Sandworm
GRU Unit 74455 (GTsST/Sandworm Team), Russian Main Intelligence Directorate
🇷🇺 Russia | Nation-State | Active | MITRE ATT&CK G0034
Key Intelligence
MITRE ID
G0034
Country
🇷🇺 Russia
Motivation
Disruption, Sabotage, Espionage
Active Since
2009
Last Seen
2025
Techniques
27 across 12 tactics
Attribution
GRU Unit 74455 (GTsST/Sandworm Team), Russian Main Intelligence Directorate
Also Known As
Voodoo Bear, IRIDIUM, Seashell Blizzard, TeleBots, Iron Viking, BlackEnergy Group, Quedagh, ELECTRUM, APT44, FROZENBARENTS
(DEV-0586 is Microsoft's former designation for the WhisperGate actor, now tracked as Cadet Blizzard, which Microsoft distinguishes from Seashell Blizzard; it is not a Sandworm alias.)
Target Profile
Targeted Industries
Energy/Power Grid, Transportation, Government, Financial Services, Media, Olympics (sporting events), Shipping
Targeted Countries
🇺🇦 Ukraine, 🇺🇸 United States, 🌍 Global (NotPetya), 🇰🇷 South Korea, 🇬🇪 Georgia

Overview

Sandworm is Russia's most destructive cyber threat group, responsible for the first cyberattacks known to have caused power outages (Ukraine, December 2015 and December 2016), the NotPetya attack of June 2017 that caused an estimated $10B+ in global damages, and Olympic Destroyer (2018). Attributed to GRU Unit 74455, the group specializes in destructive operations against critical infrastructure, with a focus on Ukraine. Six GRU officers were indicted by the US DOJ in October 2020.

Tools & Malware

BlackEnergy, Industroyer/CrashOverride, Industroyer2, NotPetya, Olympic Destroyer, VPNFilter, Cyclops Blink, AcidRain, CaddyWiper, HermeticWiper, KillDisk, SwiftSlicer, WhisperGate (attributed by Microsoft to DEV-0586/Cadet Blizzard, a separate GRU unit; listed for the January 2022 campaign context), Impacket, Metasploit

Malware & Tool Details

Arsenal attributed to Sandworm.

Attack Path: Ukraine Power Grid Attack (2015-2016)

Following MITRE ATT&CK Flow methodology.

Attack flow: Ukraine Power Grid Attack (2015-2016), 8 steps (interactive diagram)

Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
GRU Unit 74455 (GTsST), six indicted officers
CAPABILITY
BlackEnergy, Industroyer, NotPetya, Olympic Destroyer, CaddyWiper, AcidRain, VPNFilter
INFRASTRUCTURE
BlackEnergy C2, compromised ISP infrastructure, VPNFilter (500K+ devices)
VICTIM
Ukrainian power grid, Maersk, Merck, FedEx, PyeongChang Olympics

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for Sandworm (G0034).


Known CVEs Exploited

CVE | Year | Description
CVE-2014-4114 | 2014 | Windows OLE RCE (zero-day used in BlackEnergy campaigns)
CVE-2017-0144 | 2017 | EternalBlue SMBv1 RCE (MS17-010), used for NotPetya worm propagation
CVE-2023-38831 | 2023 | WinRAR RCE used in 2023 Ukraine campaigns

Notable Campaigns

2024
AcidPour Campaign
AcidRain variant: destructive wiper targeting Linux x86 embedded and IoT devices in Ukraine (first reported March 2024).
2022
Industroyer2/CaddyWiper
Attempted power grid attack on a Ukrainian energy provider during the Russia-Ukraine war (April 2022): Industroyer2 issued IEC 104 control commands to substation equipment while CaddyWiper was staged to destroy the Windows hosts.
2018
Olympic Destroyer
Destructive attack on PyeongChang Winter Olympics infrastructure.
2017
NotPetya
Destructive wiper disguised as ransomware; $10B+ in global damages.
2015
Ukraine Power Grid Attack
First cyberattack to cause a power outage (23 December 2015); roughly 230,000 customers lost power for up to six hours.

Detection Engineering

ICS/SCADA Protocol Anomaly Detection
Deploy OT-specific IDS to monitor IEC 60870-5-104 (IEC 104), Modbus and DNP3 traffic. Alert on control commands (for IEC 104: C_SC_NA_1 single and C_DC_NA_1 double commands, the ASDU types Industroyer2 issued) sent outside maintenance windows or from hosts other than the known SCADA masters. Detect anomalous circuit breaker open/close command sequences, such as the same information object being toggled repeatedly within seconds. Baseline normal OT traffic patterns for deviation detection.
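The three checks above (unapproved master, outside the maintenance window, rapid toggling of one information object), implemented as an added example that is not from the page or any vendor product. The parser covers only the IEC 104 command ASDU types listed in CONTROL_TYPES; the frames, the master address 10.10.1.5 and the 08:00-16:00 window are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# ASDU type identifiers for process-control commands (IEC 60870-5-101/-104).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with CP56Time2a", 59: "C_DC_TA_1 double command with CP56Time2a",
}
# Bytes of the information element that follows the 3-byte information object address.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 58: 8, 59: 8}


@dataclass
class Asdu:
    type_id: int
    cot: int            # cause of transmission (6 = activation)
    common_addr: int
    commands: list      # [(ioa, state, select_flag)] for control-type ASDUs


def decode_qualifier(type_id, q):
    """Decode an SCO/DCO/RCO qualifier byte into (state, select_flag)."""
    select = bool(q & 0x80)                      # bit 7: 1 = select, 0 = execute
    if type_id in (45, 58):                      # SCO: bit 0 = single command state
        return ("ON" if q & 0x01 else "OFF"), select
    if type_id in (46, 59):                      # DCO: bits 0-1, 1 = OFF, 2 = ON
        return {1: "OFF", 2: "ON"}.get(q & 0x03), select
    if type_id == 47:                            # RCO: bits 0-1, 1 = LOWER, 2 = HIGHER
        return {1: "LOWER", 2: "HIGHER"}.get(q & 0x03), select
    return None, select


def parse_apdu(frame):
    """Return an Asdu for an I-format APDU, or None for S/U-format frames (no ASDU)."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("missing 0x68 start byte")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length does not match frame size")
    if frame[2] & 0x01:                          # control octet 1 bit 0 set: S or U format
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = vsq & 0x80, vsq & 0x7F           # SQ bit and number of information objects
    cot = asdu[2] & 0x3F
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    commands = []
    if type_id in ELEMENT_SIZE and not sq:       # commands use SQ=0: one IOA per object
        size, pos = ELEMENT_SIZE[type_id], 6
        for _ in range(count):
            if pos + 3 + size > len(asdu):
                raise ValueError("truncated information object")
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            commands.append((ioa,) + decode_qualifier(type_id, asdu[pos + 3]))
            pos += 3 + size
    return Asdu(type_id, cot, common_addr, commands)


def detect(events, allowed_masters, window, toggle_limit=3, toggle_span=timedelta(seconds=60)):
    """events: (datetime, src_ip, frame_bytes). window: (start, end) times when control
    commands are expected. Returns a list of alert strings."""
    alerts, history = [], {}                     # history: ioa -> [(ts, state)] of executes
    for ts, src, frame in events:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        name, stamp = CONTROL_TYPES[asdu.type_id], f"{ts:%Y-%m-%d %H:%M:%S} {src}"
        if src not in allowed_masters:
            alerts.append(f"{stamp}: {name} from unauthorized master")
        if not window[0] <= ts.time() <= window[1]:
            alerts.append(f"{stamp}: {name} outside maintenance window")
        for ioa, state, select in asdu.commands:
            if select:                           # count only the execute phase
                continue
            recent = [(t, s) for t, s in history.get(ioa, []) if ts - t <= toggle_span]
            recent.append((ts, state))
            states = [s for _, s in recent]
            if len(states) >= toggle_limit and all(a != b for a, b in zip(states, states[1:])):
                alerts.append(f"{stamp}: IOA {ioa} toggled {len(states)} times within {toggle_span.seconds}s")
                recent = []
            history[ioa] = recent
    return alerts


def build_control_frame(type_id, ioa, qualifier, cot=6, common_addr=1, ns=0, nr=0):
    """Construct an I-format APDU carrying one single-byte control command (test data only)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([qualifier]))
    apci = bytes([0x68, 4 + len(asdu), (ns << 1) & 0xFF, (ns >> 7) & 0xFF,
                  (nr << 1) & 0xFF, (nr >> 7) & 0xFF])
    return apci + asdu


S_FORMAT_ACK = bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])   # supervisory frame, no ASDU
MAINTENANCE_WINDOW = (time(8, 0), time(16, 0))                 # constructed
ALLOWED_MASTERS = {"10.10.1.5"}                                 # constructed SCADA master
SAMPLE_EVENTS = [                                               # constructed traffic
    (datetime(2022, 4, 7, 10, 0, 0), "10.10.1.5", build_control_frame(45, 1201, 0x01)),   # legit ON
    (datetime(2022, 4, 7, 10, 0, 1), "10.10.1.5", S_FORMAT_ACK),
    (datetime(2022, 4, 8, 2, 13, 0), "10.10.1.66", build_control_frame(46, 1201, 0x01)),  # OFF
    (datetime(2022, 4, 8, 2, 13, 5), "10.10.1.66", build_control_frame(46, 1201, 0x02)),  # ON
    (datetime(2022, 4, 8, 2, 13, 10), "10.10.1.66", build_control_frame(46, 1201, 0x01)), # OFF
]


def run_demo():
    return detect(SAMPLE_EVENTS, ALLOWED_MASTERS, MAINTENANCE_WINDOW)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The select flag is checked so that select-before-execute sequences are counted once; an RTU that requires select/execute would otherwise double every toggle. In production the allowlist and window come from the asset inventory and change-management system, not constants.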
Wiper Malware / MBR Modification
Monitor for MBR/VBR modification attempts via raw disk access: Sysmon Event ID 9 (RawAccessRead) on \Device\Harddisk0\DR0 from processes with no business reading the boot device. Alert on mass SMB (TCP/445) lateral movement from a single process, consistent with worm propagation. Detect rundll32.exe executing exports from .dat files (NotPetya ran as rundll32.exe perfc.dat,#1) via Sysmon Event ID 1 command-line logging.
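The three detections above correlated over Sysmon-style events, as an added example that is not from the page or any vendor rule set. The JSON lines, host name WS01, process IDs, the raw-access allowlist and the fan-out threshold (5 distinct hosts in 60 s) are constructed for illustration; field names follow Sysmon's (UtcTime, Image, CommandLine, Device, DestinationIp, DestinationPort).

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rundll32 executing an export from a .dat file, e.g. "rundll32.exe C:\Windows\perfc.dat,#1 60".
RUNDLL32_DAT = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dat\s*,\s*#?\d+", re.IGNORECASE)
# Processes expected to read raw disk on a workstation (constructed allowlist).
RAW_ACCESS_ALLOWLIST = {r"c:\windows\system32\vssvc.exe", r"c:\windows\system32\svchost.exe"}
BOOT_DEVICE = re.compile(r"\\device\\harddisk0\\dr0$", re.IGNORECASE)
SMB_FANOUT_THRESHOLD = 5                      # distinct TCP/445 destinations per process
SMB_FANOUT_WINDOW = timedelta(seconds=60)


def detect(lines):
    """lines: iterable of JSON strings, one Sysmon event each. Returns alert strings."""
    alerts = []
    smb_seen = defaultdict(list)              # (host, pid) -> [(ts, destination_ip)]
    for line in lines:
        ev = json.loads(line)
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 1 and RUNDLL32_DAT.search(ev.get("CommandLine", "")):
            alerts.append(f"{host} {ts} rundll32 executing .dat export: {ev['CommandLine']}")
        elif eid == 9:                        # RawAccessRead
            image = ev.get("Image", "").lower()
            if BOOT_DEVICE.search(ev.get("Device", "")) and image not in RAW_ACCESS_ALLOWLIST:
                alerts.append(f"{host} {ts} raw read of boot drive by {ev['Image']} (possible MBR tampering)")
        elif eid == 3 and ev.get("DestinationPort") == 445 and ev.get("Initiated", True):
            key = (host, ev["ProcessId"])
            recent = [(t, d) for t, d in smb_seen[key] if ts - t <= SMB_FANOUT_WINDOW]
            recent.append((ts, ev["DestinationIp"]))
            smb_seen[key] = recent
            targets = {d for _, d in recent}
            if len(targets) == SMB_FANOUT_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(f"{host} {ts} pid {ev['ProcessId']} ({ev.get('Image')}) reached "
                              f"{len(targets)} SMB hosts in {SMB_FANOUT_WINDOW.seconds}s: worm-like fan-out")
    return alerts


# Constructed sample events; the date echoes the NotPetya outbreak but the data is synthetic.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2017-06-27 10:30:00", "Computer": "WS01", "ProcessId": 4100,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},                    # benign
    {"EventID": 1, "UtcTime": "2017-06-27 10:31:02", "Computer": "WS01", "ProcessId": 4212,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60"},    # payload
    {"EventID": 9, "UtcTime": "2017-06-27 10:31:03", "Computer": "WS01", "ProcessId": 4212,
     "Image": r"C:\Windows\System32\rundll32.exe", "Device": r"\Device\Harddisk0\DR0"},  # MBR read
    {"EventID": 9, "UtcTime": "2017-06-27 10:31:04", "Computer": "WS01", "ProcessId": 1300,
     "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\Harddisk0\DR0"},    # benign
] + [
    {"EventID": 3, "UtcTime": f"2017-06-27 10:31:{10 + i:02d}", "Computer": "WS01",
     "ProcessId": 4212, "Image": r"C:\Windows\System32\rundll32.exe", "Initiated": True,
     "DestinationIp": f"10.20.0.{10 + i}", "DestinationPort": 445}
    for i in range(6)                                                                    # fan-out
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def run_demo():
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Caveat: Sysmon Event ID 9 records reads through \\.\ device paths, not writes, so it catches the wiper reading the boot sector before overwriting it; pair it with EDR or driver telemetry if you need the write itself. Tune the allowlist per host role (backup agents, imaging tools), and treat the fan-out threshold as a starting point that domain controllers and vulnerability scanners will exceed legitimately.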
VPNFilter/Cyclops Blink IoT Detection
Monitor network edge devices (routers, firewalls, NAS) for unexpected reboots, configuration changes, or outbound C2 beaconing. Scan SOHO devices for known VPNFilter/Cyclops Blink indicators; the February 2022 joint NCSC/CISA/FBI/NSA Cyclops Blink advisory and the NCSC malware analysis report include indicators and YARA rules.

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations mapped to MITRE ATT&CK.

Air-gap or segment IT from OT/ICS/SCADA. Use unidirectional gateways where data transfer is needed.
NIST SP 800-82 Rev 3
Deploy OT-specific monitoring (Dragos, Claroty, Nozomi) for ICS protocol anomaly detection.
CISA ICS-CERT
Patch EternalBlue (MS17-010) and disable SMBv1. NotPetya used EternalBlue for propagation causing $10B+ damages.
Microsoft MS17-010
Implement immutable offline backups. Test restoration quarterly. Sandworm deploys wipers to destroy recovery.
CISA Ransomware Guide
Establish OT incident response with manual override procedures. Operators must run facilities without digital controls.
NERC CIP Standards

Attribution Confidence

Attribution Confidence: High
Evidence Supporting Attribution
DOJ indicts 6 GRU Unit 74455 officers (Oct 2020)
https://www.justice.gov/opa/pr/six-russian-gru-officers-char
US/UK publicly attribute NotPetya to Russian military
https://www.whitehouse.gov/briefings-statements/statement-pr
Ukraine CERT attributes power grid attacks
https://cert.gov.ua/

Threat Assessment

Capability10/10
Intent10/10
Targeting9/10
Critical
Overall Threat Level
Most destructive cyber threat actor globally. Responsible for $10B+ in damages via NotPetya. Demonstrated ICS/SCADA attack capability against power grids.

Legal Actions & Sanctions

October 2020: the US DOJ indicted six GRU Unit 74455 officers for the Ukraine power grid attacks, NotPetya, Olympic Destroyer and related operations (see Attribution Confidence above).

Recent Reporting

2025-05
CISA AA25-141A (Russian GRU targeting of Western logistics entities and technology companies). Note: the advisory attributes this activity to GRU Unit 26165 (APT28), not to Unit 74455; it is listed here for context on GRU logistics targeting.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
2024-04
Google Cloud / Mandiant publishes "Unearthing APT44", elevating Sandworm to the APT44 designation (see Emulation Plans & Guidance below).

Emulation Plans & Guidance

Plan | Source | Type | Description
MITRE CTID - Sandworm Full Emulation Plan | MITRE CTID | Open Source | Complete Sandworm emulation with detection and protection scenarios, YARA rules, and ICS focus
Sandworm Emulation Plan - Scenario 1 | MITRE CTID | Open Source | Step-by-step walkthrough: SSH compromise, webshell, lateral movement, data destruction
ATT&CK Evaluations Library - Sandworm | MITRE Engenuity | Framework | Official Sandworm evaluation plan with destructive operations
AttackIQ - Sandworm Emulation Part 1 | AttackIQ | Commercial | Destructive operations validation for Sandworm TTPs
ESET Industroyer2 Technical Analysis | ESET | Guide | Deep technical analysis of Industroyer2 ICS malware with YARA rules
Sandworm Emulation - Scenario 2 Protection | MITRE CTID | Open Source | Protection scenario: 3 independent tests for CaddyWiper, Exaramel, and NotPetya-style propagation
AttackIQ: Emulating Sandworm Part 2 | AttackIQ | Commercial | ICS targeting and wiper deployment validation scenarios
Emulating Sandworm - Part 1 | AttackIQ | Blog Post | Post-compromise TTP emulation: ICS targeting, wiper deployment, EternalBlue propagation
Emulating Sandworm - Part 2 | AttackIQ | Blog Post | HermeticWiper, HermeticWizard spreader, and destructive operations validation
Emulating the Destructive Sandworm Adversary (2025) | AttackIQ | Blog Post | 2025 Sandworm emulation: nano.exe and system.exe samples, scheduled task persistence
Unearthing APT44: Russia's Sandworm | Google Cloud / Mandiant | Blog Post | Mandiant's analysis of Sandworm's elevation to the APT44 designation (April 2024)


Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange