Nation-State Actor

Sandworm

Russia • Active since 2009

Sandworm is Russia's most destructive hacking unit. They knocked out Ukraine's power grid in 2015 and 2016, the first cyberattacks to cause blackouts. They also unleashed NotPetya, fake ransomware that destroyed computers worldwide, costing companies like Maersk and FedEx billions. They're still actively attacking Ukraine.

Overview

Sandworm is a Russian military intelligence (GRU Unit 74455) threat group known for the most destructive cyberattacks in history. They are responsible for the NotPetya malware that caused $10 billion in damages worldwide, attacks on Ukrainian power grids, and ongoing cyber operations against Ukraine.

Also Known As

Voodoo Bear, IRIDIUM, Seashell Blizzard, TeleBots, Unit 74455

Target Industries

Energy, Critical Infrastructure, Government, Financial Services, Media, Transportation

Target Regions

Ukraine, Europe, United States, Global (NotPetya)

Tactics, Techniques & Procedures

  • Destructive wiper malware deployment
  • ICS/SCADA attacks
  • Supply chain compromise
  • Spear-phishing campaigns
  • Router and IoT device compromise

Known Tools & Malware

NotPetya, Industroyer/CrashOverride, BlackEnergy, Olympic Destroyer, VPNFilter, CaddyWiper

Notable Campaigns

Ukraine Power Grid Attacks (2015-2016)

First-ever cyberattacks to cause power outages, affecting hundreds of thousands of Ukrainians.

NotPetya (2017)

Global destructive attack disguised as ransomware, causing $10 billion in damages.

Olympic Destroyer (2018)

Disrupted IT systems during the Pyeongchang Winter Olympics opening ceremony.

MITRE ATT&CK Techniques

T1485 (Data Destruction), T1486 (Data Encrypted for Impact), T1195 (Supply Chain Compromise), T1059 (Command and Scripting Interpreter), T1071 (Application Layer Protocol)

Defense Recommendations

  1. Isolate ICS/SCADA networks from business networks
  2. Implement offline backups that cannot be reached via the network
  3. Update router firmware and change default credentials
  4. Deploy industrial-specific threat detection (Dragos, Claroty, or Nozomi)
  5. Develop and test disaster recovery plans for wiper scenarios

Related Threat Actors

APT28 (Fancy Bear), APT29 (Cozy Bear), Turla

Is your business exposed?

Check if your company data is circulating on the dark web

Free scan • No credit card required