1. Overview
Sandworm is a highly destructive Russian state-sponsored threat group attributed to Unit 74455 of the GRU, Russia’s military intelligence agency. The group has been active since at least 2009 and is known for some of the most damaging cyber operations in history, including the 2015 and 2016 attacks on Ukraine’s energy grid and the 2017 NotPetya attack.
Unlike other Russian APTs that focus on cyber espionage or influence operations, Sandworm is often deployed for disruptive and destructive campaigns. Its targets include military organisations, energy providers, telecommunications firms, election infrastructure, and public services—particularly in Ukraine, but also across NATO member states, including the UK.
2. Origin and Evolution
Sandworm was first identified by researchers analysing the 2015 Ukrainian power grid attacks. Its association with Unit 74455 was later confirmed through international investigations, including joint attributions by the US Department of Justice, UK’s National Cyber Security Centre (NCSC), and others.
The group has been a consistent component of Russia’s hybrid warfare doctrine, integrating cyber operations with military and political campaigns. It is closely associated with the broader Russian strategy of destabilising Western institutions through both kinetic and cyber means.
3. Tactics, Techniques, and Procedures (TTPs)
Sandworm uses a mix of custom malware and commodity tools for maximum effect. It is known for its advanced capabilities in:
- Initial access: Exploitation of known vulnerabilities in network appliances (T1190), phishing emails (T1566.001), and supply chain intrusions. Sandworm has also used VPN and remote desktop brute force attacks (T1110).
- Malware deployment: Sandworm is known for destructive malware including:
  - BlackEnergy
  - Industroyer (CrashOverride)
  - NotPetya
  - AcidRain
  - WhisperGate
  - Exaramel
- Lateral movement and privilege escalation: Utilises Mimikatz, PsExec, and scheduled tasks for privilege escalation and persistence (T1055, T1021). Often leverages stolen credentials to move laterally.
- Destruction and disruption: Has deployed wipers, fake ransomware, and OT-specific malware. Tactics are designed to destroy data, disable infrastructure, and create maximum operational disruption (T1485, T1490).
- Command and control: Uses custom C2 protocols and encrypted channels, often relying on dynamic DNS and previously compromised infrastructure (T1071.001).
4. Targeting Profile
Sandworm focuses heavily on organisations involved in:
- Energy generation and transmission
- Water, gas, and critical utilities
- Telecommunications and mobile networks
- Government, defence, and foreign affairs
- Transport and logistics
- Election infrastructure and voting technology
Primary targets are in Ukraine, but the group has also conducted operations in the UK, US, Germany, France, Poland, and the Baltics. In the UK, energy providers, grid operators, and telecom companies have been subject to reconnaissance and attempted compromise.
5. Notable Campaigns and Victims
Sandworm is responsible for some of the most consequential cyberattacks in modern history:
- Ukrainian power grid attack (2015): First known successful cyberattack to disrupt electricity supply to civilians. Used BlackEnergy and KillDisk malware.
- Industroyer / CrashOverride (2016): Second Ukrainian grid attack with malware designed to interact directly with industrial control systems (ICS).
- NotPetya (2017): Masquerading as ransomware, this destructive worm targeted Ukrainian organisations but spread globally, impacting Maersk, Merck, TNT Express, and NHS services. Damages exceeded £8 billion.
- Olympic Destroyer (2018): Targeted the Winter Olympics in Pyeongchang, disabling systems used by organisers. Disguised attribution through false flags.
- Ukraine hybrid war operations (2022–2024): Active alongside Russia’s invasion of Ukraine. Used HermeticWiper, CaddyWiper, and AcidRain against infrastructure, media, and government systems. Also responsible for cyber sabotage against Starlink satellite networks.
6. Technical Indicators
Sandworm’s tooling is customised and often rapidly redeployed, but shared traits include:
- Use of wipers disguised as ransomware
- File names like perfc.dat, system32.dll, or mssecsvc.exe
- Registry manipulation and scheduled tasks used to destroy the MBR
- Deployment of ICS-specific protocols in malware like Industroyer
- C2 domains with fast-flux DNS and hosting in Eastern Europe
UK Cyber Defence Ltd maintains Sandworm-specific detection signatures and IOC feeds for OT/ICS defenders.
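As an added example (not code from the original profile or from UK Cyber Defence Ltd), the Python triage routine below applies the shared traits listed above to constructed Sysmon-style process events: the indicator file names named on this page, scheduled-task creation whose action is a forced reboot, and direct handles on a physical drive, which is assumed here as a generic signal of MBR tampering. The host names, event fields, regexes and the two-category escalation rule are assumptions for the demo.

```python
import re

# Constructed Sysmon-style process events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ot-hmi-01", "image": r"C:\Windows\perfc.dat",
     "cmdline": r"rundll32.exe C:\Windows\perfc.dat,#1"},
    {"host": "ot-hmi-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:35'},
    {"host": "eng-ws-07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "eng-ws-07", "image": r"C:\Tools\diskcheck.exe",
     "cmdline": r"diskcheck.exe --device \\.\PhysicalDrive0"},
]

# File names the profile lists as shared Sandworm traits.
INDICATOR_FILENAMES = {"perfc.dat", "system32.dll", "mssecsvc.exe"}
# Scheduled task whose action is a forced reboot (regex is an assumption for this demo).
REBOOT_TASK = re.compile(r"schtasks(\.exe)?\s+/create\b.*\bshutdown", re.I)
# Direct handle on a physical drive: assumed here as a generic MBR-tamper signal.
RAW_DISK = re.compile(r"\\\\\.\\PhysicalDrive\d+", re.I)

def basename(path):
    """Last path component, lower-cased, so a System32 directory does not match system32.dll."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the (category, detail) indicators an event matches; empty list if none."""
    hits = []
    name = basename(ev["image"])
    if name in INDICATOR_FILENAMES:
        hits.append(("known-filename", name))
    if REBOOT_TASK.search(ev["cmdline"]):
        hits.append(("reboot-task", ev["cmdline"]))
    if RAW_DISK.search(ev["cmdline"]):
        hits.append(("raw-disk-access", ev["cmdline"]))
    return hits

def triage(events):
    """Group hits per host; two distinct categories on one host escalates, one is reviewed."""
    per_host = {}
    for ev in events:
        for hit in score_event(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    verdicts = {}
    for host, hits in per_host.items():
        categories = {cat for cat, _ in hits}
        verdicts[host] = ("escalate" if len(categories) >= 2 else "review", hits)
    return verdicts

if __name__ == "__main__":
    for host, (verdict, hits) in triage(SAMPLE_EVENTS).items():
        print(host, verdict, [cat for cat, _ in hits])
```

Matching on the file's basename rather than the full path keeps the System32 directory from colliding with the system32.dll indicator, a false positive that a naive substring match would produce on every Windows host.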
7. Defensive Measures and Recommendations
Organisations operating critical infrastructure should adopt the following:
- Implement network segmentation between IT and OT environments
- Monitor for unauthorised access to industrial control systems
- Maintain offline, immutable backups of system configurations
- Conduct tabletop exercises focused on cyber-physical incidents
- Deploy EDR/XDR with ICS/SCADA awareness
- Use secure firmware and enforce multi-factor authentication on all access points
Public sector and utility providers should coordinate with the UK NCSC and sector-specific CSIRTs to stay updated on threat activity.
8. Attribution and Alliances
Sandworm is directly attributed to Russia’s GRU Unit 74455. Attribution has been supported by:
- UK NCSC
- US CISA, FBI, and DOJ
- EU cybersecurity agencies and NATO cyber defence groups
- Private researchers from ESET, Mandiant, and Dragos
Sandworm often operates alongside other GRU cyber components, such as APT28 (Fancy Bear), but serves a distinct role focused on infrastructure and kinetic impact.
9. Conclusion
Sandworm is one of the most destructive state-sponsored threat groups in operation today. Its missions are explicitly aligned with Russian military objectives, and its tactics include both stealthy access and outright sabotage. For UK organisations involved in critical infrastructure, Sandworm represents a priority threat requiring a fusion of cyber and physical security resilience.
Proactive detection, incident preparedness, and international collaboration are essential to counter the long-term risk posed by this actor.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025