They moved from espionage to physical disruption. Their operations have affected national power grids, critical infrastructure, and global supply chains. They go by the name of Sandworm.
What is Sandworm?
Sandworm, also known as APT44, Voodoo Bear, or TeleBots, is a cyber unit within the Russian military intelligence agency (GRU), specifically Unit 74455. The group is known for combining sophisticated espionage with destructive capabilities. Their operations frequently coincide with geopolitical tensions involving Russia, especially in Ukraine and NATO-aligned countries.
Sandworm differs from other Russian APTs in that their focus is not limited to data collection or access maintenance. They demonstrate a willingness to cause disruption and physical consequences.
Origins and attributions
Investigations from multiple countries have linked Sandworm to the GRU through infrastructure reuse across campaigns, malware code similarities, and operational mistakes, including exposed IP addresses. The group's existence and membership are also documented in United States federal indictments from 2020.
Their activity can be traced back to the mid-2000s, with early attacks focused on Ukrainian institutions, industrial systems, and government networks. Over time, their operational scope expanded to targets in Europe, the United States, and the Middle East.
Major operations
Sandworm is responsible for some of the most significant cyber incidents recorded.
Ukraine power grid attacks (2015 and 2016)
These attacks were the first confirmed power outages caused directly by cyber activity. They targeted regional electricity distribution companies, SCADA systems, and remote terminal units. The 2015 incident used the BlackEnergy and KillDisk toolsets. The 2016 incident advanced to Industroyer, a modular framework designed specifically to interact with industrial control protocols. Both attacks led to temporary blackouts for hundreds of thousands of people.
NotPetya (2017)
NotPetya began as a supply chain compromise of Ukrainian accounting software, but it spread globally within hours. Although it presented itself as ransomware, it was a destructive wiper in practice: encrypted data could not be recovered. It moved laterally at speed using a modified EternalBlue exploit and disrupted logistics, shipping, pharmaceuticals, and financial systems. NotPetya caused billions of dollars in losses, and many governments publicly attributed the attack to Sandworm.
Olympic Destroyer (2018)
During the Winter Olympics in South Korea, Sandworm deployed Olympic Destroyer, a wiper designed to disrupt IT operations, ticketing systems, and broadcast and Wi-Fi services. The malware blended multiple false attribution clues, which complicated early analysis. Later investigations tied the activity to Unit 74455.
Industroyer2 attack (2022)
During the early months of the full-scale invasion of Ukraine, Sandworm deployed Industroyer2, an updated variant of its industrial control system malware. The operation attempted to cut power in a Ukrainian region by directly manipulating electrical substation equipment. Although mitigated, the attempt confirmed Sandworm’s continued interest in physical disruption.
ICS, energy, and government networks
Sandworm has also been linked to breaches of energy sector networks in Europe, intrusions against NATO and related institutions, and long-term intrusions into ICS environments. CISA advisories on ICS malware such as Pipedream / Incontroller have raised the question of who built it; attribution is still debated, but Sandworm remains a candidate. Their operations often align with periods of political escalation involving Russia.
The toolbox
Sandworm uses a diverse set of tools, many designed specifically for destructive or industrial purposes. For espionage and initial access, they rely on spear-phishing, credential harvesting, exploitation of unpatched systems, and tunneling and persistence frameworks.
Their ICS-focused malware toolbox includes:
- BlackEnergy
- Industroyer / CrashOverride
- Industroyer2
These frameworks include modules designed to speak native industrial protocols such as IEC 60870-5-104, IEC 61850, and others.
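To make the IEC 60870-5-104 layer concrete from a defender's side, the following is an added example (not code from the original article or from any Sandworm tooling): a small parser for IEC 104 APDUs that flags ASDUs carrying process control commands with cause of transmission "activation", the traffic a grid operator would want alerted on when it originates from an unexpected host. The frame layout and type-ID ranges follow the IEC 60870-5-104 standard; the sample frames are constructed, not captured.

```python
import struct

# ASDU type IDs in the control direction that act on process equipment:
# 45-51 (single/double/step commands, setpoints, bitstring) and 58-64 (time-tagged forms).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6  # cause of transmission "act": a command is being issued

def parse_apdu(frame: bytes) -> dict:
    """Parse one IEC 60870-5-104 APDU: 0x68, length, 4-byte APCI, optional ASDU."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("malformed APDU")
    ctrl = frame[2:6]
    if ctrl[0] & 0x03 == 0x03:            # U-format: STARTDT/STOPDT/TESTFR
        return {"format": "U", "function": ctrl[0]}
    if ctrl[0] & 0x03 == 0x01:            # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": struct.unpack_from("<H", ctrl, 2)[0] >> 1}
    asdu = frame[6:]                       # I-format: ASDU header follows the APCI
    type_id, vsq, cot, _origin, common_addr = struct.unpack_from("<BBBBH", asdu, 0)
    info = {
        "format": "I",
        "send_seq": struct.unpack_from("<H", ctrl, 0)[0] >> 1,
        "type_id": type_id,
        "num_objects": vsq & 0x7F,
        "cot": cot & 0x3F,                # low 6 bits; bit 6 = negative, bit 7 = test
        "common_addr": common_addr,
        "ioa": int.from_bytes(asdu[6:9], "little"),  # first Information Object Address
    }
    if type_id == 45:                      # C_SC_NA_1: decode the Single Command Object
        sco = asdu[9]
        info["command"] = {"select": bool(sco & 0x80), "state": "ON" if sco & 0x01 else "OFF"}
    return info

def flag_control_commands(frames) -> list:
    """Return one alert string per frame that issues a process control command."""
    alerts = []
    for frame in frames:
        apdu = parse_apdu(frame)
        if apdu["format"] == "I" and apdu["type_id"] in CONTROL_TYPE_IDS \
                and apdu["cot"] == COT_ACTIVATION:
            alerts.append(f"control command type {apdu['type_id']} "
                          f"to CA {apdu['common_addr']} IOA {apdu['ioa']}")
    return alerts

# Constructed sample traffic (not a real capture): STARTDT act, a spontaneous
# single-point status report (M_SP_NA_1), and a single command C_SC_NA_1 execute/ON.
SAMPLE_FRAMES = [
    bytes.fromhex("680407000000"),
    bytes.fromhex("680e0200020001010300010005000001"),
    bytes.fromhex("680e000000002d010600010001000001"),
]

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE_FRAMES):
        print(alert)
```

Only the last frame trips the check; the status report and the STARTDT handshake are normal monitoring traffic and pass silently.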
Their destructive malware includes:
- NotPetya
- KillDisk
- Olympic Destroyer
Sandworm operations show a high level of coordination with military objectives, the ability to move from access to sabotage, a preference for high-impact targets, and the capability to develop custom malware for industrial control environments.
Geopolitical impact
Sandworm’s operations have influenced policy and security across the world. Their attacks on Ukraine demonstrated that cyber operations can cause physical infrastructure damage, power loss, and economic disruption. This changed how governments approach national cyber defence.
In response to Sandworm's attacks, governments have increased ICS security funding, strengthened grid defence planning, and adopted zero-trust and segmentation in critical infrastructure. Most Western governments now participate in joint international advisories on Russian APTs.
Multiple Sandworm operators have been indicted by the United States, with the United Kingdom and other allies supporting public attribution efforts. These indictments describe the group's operations in detail.
Sandworm's role today
Sandworm remains one of the most important cyber units globally because it combines espionage with destructive capability. The group shows sustained interest in critical infrastructure, and its malware families continue to evolve.