Sandworm Team (G0034) Threat Profile: Russia's Destructive Cyber Arm
- Suspected Origin
- Russia
- Motivation
- Espionage, Sabotage, Disruption, Geopolitical Objectives
- Aliases
- ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
- Target Sectors
- Energy, Telecommunications, Government, Defense, Finance, Transportation, Media, Critical Infrastructure
- Associated Malware
- BlackEnergy, Industroyer, NotPetya, Olympic Destroyer, Cyclops Blink, CaddyWiper, Neo-REGEORG, NikoWiper, SwiftSlicer, ZeroLot, AcidRain, AcidPour, Infamous Chisel, Prestige, RansomBoggs
Overview
The Sandworm Team, also tracked as G0034 in the MITRE ATT&CK framework, is a highly sophisticated and destructive state-sponsored threat group unequivocally linked to Russia’s General Staff Main Intelligence Directorate (GRU), specifically military unit 74455. Operating under a multitude of aliases including APT44, ELECTRUM, Telebots, Voodoo Bear, and IRON VIKING, this actor has been active since at least 2009, evolving from stealthy espionage to become a primary instrument of Russian geopolitical and military objectives through cyber warfare. Sandworm’s motivation extends beyond traditional espionage to include strategic disruption, sabotage, and pre-positioning for potential future conflicts, often aligning its cyber operations with kinetic military activities. This group is unique for its proven capability to inflict physical-world consequences, most notably demonstrated through successful power grid outages. Its operations are global in scope, impacting dozens of countries, with a pronounced focus on Ukraine and NATO member states.
Tactics & Techniques
Sandworm Team employs a diverse and evolving set of tactics, techniques, and procedures (TTPs) to achieve its objectives, consistently demonstrating a high level of operational maturity. Initial access often involves spear phishing campaigns, frequently disguised as government correspondence, or the exploitation of internet-facing vulnerabilities in systems like VPN appliances, remote access tools, industrial control systems (ICS)/SCADA software, edge devices, and mail servers (such as the CVE-2019-10149 vulnerability in Exim). Supply-chain compromises have also been a critical vector, as seen with the NotPetya attack.
Once inside a network, Sandworm prioritizes lateral movement and persistence. They utilize legitimate tools such as PsExec and stolen credentials, alongside custom backdoors and remote management tools. Techniques include credential harvesting, exploiting known vulnerabilities like EternalBlue and EternalRomance for SMBv1, and deploying webshells such as Neo-REGEORG for remote access and persistence. Persistence is further achieved through custom backdoors, Systemd service units, and by hijacking device firmware, as exemplified by the Cyclops Blink botnet. Command and control (C2) infrastructure is diverse, leveraging compromised servers, hijacked domains, VPNs, and TLS-based tunnels, often incorporating obfuscation techniques like Base64 encoding and HTML tags to blend C2 traffic.
Defense evasion is a hallmark of Sandworm’s operations. They extensively use “living-off-the-land” (LotL) techniques, employing native Windows programs (e.g., cmd.exe, vssadmin, wbadmin, bcdedit) to perform actions and inhibit system recovery. The group also disables event logging on compromised systems and obfuscates malware to hinder investigations. Masquerading malware as legitimate software, such as Windows updates, is another tactic to evade detection and enhance phishing efficacy. Critically, Sandworm has demonstrated a tendency to escalate operations after initial detection, intensifying activity against operational technology (OT) and ICS systems to maximize operational disruption rather than disengaging.
Notable Campaigns
Sandworm Team has been responsible for some of the most destructive and costly cyberattacks in history, many of which are directly tied to Russian state interests.
- 2015 and 2016 Ukraine Power Grid Attacks: These pioneering attacks, utilizing BlackEnergy and Industroyer/CrashOverride malware, caused the first publicly acknowledged cyber-induced power outages, affecting hundreds of thousands of Ukrainian citizens.
- 2017 NotPetya Attack: Disguised as ransomware, NotPetya was a destructive wiper malware that rapidly spread globally via a compromised Ukrainian software update (M.E.Doc), causing over $10 billion in damages and crippling multinational corporations.
- 2017 French Presidential Campaign: Sandworm targeted the campaign, attempting to interfere with democratic processes through data leaks and other disruptive activities.
- 2018 Olympic Destroyer Attack: This operation disrupted the opening ceremony of the Winter Olympic Games in PyeongChang, South Korea, in retaliation for Russia’s doping ban.
- 2018 Operation against the Organisation for the Prohibition of Chemical Weapons (OPCW): This attack targeted the OPCW’s investigations.
- 2018-2019 Attacks against Georgia: Sandworm defaced approximately 15,000 Georgian government, non-government, and private sector websites, temporarily disrupting services.
- Ukraine War Campaigns (2022-2023): Coinciding with the full-scale Russian invasion, Sandworm launched multiple disruptive campaigns against Ukrainian government, telecommunication, and energy entities. These included deploying new wipers like CaddyWiper, NikoWiper, SwiftSlicer, and ZeroLot, and using retooled Industroyer variants (Industroyer2) to attempt further power blackouts. These operations often show coordination with kinetic military strikes.
- 2023 Infamous Chisel: This malware campaign specifically targeted Android devices used by the Ukrainian military, focusing on intelligence collection from mobile communications.
- 2025 Poland Power Grid Attack: Reports indicate Sandworm targeted the Polish power grid in December 2025, leading to a temporary reallocation of the group’s resources.
- 2025-2026 Western Critical Infrastructure Targeting: Microsoft and Amazon reported sustained targeting of Western critical infrastructure, including energy and telecommunications providers in North America and Europe, by exploiting misconfigured network edge devices and VPNs.
Associated Malware & Tools
Sandworm has developed and utilized a sophisticated arsenal of malware and tools, continuously evolving its capabilities.
- Wipers: BlackEnergy KillDisk, NotPetya, Olympic Destroyer, CaddyWiper, Neo-REGEORG, NikoWiper, SwiftSlicer, ZeroLot, AcidRain, AcidPour.
- ICS/OT-Specific Malware: BlackEnergy, Industroyer (CrashOverride), Industroyer2 – specifically designed to interface with industrial protocols and disrupt power grids.
- Botnets: Cyclops Blink, which succeeded the VPNFilter platform, demonstrating the group’s ability to gain firmware-level persistence on network devices.
- Remote Access Tools/Backdoors: Custom backdoors, FONTCACHE.DAT (BlackEnergy implant), webshells (Neo-REGEORG), Python-based backdoors, SSH servers, and the BCS-server tool.
- Ransomware (used destructively): Prestige and RansomBoggs, often deployed without intent for decryption, serving as destructive wipers.
- Other Tools and Utilities: GOGETTER (tunneling), TANKTRAP (PowerShell utility), Adminer (database exfiltration), PsExec, Mimikatz (often packed with UPX), and various PowerShell scripts for credential harvesting and payload delivery.
- Exploited Vulnerabilities: Sandworm regularly exploits known vulnerabilities such as CVE-2014-4114, CVE-2019-10149 (Exim), EternalBlue, EternalRomance (SMBv1), and Log4Shell.
Current Status
Sandworm Team remains an exceptionally active, adaptable, and highly dangerous threat actor. Its operations have intensified significantly since Russia’s full-scale invasion of Ukraine in 2022, often showing direct coordination with conventional military activities to achieve joint military objectives. Recent intelligence indicates an evolving tactical focus, with the group increasingly exploiting misconfigured network edge devices, VPN concentrators, and remote access gateways, relying less on zero-day exploits and more on leveraging common vulnerabilities and existing compromises.
While their destructive campaigns against Ukrainian critical infrastructure continue, there’s also a growing emphasis on intelligence collection, particularly from mobile devices used by the Ukrainian military to gain battlefield advantage. Sandworm continues to target Western critical infrastructure across North America and Europe, demonstrating a sustained global reach. Activity reports extend through early 2026, confirming the group’s ongoing operations, introduction of new malware families (like ZeroLot and AcidPour), and continued development of sophisticated cyber-physical attack capabilities. The group’s operational tempo aligns with Moscow office hours and a structured, bureaucratic execution model, indicating centralized tasking from its GRU handlers. Given its destructive history, state-sponsored backing, and continuous evolution, Sandworm poses a critical and persistent threat to governments and critical infrastructure worldwide.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call