SandWorm APT Group Cyber Intelligence Report

This blog post comes from the “SandWorm APT Group Cyber Intelligence Report” by the Brandefense CTI Analyst Team. For more details about the analysis, download the report.

Execution Summary

The Russian statesupported Sandworm APT group is discussed in this report prepared by the Brandefense threat intelligence team. APT’s objectives, motivations, past cyberattacks, which started in 2009, group’s Tactics, Techniques, and Procedures (TTPs), malware, opensource tools, IoC findings, and YARA rules are explained in this report.

Cyber attack methods and malware investigations in this report will create cyber security awareness. In addition, TTP findings and IoC data used by threat actors will contribute by feeding cybersecurity teams and products. A correct understanding of Tactics, Techniques, and Procedures used by the threat group and their utilities/malware and its capabilities will provide a proactive approach for future attacks and will enable the necessary steps to be taken to take early action.

Considering the report’s general scope and content, it aims to nurture rulebased security solutions together with network and machinebased security solutions and to be illuminating in terms of raising security awareness against targeted cyber attacks.

Sandworm APT Group Overview

Reference NamesSandworm Team (Trend Micro)

Iron Viking (SecureWorks)

CTG-7263 (SecureWorks)

Voodoo Bear (CrowdStrike)

Quedagh (F-Secure)

TEMP.Noble (FireEye)

ATK 14 (Thales)

BE2 (Kaspersky)

SponsorState-sponsored, GRU Unit 74455
First Seen2009
MotivationSabotage && Espionage
MethodZero-days, Malware, Spearphishing
Targeted IndustriesEducation, Energy, Government, Telecommunications

Sandworm Team, also known as Unit 74455, is a Russian cyber espionage group that has been operating since 2009. The group is allegedly affiliated with the cyber military unit of the Main Intelligence Service (GRU), which is working for Russian military intelligence.

Sandworm Team mainly targets Ukrainian organizations associated with energy, industrial control systems, SCADA, government, and the media sector.

Sandworm Team was directly linked to the Ukrainian energy sector attack in late 2015.


The GRU or GU (General Staff of the Armed Forces of the Russian Federation) is a military foreign intelligence agency. Sandworm APT operates within this intelligence agency. It has advanced and disruptive capabilities to conduct global disinformation, propaganda, espionage, and cyber operations.

GRU, which had previous cyber operations against Estonia in 2007 and Georgia in 2008, has become more visible with the recent cyber operations. Western intelligence agencies attributed the last significant attacks to this agency. While it is difficult to assess whether the GRU is taking a leading role among other special services in conducting operations in cyberspace, it has serious activities.

GRU has capabilities focused on improving both technical and psychological capabilities. For example, the 85th Special Service Center (Unit 26165) and Special Technologies Headquarters (Unit 26165), traditionally responsible for signal intelligence and cryptography, have been responsible for computer-based operations. The 72nd Special Service Center (Unit 54777), which forms the core of the GRU’s psychological warfare team, has been working closely with ‘technical’ units and carrying out cyberattacks through frontline organizations since at least 2014.

Unit 74455 (Sandworm) is credited with creating and distributing malware used for spoofing operations during the 2016 US Presidential election, the NotPetya malware, and Ukraine’s electrical infrastructure attacks.

Russia’s security agencies are in competition with each other and often carry out similar operations on the same targets. Therefore, it becomes difficult to make specific attribution and motivational assessments. However, in some cases, attacks can also be carried out jointly. For example, some of the Sandworm APT group’s attacks were carried out with the help of GRU Unit 26165, the Russian GRU cyber military unit that is part of Fancy Bear (APT28).

On the next page, the special services of Russia involved in cyber operations and the threat groups connected to these services were shared.

sandworm apt group

This blog post comes from the “SandWorm APT Group Cyber Intelligence Report” by the Brandefense CTI Analyst Team. For more details about the analysis, download the report.

Share This: