Sandworm (APT44): Russia’s Most Destructive Cyber Weapon

Introduction

Few cyber actors illustrate the convergence of cyber sabotage, espionage, and military strategy as clearly as Sandworm (also tracked as APT44, VOODOO BEAR, and IRON VIKING). Attributed with high confidence to Russia's GRU (the Main Directorate of the General Staff of the Armed Forces), where it is assessed to operate as Unit 74455, Sandworm has for more than a decade been behind some of the most consequential cyberattacks ever conducted.

The group is credited with the 2015 and 2016 attacks on Ukraine's power grid and with NotPetya, considered one of the most costly cyber incidents to date. By 2025 it had further evolved its operational tradecraft, adopted new wiper families such as AcidPour, and broadened its campaigns against critical infrastructure beyond Ukraine.

Identity and Motivation

Sandworm is also tracked under several other names, including FROZENBARENTS, Seashell Blizzard, ELECTRUM, TeleBots, TEMP.Noble, IRIDIUM, and Blue Echidna. Whatever label a vendor applies, the activity is characterized as that of a GRU-controlled cyber unit.

  • Active Since: Approximately 2009; publicly identified in 2014, with broad awareness following the 2015 Ukrainian grid attack.
  • Motivation: Strategic disruption and espionage in support of Russian geopolitical goals. Sandworm's campaigns frequently coincide with significant military or political events, a clear indicator of its role as an instrument of the state.
  • Category: State-sponsored Advanced Persistent Threat (APT).

Unlike financially motivated ransomware groups, Sandworm's activities are driven by geopolitical and military objectives, and collateral damage is often treated as acceptable or even intended.

[Figure: Brandefense APT profile card for Sandworm (APT44), summarizing attribution, aliases, techniques, and targeting.]

TTPs (Tactics, Techniques and Procedures)

Initial Access

Sandworm continues to exploit internet-facing vulnerabilities, including zero-days, particularly in:

  • VPN appliances and remote access tools.
  • Industrial Control Systems (ICS) and SCADA software.
  • Edge devices and administrative panels.

They also use spear-phishing campaigns posing as government correspondence, and supply-chain compromises (most notably the hijacked M.E.Doc update mechanism used to seed NotPetya).

Persistence and Privilege Escalation

The group deploys custom backdoors for long-term access and typically escalates privileges by:

  • Credential dumping (for example from LSASS memory or the NTDS.dit database) and reuse of stolen service-account credentials.
  • Exploiting Active Directory misconfigurations.
  • Abusing Kerberos tickets (ticket theft and forgery).

Command and Control

Sandworm's command-and-control (C2) infrastructure is multi-channel:

  • HTTP/S, including domain fronting to hide the real C2 endpoint behind a legitimate CDN hostname.
  • Compromised third-party infrastructure to obscure the origin of traffic.
  • Non-standard protocols for low-profile exfiltration.
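The domain-fronting channel above has one observable weakness on networks that terminate TLS: the SNI names a benign CDN-hosted site while the HTTP Host header inside the tunnel names the attacker's origin. The script below is an added example written for this profile, not code from the original article and not Sandworm tooling; it reads a constructed tab-separated proxy log (the format, hostnames, IPs and byte counts are all made up for the example) and reports connections whose SNI and Host header belong to different registrable domains.

```python
"""Flag domain-fronting candidates from TLS-inspecting proxy logs.

Added example for this article; it is not code from the original post and
does not reproduce any Sandworm tooling. With domain fronting the TLS SNI
(and the DNS lookup) name a benign site on a shared CDN, while the HTTP Host
header inside the tunnel names the attacker's CDN-backed origin. A proxy that
terminates TLS and logs both fields makes the mismatch visible.

The tab-separated log format and every hostname, IP and byte count below are
constructed for this example.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """\
ts\tsrc\tdst_ip\tsni\thost\tbytes_out
1700000001\t10.1.4.23\t203.0.113.10\tcdn.example-news.com\tcdn.example-news.com\t1520
1700000002\t10.1.4.23\t203.0.113.10\tcdn.example-news.com\tupdate-telemetry.example-cdn.net\t48210
1700000003\t10.1.4.57\t203.0.113.44\tstatic.example-shop.com\tstatic.example-shop.com\t900
1700000004\t10.1.4.23\t203.0.113.10\tcdn.example-news.com\tupdate-telemetry.example-cdn.net\t51000
1700000005\t10.1.4.99\t203.0.113.90\twww.example-bank.com\tapi.example-bank.com\t300
"""


def registered_domain(name):
    """Crude registrable-domain heuristic: the last two DNS labels.

    A production version should use the Public Suffix List so that names
    such as example.co.uk are handled correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def parse_log(text):
    """Parse the tab-separated proxy log into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def find_fronting(records, min_bytes=0):
    """Group SNI/Host mismatches per (src, dst, sni, host), largest upload first."""
    agg = defaultdict(lambda: {"count": 0, "bytes_out": 0})
    for r in records:
        sni, host = r["sni"].lower(), r["host"].lower()
        # Same registrable domain (www. vs api.) is routine virtual hosting, not fronting.
        if registered_domain(sni) == registered_domain(host):
            continue
        key = (r["src"], r["dst_ip"], sni, host)
        agg[key]["count"] += 1
        agg[key]["bytes_out"] += r["bytes_out"]
    findings = []
    for (src, dst, sni, host), stats in agg.items():
        if stats["bytes_out"] < min_bytes:
            continue
        findings.append({"src": src, "dst_ip": dst, "sni": sni, "host": host, **stats})
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_fronting(parse_log(SAMPLE_LOG)):
        print(finding)
```

The registrable-domain comparison is the important part: a Host header on another subdomain of the same site is ordinary virtual hosting, whereas a Host header on an unrelated domain, repeated from one client with a large outbound byte count, is the fronting pattern. Without TLS inspection the only field available is the SNI, which is exactly what fronting is designed to keep benign, so this check is only as good as the proxy's visibility into the tunnel.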

Malware and Tools

The toolkit includes some of the most notorious malware families ever deployed:

  • BlackEnergy: An early modular backdoor used to gain a foothold in Ukrainian energy companies; it was paired with the KillDisk wiper in the December 2015 power outage.
  • NotPetya: A destructive wiper disguised as ransomware that caused billions of dollars in damage worldwide.
  • Industroyer / CrashOverride: ICS-specific malware that speaks substation protocols (IEC 101, IEC 104, IEC 61850 and OPC DA) natively in order to disrupt electrical substations.
  • Olympic Destroyer: A self-propagating wiper that hit the IT systems of the 2018 Winter Olympics.
  • AcidRain / AcidPour: Linux wipers for embedded devices that brick modems, routers and other telecom equipment by overwriting their flash storage and attached disks.

Collectively, these tools show Sandworm's dual capability for espionage and destruction.

Post-Compromise Techniques

Lateral Movement: PsExec, stolen credentials, and remote management tools; NotPetya additionally spread over SMB using the EternalBlue exploit together with harvested credentials.

Reconnaissance: Mapping ICS/OT environments to choose the point of maximum impact.

Data Exfiltration and Destruction: Stealing sensitive data, then deploying wipers to prevent recovery of the infrastructure.

Target Profile

Sandworm's victims correspond to the military and political interests of Russia:

  • Sectors: Energy (power grids, electricity), telecommunications, defense, finance, government agencies, media outlets, and transportation.
  • Geographies: Ukraine is Sandworm's primary theater. NATO countries and European allies are common secondary targets, and Sandworm operations have caused collateral damage worldwide, including in the U.S. and at multinational corporations.

The group's operational aims are:

1. Degrade or destroy critical infrastructure in adversary states.
2. Disrupt military operations in support of Russian objectives.
3. Undermine public confidence in Western institutions through chaos and outages.

Notable Operations

Ukraine Power Grid Attacks (2015–2016)

In December 2015 Sandworm used BlackEnergy to gain access to three Ukrainian regional distribution companies, then took over their SCADA control systems through the operators' own remote-access tools and opened breakers, leaving roughly 230,000 customers without power; KillDisk was used to wipe workstations and hinder recovery. A second outage followed in December 2016 against a Kyiv transmission substation. These were the first confirmed blackouts caused by a cyber attack.

NotPetya (2017)

Billed as ransomware, NotPetya was in fact a wiper. It was seeded through the compromised update mechanism of M.E.Doc, a Ukrainian tax-accounting package, and then spread across networks using the EternalBlue SMB exploit together with harvested credentials, crippling organizations worldwide including Maersk, FedEx (TNT Express), and Merck. Damages exceeded $10 billion, making it one of the most costly cyber attacks in history.

Industroyer / CrashOverride (2016; Industroyer2 in 2022)

Industroyer was built to speak substation protocols (IEC 101, IEC 104, IEC 61850, OPC DA) directly, issuing protocol-legitimate commands to breakers rather than relying on an operator's HMI; it was used in December 2016 to cut power to part of Kyiv. A successor, Industroyer2, was found in April 2022 targeting Ukrainian high-voltage substations, confirming Sandworm's sustained investment in malware that targets Industrial Control Systems (ICS).

Olympic Destroyer (2018)

During the opening ceremony of the 2018 Winter Olympics in PyeongChang, South Korea, Olympic Destroyer disrupted the Games' IT infrastructure, taking down Wi-Fi, the ticketing website, and display and broadcast systems. The malware also carried deliberately planted false flags pointing at other actors, complicating attribution. The operation showed Sandworm's willingness to conduct disruptive attacks against high-profile global events.

Ukraine War Campaigns (2022–2023)

Since the full-scale invasion of February 2022, Sandworm has run repeated disruptive campaigns against Ukrainian government bodies, telecommunications providers (including the December 2023 outage at Kyivstar, which Ukraine's SBU attributed to the group), and energy companies. These campaigns have frequently been timed to coincide with kinetic military operations.

AcidRain (2022) and AcidPour (2024)

AcidRain, a Linux wiper for embedded devices, was deployed against Viasat KA-SAT satellite modems on 24 February 2022, the morning of the invasion, knocking tens of thousands of terminals offline in Ukraine and across Europe. AcidPour, identified in March 2024, is an x86 variant of AcidRain whose targeting is extended to UBI and device-mapper storage, pointing at routers, switches and other networking gear; it was reportedly deployed against Ukrainian ISPs and critical communications infrastructure with the aim of severing the connectivity on which military operations depend.


Evolution and Recent Developments

Sandworm has moved from a largely espionage-focused operation to a broad, destructive one. Indicators of this shift include:

  • Integration with kinetic warfare: cyber operations timed and targeted to support Russian military operations.
  • Focus on OT/ICS disruption: increasingly sophisticated malware purpose-built to take down industrial infrastructure (Industroyer, Industroyer2).
  • New wiper generations: AcidRain and AcidPour extend destructive capability to Linux-based network and telecom devices, while intrusions increasingly pair data theft with destruction.
  • Global collateral: willingness to cause disruption well outside Ukraine, as NotPetya demonstrated.

As of 2025, Sandworm is arguably the most destructive state-backed APT on record.

Conclusion

Sandworm's capabilities represent the apex of state-sponsored destructive hacking. Unlike a typical espionage-focused APT, Sandworm's distinguishing feature is its ability to sabotage at scale. Its campaigns show that cyber capabilities can do far more than spy on targets: they can disrupt and incapacitate nations and economies, and serve as a strategic extension of force in warfare.

From a defender's perspective, the critical lessons are:

  • Critical Infrastructure Defense: Segment IT from OT, and restrict and monitor the remote-access paths (VPNs, jump hosts) that bridge them, since those were the routes used in the 2015 grid attack.
  • Patch Management: Prioritize internet-facing edge devices and VPN appliances, and assume zero-day exploitation of them rather than waiting for a patch to be the only control.
  • Incident Readiness: Keep offline, immutable backups and regularly test full restoration; a wiper intrusion is a rebuild scenario, not a decrypt scenario.
  • Threat Hunting: Hunt for living-off-the-land behaviors (PsExec, WMI, scheduled tasks, credential dumping) and for shifts in ICS traffic patterns, such as a new host issuing control commands or a burst of breaker operations.

As geopolitical tensions between Russia and the West escalate, Sandworm's operations will remain at the core of continued global risk and uncertainty. Sandworm is not just another APT; it is a cyberweapon that the Russian state employs as part of hybrid warfare, with devastating implications.
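The ICS-traffic part of that hunting advice can be made concrete with a learned baseline. The script below is an added example for this profile, not code from the original article or from any vendor product: it learns which hosts send which IEC 60870-5-104 ASDU types to which outstations during a quiet period, then flags control commands from a host that never issued them, commands to a new source/destination pair, and bursts of commands, which is how an Industroyer-style operation looks on the wire. The flow records are constructed tuples of (timestamp, source, destination, ASDU type); in practice they would come from a protocol-aware sensor or a span-port capture.

```python
"""Baseline-and-deviation hunting for IEC 60870-5-104 control traffic.

Added example for this article, not code from the original post or from any
vendor product. Industroyer-class malware issues protocol-legitimate control
commands (open breaker, set point) from a host that has no business doing so,
often in rapid bursts. A learned baseline of which hosts send which ASDU types
to which outstations exposes both symptoms.

Flow records are constructed tuples of (timestamp, src, dst, asdu_type).
"""
from collections import defaultdict

# IEC 104 type identifiers for control-direction commands:
# 45-51 C_SC/C_DC/C_RC/C_SE/C_BO without time tag, 58-64 the same with CP56Time2a.
CONTROL_ASDU = {45, 46, 47, 48, 49, 50, 51, 58, 59, 60, 61, 62, 63, 64}

# Constructed learning-period traffic: one HMI (10.20.0.5) polls two RTUs and
# occasionally issues a single command; an RTU streams measured values back.
BASELINE_FLOWS = (
    [(t, "10.20.0.5", "10.20.1.10", 100) for t in range(0, 3600, 600)]   # C_IC_NA_1 interrogation
    + [(t, "10.20.1.10", "10.20.0.5", 13) for t in range(0, 3600, 5)]    # M_ME_NC_1 measured values
    + [(1200, "10.20.0.5", "10.20.1.10", 45), (2400, "10.20.0.5", "10.20.1.11", 45)]
)

# Constructed monitoring-period traffic: normal activity, then an engineering
# workstation that never issued commands before fires 20 double-commands at
# four outstations in 20 seconds.
LIVE_FLOWS = (
    [(4000, "10.20.1.10", "10.20.0.5", 13),
     (4010, "10.20.0.5", "10.20.1.10", 100),
     (4020, "10.20.0.5", "10.20.1.10", 45)]
    + [(4100 + i, "10.20.0.77", "10.20.1.%d" % (10 + i % 4), 46) for i in range(20)]
)


def learn_baseline(flows):
    """Record every (src, dst, asdu_type) seen and which hosts sent control ASDUs."""
    pairs, controllers = set(), set()
    for _, src, dst, asdu in flows:
        pairs.add((src, dst, asdu))
        if asdu in CONTROL_ASDU:
            controllers.add(src)
    return {"pairs": pairs, "controllers": controllers}


def detect_anomalies(baseline, flows, burst_n=5, burst_window=10):
    """Return (kind, ts, src, dst, asdu) alerts for deviations from the baseline."""
    alerts = []
    recent = defaultdict(list)   # src -> timestamps of recent control commands
    bursting = set()             # sources already alerted for the current burst
    for ts, src, dst, asdu in sorted(flows):
        if asdu not in CONTROL_ASDU:
            if (src, dst, asdu) not in baseline["pairs"]:
                alerts.append(("new_flow", ts, src, dst, asdu))
            continue
        if src not in baseline["controllers"]:
            alerts.append(("control_from_unknown_host", ts, src, dst, asdu))
        elif (src, dst, asdu) not in baseline["pairs"]:
            alerts.append(("new_control_pair", ts, src, dst, asdu))
        # Sliding-window burst detection per source, alerting once per burst.
        window = recent[src]
        window.append(ts)
        while ts - window[0] > burst_window:
            window.pop(0)
        if len(window) >= burst_n and src not in bursting:
            bursting.add(src)
            alerts.append(("control_burst", ts, src, dst, asdu))
        elif len(window) < burst_n:
            bursting.discard(src)
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for alert in detect_anomalies(base, LIVE_FLOWS):
        print(alert)
```

Two design points matter here. The baseline is keyed on the control direction only, because measured-value traffic is noisy and an attacker's commands are indistinguishable from an operator's at the protocol level; what gives them away is the sender and the tempo. And the burst alert fires once per burst rather than once per command, so a rapid sequence of breaker operations produces a single high-priority alert alongside the per-command ones rather than drowning them.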
