NOVEMBER 23, 2025
Few cyber actors today embody the combination of cyber sabotage, espionage, and military strategy as completely as Sandworm (also known as APT44, VOODOO BEAR, and IRON VIKING). Assessed with high confidence to have operated on behalf of Russia’s GRU (Main Directorate of the General Staff) for over a decade, Sandworm is behind some of the most consequential cyberattacks ever conducted.
The group is credited with attacks that took down Ukrainian power grids and is held responsible for NotPetya, considered one of the costliest cyber incidents to date. By 2025, the group had demonstrated further evolution in operational tradecraft, integrated several new wiper families, such as AcidPour, and broadened its campaigns against critical infrastructure globally.
Sandworm also operates under multiple other names, such as FROZENBARENTS, Seashell Blizzard, ELECTRUM, TeleBots, TEMP.Noble, IRIDIUM, and Blue Echidna. Whichever name is used, the actor is ultimately characterized as a GRU-controlled cyber unit.
Unlike financially motivated ransomware groups, Sandworm’s activities are motivated by geopolitical and military objectives, and collateral damage is often considered acceptable, or even intentional.

Initial Access
Sandworm continues to exhibit proficiency in the exploitation of internet-facing vulnerabilities and zero-days, particularly in the following areas:
They also utilize spear-phishing campaigns posing as government correspondence, as well as supply-chain compromises.
The group deploys custom backdoors to maintain long-term access, typically achieving privilege escalation by the following means:
Sandworm employs multi-channel C2 infrastructure:
The toolkit includes some of the most notorious malware families ever used:
Collectively, these tools demonstrate Sandworm’s dual capability for espionage and destruction.
Lateral Movement: PsExec, stolen credentials, remote management tools.
Reconnaissance: Targeting ICS/OT environments to deliver maximum impact.
Data Exfiltration + Destruction: Stealing sensitive data followed by wipers to inhibit the recovery of the infrastructure.
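The lateral-movement pattern listed above (PsExec plus stolen credentials) leaves a recognizable trace on the target host: a network logon (Security event 4624, logon type 3) followed within seconds by a new service being installed (System event 7045), and in the default PsExec case the service is named PSEXESVC. The script below is an added example written for this article, not tooling from the article or from any vendor; it assumes the two event types have already been parsed into plain dictionaries by a log pipeline, and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta
import ntpath

# Constructed sample events (not from the article), already parsed from Windows logs.
# Security 4624 = successful logon (logon_type 3 = network); System 7045 = new service installed.
SAMPLE_EVENTS = [
    {"ts": "2025-11-23T10:00:01", "host": "FILESRV01", "event_id": 4624,
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-11-23T10:00:04", "host": "FILESRV01", "event_id": 7045,
     "account": "CORP\\svc_backup", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Renamed service binary on an OT host: no PsExec name, but still a remote install
    {"ts": "2025-11-23T10:07:30", "host": "HMI-OT-02", "event_id": 4624,
     "account": "CORP\\admin_j", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-11-23T10:07:33", "host": "HMI-OT-02", "event_id": 7045,
     "account": "CORP\\admin_j", "service_name": "WinUpdSvc",
     "image_path": "C:\\Windows\\winupd.exe"},
    # Benign: interactive logon (type 2) followed by a software installer's service
    {"ts": "2025-11-23T11:00:00", "host": "WS-042", "event_id": 4624,
     "account": "CORP\\alice", "logon_type": 2, "src_ip": "-"},
    {"ts": "2025-11-23T11:00:02", "host": "WS-042", "event_id": 7045,
     "account": "CORP\\alice", "service_name": "AdobeUpdateSvc",
     "image_path": "\"C:\\Program Files\\Adobe\\update.exe\""},
    # PsExec service with no network logon inside the correlation window
    {"ts": "2025-11-23T12:00:00", "host": "FILESRV01", "event_id": 7045,
     "account": "CORP\\svc_backup", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyze_service_installs(events, window_seconds=60):
    """Return one alert per suspicious 7045 event.

    Two independent signals are checked:
      psexec_service         - service name or binary matches PsExec's default PSEXESVC
      remote_service_install - a type-3 logon for the same account on the same host
                               occurred within window_seconds before the install
    """
    ordered = sorted(events, key=_ts)
    net_logons = [e for e in ordered
                  if e["event_id"] == 4624 and e.get("logon_type") == 3]
    alerts = []
    for ev in ordered:
        if ev["event_id"] != 7045:
            continue
        reasons, src_ip = [], None
        name = ev.get("service_name", "").lower()
        binary = ntpath.basename(ev.get("image_path", "").strip('"')).lower()
        if name == "psexesvc" or binary == "psexesvc.exe":
            reasons.append("psexec_service")
        window_start = _ts(ev) - timedelta(seconds=window_seconds)
        for logon in net_logons:
            if (logon["host"] == ev["host"]
                    and logon["account"].lower() == ev["account"].lower()
                    and window_start <= _ts(logon) <= _ts(ev)):
                reasons.append("remote_service_install")
                src_ip = logon["src_ip"]
                break
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "account": ev["account"],
                           "service_name": ev["service_name"], "image_path": ev["image_path"],
                           "src_ip": src_ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_service_installs(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["service_name"], alert["reasons"], alert["src_ip"])
```

The second signal matters more than the first: renaming the PsExec service defeats the name match, but a remote logon immediately followed by a service install is the behaviour itself, and on an ICS/OT host that pairing should be rare enough to page on. Tune the window and add an allow-list for known deployment accounts before putting this in front of an analyst.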
Sandworm’s victims correspond to the military and political interests of Russia:
The group’s objectives are:
1. Ruin critical infrastructure in enemy states.
2. Disrupt military operations on behalf of Russia.
3. Undermine public belief in Western institutions by creating chaos and outages.
Ukraine Power Grid Attacks (2015–2016)
Sandworm employed BlackEnergy malware to disrupt SCADA systems in Ukraine, causing power outages that left hundreds of thousands of people without electricity. These were the first confirmed blackouts caused by a cyber attack.
Although it presented itself as ransomware, NotPetya was really wiper malware. It spread quickly via compromised Ukrainian tax software and had devastating effects on businesses across the world, including well-known companies such as Maersk, FedEx, and Merck. The attack resulted in more than $10 billion in damages and was one of the costliest cyber attacks in history.
Industroyer was specifically designed to speak industrial protocols, targeting electrical substations in Ukraine and demonstrating Sandworm’s expertise in malware that targets Industrial Control Systems (ICS).
During the Winter Olympics in PyeongChang, South Korea, Sandworm disrupted IT infrastructure by disabling Wi-Fi connectivity, ticketing, and broadcasting operations. The incident highlighted Sandworm’s ability to conduct high-profile disruptive attacks with global visibility.
As the Russian invasion of Ukraine unfolded, Sandworm launched multiple disruptive campaigns against Ukrainian government entities, telecommunication providers, and energy entities. Disruptive campaigns would often coincide with kinetic military campaigns.
Sandworm developed newer wiper families, including AcidPour, to not only wipe but exfiltrate sensitive military and telecommunication information. AcidPour was primarily deployed against Ukrainian ISPs and critical communications infrastructure to disrupt and sever command and control over adversary military engagements.

Sandworm has transitioned from a conventional espionage-focused operation to an expansive, destructive one. Indicators of this transition include:
As of 2025, Sandworm is most likely the most destructive state-backed APT in history.
The cyber-attack capabilities of Sandworm represent the apex of state-sponsored destructive hacking. Unlike a typical APT focused on espionage, the distinguishing feature of Sandworm is its ability to sabotage at scale. Sandworm’s campaigns illustrate that cyber capabilities can do far more than just spy on targets—they can disrupt and incapacitate nations and economies and be a strategic extension of force in warfare.
From a defender’s perspective, a critical lesson is:
As geopolitical tensions between Russia and the West escalate, Sandworm’s operations will be at the core of continued global risk and uncertainty. Sandworm is not just another APT; it is a cyberweapon. The Russian state employs Sandworm in the context of hybrid warfare — with devastating implications.