DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Sandworm

Also known as: Voodoo Bear, IRIDIUM, Seashell Blizzard, TeleBots, Black Energy, Quedagh, Iron Viking, Hades, Olympic Destroyer

Status: Active | Sophistication: Nation-state | Origin: Russia | MITRE: G0034

Campaigns: 0 | Techniques: 29 | IOCs: 5 | Tools: 19 | Matches: 0 | Infrastructure: 3

Overview

Sandworm Team is a Russian state-sponsored destructive threat actor attributed to GRU Military Unit 74455 (the Main Center for Special Technologies, GTsST). Active since at least 2009, the group is responsible for some of the most destructive cyberattacks on record, including the NotPetya wiper outbreak of June 2017, which caused an estimated $10 billion or more in damage worldwide.

The group specializes in disruptive and destructive operations against critical infrastructure, above all Ukraine's power grid. Sandworm carried out the December 2015 (BlackEnergy/KillDisk) and December 2016 (Industroyer) attacks on Ukrainian electricity distribution, the first confirmed cyberattacks to cause power outages. It has also targeted the 2018 Winter Olympics (Olympic Destroyer), Georgian media and government websites (2019), and the 2017 French presidential election.

Since Russia's February 2022 invasion of Ukraine, Sandworm has run a sustained campaign of wiper deployments (CaddyWiper, HermeticWiper, IsaacWiper, AcidRain) and renewed ICS attacks (Industroyer2 in April 2022, and a further power-disrupting operation in October 2022 that coincided with missile strikes on Ukrainian infrastructure) against Ukrainian government, energy and telecommunications targets. WhisperGate, listed among this profile's tools, belongs to the same January 2022 wiper wave but is attributed by Microsoft to a separate GRU-linked actor (Cadet Blizzard / DEV-0586); treat its inclusion here as related activity rather than a confirmed Sandworm tool.

Motivations

Sabotage, Disruption, Information Operations, Espionage

Target Sectors

Energy, Government, Critical Infrastructure, Transportation, Financial Services, Media, Telecommunications, Sports Organizations, Industrial Control Systems

Activity Timeline

First Seen: Jan 2009

Last Seen: Jan 2024

Quick Facts

Origin: Russia
Sophistication: Nation-state
Status: Active
MITRE Group: G0034

MITRE ATT&CK Techniques

(29)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

Other

T1195.002

Compromise Software Supply Chain

Trojanize a legitimate software update channel; NotPetya was delivered through the M.E.Doc update mechanism.

T1561.002

Disk Structure Wipe

Overwrite the MBR, partition tables or other on-disk structures so the system cannot boot; the core action of KillDisk, HermeticWiper, CaddyWiper and IsaacWiper.

T1071.001

Web Protocols

Carry command-and-control traffic over HTTP/HTTPS so it blends with normal web traffic.

T1562.001

Disable or Modify Tools

Stop or tamper with security software before destructive payloads run.

T1070.004

File Deletion

Delete tools, logs or staging files to hinder forensic recovery.

T1210

Exploitation of Remote Services

Exploit vulnerabilities in services reachable inside the network for lateral movement; NotPetya used the EternalBlue and EternalRomance SMB exploits.

T1569.002

Service Execution

Create or start a Windows service on a remote host to run a payload, as PsExec does with its PSEXESVC service.

T1204.002

Malicious File

Rely on a user opening a malicious document or executable delivered by spearphishing.

T1550

Use Alternate Authentication Material

Authenticate with stolen hashes, tickets or tokens instead of passwords, for example pass-the-hash with Mimikatz-harvested credentials.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom; Sandworm's NotPetya used encryption as a wiper, presenting a ransom note but no viable recovery path.

T1485

Data Destruction

Destroy data and files on victim systems to disrupt operations.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Discovery

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Lateral Movement

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Credential Access

T1003

OS Credential Dumping

Dump credentials from the operating system or security software.

T1558

Steal or Forge Kerberos Tickets

Steal or forge Kerberos tickets to access resources without credentials.

Tools & Malware

(19)

NotPetya

Malware (malicious)

Destructive wiper disguised as ransomware. Delivered in June 2017 through a supply-chain compromise of the M.E.Doc accounting software update channel in Ukraine, then spread inside networks using the EternalBlue/EternalRomance SMB exploits and stolen credentials via PsExec and WMIC. Caused $10+ billion in global damages; its "ransom" path offered no working decryption.

Industroyer

Malware (malicious)

ICS-targeting malware (also tracked as CRASHOVERRIDE by Dragos) with modules that speak electrical grid protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), plus a wiper and a denial-of-service module for Siemens SIPROTEC relays. Caused the December 2016 Kyiv power outage.

Industroyer2

Malware (malicious)

Streamlined rebuild of Industroyer that speaks only IEC 60870-5-104, with the target stations and information object addresses hard-coded into the binary. Deployed against a Ukrainian energy provider's high-voltage substations in April 2022 alongside CaddyWiper; the attack was detected and disrupted by CERT-UA and ESET before it caused an outage.
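Both Industroyer entries above come down to one thing: sending IEC 60870-5-104 control commands to substation RTUs. The decoder below is an added example written for this page (it is not DFIRLab's code and contains nothing from Industroyer); it parses the APCI/ASDU layers and flags the ASDU types that command the process (single/double commands, set points), which is what a substation network sensor should alert on when they arrive from anything but the SCADA master. The frames in SAMPLE_FRAMES are hand-constructed; common address 1 and IOA 1282 are arbitrary, not real substation points.

```python
"""IEC 60870-5-104 APDU decoder with a control-command detector (added example)."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# ASDU type IDs that command the process: the ones Industroyer/Industroyer2 abused.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalized)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    58: "C_SC_TA_1 single command + CP56Time2a", 59: "C_DC_TA_1 double command + CP56Time2a",
}
# Information-element length (bytes after the 3-byte IOA) for the types handled here.
ELEMENT_LEN = {1: 1, 3: 1, 13: 5, 30: 8, 45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 58: 8, 59: 8, 100: 1}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             10: "activation termination", 20: "interrogated by station"}

@dataclass
class Apdu:
    fmt: str                                   # "I" (data), "S" (ack) or "U" (link control)
    type_id: int | None = None
    cot: int | None = None                     # cause of transmission, low 6 bits
    common_addr: int | None = None             # station (common) address
    objects: list = field(default_factory=list)  # [(ioa, element bytes)]

def parse_apdu(buf: bytes) -> Apdu:
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC-104 APDU: bad start byte or too short")
    if buf[1] + 2 != len(buf):
        raise ValueError(f"APDU length field {buf[1]} != {len(buf) - 2}")
    cf1 = buf[2]                               # control field 1 selects the frame format
    fmt = "I" if cf1 & 0x01 == 0 else ("S" if cf1 & 0x03 == 0x01 else "U")
    apdu = Apdu(fmt)
    if fmt != "I":
        return apdu                            # S/U frames carry no ASDU
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("I-frame too short for an ASDU header")
    type_id, vsq, cot, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    apdu.type_id, apdu.cot, apdu.common_addr = type_id, cot & 0x3F, ca
    count, sequential = vsq & 0x7F, bool(vsq & 0x80)
    elen = ELEMENT_LEN.get(type_id)
    if elen is None:
        apdu.objects.append((None, asdu[6:]))  # unknown type: keep the raw payload
        return apdu
    pos, base_ioa = 6, 0
    for i in range(count):
        if i == 0 or not sequential:           # SQ=1: one IOA, then consecutive objects
            if pos + 3 > len(asdu):
                raise ValueError("truncated information object address")
            base_ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
            ioa = base_ioa
        else:
            ioa = base_ioa + i
        if pos + elen > len(asdu):
            raise ValueError("truncated information element")
        apdu.objects.append((ioa, asdu[pos:pos + elen]))
        pos += elen
    return apdu

def classify_commands(apdu: Apdu) -> list[dict]:
    """One finding per control object; empty for monitoring data and S/U frames."""
    findings = []
    if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES:
        return findings
    for ioa, elem in apdu.objects:
        # Qualifier byte: SCO/DCO/RCO is first; for set points the QOS byte is last.
        qual = elem[-1] if apdu.type_id in (48, 49, 50) else elem[0]
        if apdu.type_id in (45, 58):
            state = "ON" if qual & 0x01 else "OFF"
        elif apdu.type_id in (46, 59):
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "invalid")
        elif apdu.type_id == 47:
            state = {1: "step lower", 2: "step higher"}.get(qual & 0x03, "invalid")
        else:
            state = "set point"
        findings.append({"type": CONTROL_TYPES[apdu.type_id], "common_addr": apdu.common_addr,
                         "ioa": ioa, "state": state, "select": bool(qual & 0x80),
                         "cot": COT_NAMES.get(apdu.cot, str(apdu.cot))})
    return findings

# Constructed frames (APCI first). Not captured traffic.
SAMPLE_FRAMES = {
    # I-frame, C_DC_NA_1, COT=activation, CA=1, IOA=1282, DCO=0x01 (DCS=OFF, execute)
    "double_command_off": bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 01 00 02 05 00 01"),
    # I-frame, C_SC_NA_1, COT=activation, CA=1, IOA=1, SCO=0x81 (SCS=ON, select)
    "single_command_select_on": bytes.fromhex("68 0e 04 00 00 00 2d 01 06 00 01 00 01 00 00 81"),
    # I-frame, M_SP_NA_1 spontaneous single-point status: monitoring data, no alert
    "spontaneous_status": bytes.fromhex("68 0e 02 00 00 00 01 01 03 00 01 00 02 05 00 01"),
    # U-frame TESTFR act: link keep-alive, no ASDU
    "testfr_act": bytes.fromhex("68 04 43 00 00 00"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        for f in classify_commands(parse_apdu(frame)):
            print(f"ALERT {name}: {f['type']} CA={f['common_addr']} IOA={f['ioa']} "
                  f"{f['state']} select={f['select']} cot={f['cot']}")
```

In a real deployment the finding would be joined with the TCP source address: commands with COT activation from any host that is not the allowlisted SCADA master, or to an IOA outside the engineering baseline, are the high-confidence signal; Industroyer2 carried its target addresses in the binary, so the IOAs it hit were known points, and the source was the wrong one.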

CaddyWiper

Malware (malicious)

Destructive wiper first seen in Ukraine on 14 March 2022 and pushed to hosts through Group Policy. Overwrites files on all drives and then the partition information of physical disks; it checks whether the host is a domain controller and spares it, so the operators keep their deployment channel while everything else is rendered unrecoverable.

HermeticWiper

Malware (malicious)

Deployed on 23 February 2022, hours before Russia's invasion of Ukraine, and signed with a certificate issued to Hermetica Digital Ltd. Loads the legitimate EaseUS Partition Master driver (empntdrv.sys) and uses it to corrupt the MBR, partition tables and NTFS metadata; accompanied by the HermeticWizard SMB/WMI spreader and the HermeticRansom decoy.

WhisperGate

Malware (malicious)

Multi-stage destructive malware seen on Ukrainian government systems in January 2022. The first stage overwrites the MBR with a fake ransom note; a later stage corrupts files with targeted extensions, so recovery is impossible regardless of payment. Microsoft attributes WhisperGate to a separate GRU-linked actor (Cadet Blizzard / DEV-0586); it is listed here for the overlapping January 2022 wiper wave, not as a confirmed Sandworm tool.

AcidRain

Malware (malicious)

ELF wiper for MIPS-based embedded devices. Bricked Viasat KA-SAT satellite modems across Europe on 24 February 2022, the first day of Russia's invasion, by overwriting flash and block devices, disrupting Ukrainian military communications. SentinelOne's analysis noted code overlap with the VPNFilter "dstr" destruction plugin.

Olympic Destroyer

Malware (malicious)

Destructive malware detonated during the opening ceremony of the 2018 Pyeongchang Winter Olympics. Spread with harvested credentials and deleted shadow copies, event logs and boot configuration to take IT systems down; the code carried deliberate false flags, including artifacts imitating Lazarus Group tooling, to confuse attribution.

BlackEnergy

Malware (malicious)

Modular trojan that gave the operators their foothold and persistence in the December 2015 Ukraine power grid attack, delivered by spearphishing with macro-laden Office documents. The breakers were opened by the operators themselves, using stolen VPN credentials and remote control of the operator HMIs, after which KillDisk was run to destroy workstations and hamper recovery. This was the first confirmed cyber-caused blackout.

Cyclops Blink

Malware (malicious)

Modular Linux botnet malware that succeeded VPNFilter, targeting WatchGuard Firebox appliances and ASUS routers. Provides persistent access and C2 relay capabilities; the botnet was disrupted by an FBI operation in April 2022.

GreyEnergy

Malware (malicious)

Successor to BlackEnergy, documented by ESET in 2018 and used for espionage against energy-sector organizations in Ukraine and Poland. Stealthier modular architecture; an espionage-first toolkit of the kind that precedes destructive action.

Exaramel

Malware (malicious)

Backdoor for Windows and Linux with encrypted C2 communication. The Windows variant shares code with Industroyer's main backdoor, which is the link ESET used to tie Industroyer to TeleBots/Sandworm; the Linux variant, together with the P.A.S. web shell, was found in the Centreon intrusions analysed by ANSSI. Used for persistent access in critical infrastructure environments.

KillDisk

Malware (malicious)

Disk-wiping component run after the BlackEnergy (2015) and Industroyer (2016) operations. Overwrites files with random data, clears event logs and corrupts the MBR to prevent system recovery; later variants masqueraded as ransomware.

Cobalt Strike

Framework (legitimate, abused)

Used as a post-exploitation tool for lateral movement and command execution before destructive payloads are deployed in target networks.

Mimikatz

Framework (legitimate, abused)

Used for credential harvesting to enable lateral movement across enterprise networks, so that wiper malware can be pushed to as many endpoints as possible before detonation. NotPetya bundled a Mimikatz-derived credential stealer for the same purpose.

PowerShell

OS utility (legitimate, abused)

Used for reconnaissance, disabling security tools, and deploying secondary payloads. Often used to distribute wiper malware via Group Policy.

PsExec

Legitimate tool (abused)

Sysinternals tool used to run a wiper on many hosts at once: it copies the payload over ADMIN$ and starts it through a remote service (PSEXESVC), so the destructive payload detonates across the network simultaneously. NotPetya carried an embedded copy.
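The PsExec and Mimikatz entries above, and the T1021.002/T1569.002 techniques earlier on this page, describe one observable pattern: a single account fanning out to many hosts over ADMIN$ and installing the same service everywhere within minutes. The detector below is an added example written for this page, not DFIRLab's code; it runs over constructed records shaped like Windows Security 5145 (network share object accessed) and System 7045 (service installed) events after JSON export. Host names, IPs, account names and timestamps are invented, and the thresholds are assumptions to tune per environment.

```python
"""Fan-out detector for PsExec-style mass deployment (added example)."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")

def build_sample_events() -> list[dict]:
    """Constructed telemetry: one account touches six hosts in about a minute,
    installing the same service on each; a separate admin touches two file servers
    half an hour apart. Nothing here is real log data."""
    events = []
    base = datetime(2024, 1, 15, 9, 0, 0)
    for n in range(6):
        host, t = f"WS-{11 + n:03d}", base + timedelta(seconds=10 * n)
        events.append({"ts": t, "event_id": 5145, "computer": host, "ip": "10.20.0.50",
                       "user": r"CORP\svc_deploy", "share": r"\\*\ADMIN$"})
        events.append({"ts": t + timedelta(seconds=2), "event_id": 7045, "computer": host,
                       "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"})
    for n, host in enumerate(("FS-01", "FS-02")):
        events.append({"ts": base + timedelta(minutes=30 * (n + 1)), "event_id": 5145,
                       "computer": host, "ip": "10.20.0.7", "user": r"CORP\jdoe",
                       "share": r"\\*\C$"})
    return events

def _fanout(keyed: dict, window: timedelta, threshold: int) -> list[dict]:
    """For each key, report the first moment `threshold` distinct hosts fall inside `window`."""
    findings = []
    for key, hits in keyed.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings.append({"key": key, "hosts": sorted(hosts), "first_seen": t0})
                break
    return findings

def detect_share_fanout(events, window=timedelta(minutes=5), threshold=5) -> list[dict]:
    """One source IP + account opening ADMIN$ or C$ on many hosts in a short window."""
    keyed = defaultdict(list)
    for e in events:
        if e["event_id"] == 5145 and e["share"].upper().endswith(ADMIN_SHARES):
            keyed[(e["ip"], e["user"])].append((e["ts"], e["computer"]))
    return _fanout(keyed, window, threshold)

def detect_service_burst(events, window=timedelta(minutes=5), threshold=5) -> list[dict]:
    """The same service name + image path installed on many hosts in a short window.
    Keying on the pair also catches PsExec renamed with -r, or a custom wiper service."""
    keyed = defaultdict(list)
    for e in events:
        if e["event_id"] == 7045:
            keyed[(e["service"], e["image_path"])].append((e["ts"], e["computer"]))
    return _fanout(keyed, window, threshold)

def correlate(events) -> list[dict]:
    """Pair a share fan-out with a service burst that landed on overlapping hosts."""
    findings = []
    for s in detect_share_fanout(events):
        for v in detect_service_burst(events):
            common = sorted(set(s["hosts"]) & set(v["hosts"]))
            if common:
                findings.append({"source_ip": s["key"][0], "user": s["key"][1],
                                 "service": v["key"][0], "image_path": v["key"][1],
                                 "hosts": common, "first_seen": s["first_seen"]})
    return findings

if __name__ == "__main__":
    for f in correlate(build_sample_events()):
        print(f"ALERT {f['source_ip']} ({f['user']}) installed {f['service']} "
              f"on {len(f['hosts'])} hosts: {', '.join(f['hosts'])}")
```

The two detectors are deliberately independent: 5145 needs share-object auditing enabled and 7045 is logged by default, so either alone gives coverage, while the correlation is what turns a noisy "admin touched a few hosts" into a deployment alert worth paging on.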

IsaacWiper

Malware (malicious)

Wiper found in a Ukrainian government network on 24 February 2022, with no code overlap with HermeticWiper. Enumerates physical drives and then every logical volume and overwrites them with pseudo-random data from the ISAAC generator; a later build added a debug log that the operators apparently used to work out why some hosts survived.

P.A.S. Webshell

Backdoor (malicious)

PHP web shell used for persistent access to compromised web servers. ANSSI's 2021 analysis of the Centreon intrusions found it deployed alongside the Linux Exaramel backdoor and linked that activity to Sandworm.

Indicators of Compromise

(5)

IOC values are defanged for safety.

Type   | Value                            | Notes
domain | vpnfilter[.]net                  | C2 domain linked to VPNFilter botnet campaign
ip     | 176[.]119[.]147[.]225            | Cyclops Blink C2 infrastructure
ip     | 91[.]245[.]255[.]243             | Infrastructure used in Ukraine targeting operations
hash   | 027cc450ef5f8c5f653329641ec1fed9 | NotPetya ransomware/wiper (labelled MD5)
hash   | a196c6b8ffcb97ffb9f1d45a17eeead7 | Industroyer2 ICS-targeting malware (MD5)

Verify hashes against a trusted source before loading them into detection: the NotPetya value above is identical to the first 32 hex digits of the widely published SHA-256 of the NotPetya DLL, so it may be a truncated SHA-256 rather than a distinct MD5.
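Before the table above goes into a blocklist or a SIEM lookup, the values need refanging and the claimed types need checking against what the value actually is (a 32-hex string is an MD5 whatever the label says, and a 40-hex string labelled SHA-256 is a data-entry error). The normalizer below is an added example written for this page, not DFIRLab's code. The first five rows are the indicators published above; the sixth is a constructed row with an obviously fake digest, included only to show the mismatch check.

```python
"""Refang and type-check a defanged IOC table (added example)."""
from __future__ import annotations
import ipaddress
import re

DEFANG_REPLACEMENTS = (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[/]", "/"),
                       ("hxxps://", "https://"), ("hxxp://", "http://"))
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def refang(value: str) -> str:
    out = value.strip()
    for masked, real in DEFANG_REPLACEMENTS:
        out = out.replace(masked, real)
    return out

def defang(value: str) -> str:
    """Mask scheme and dots so the value cannot be clicked or resolved by accident."""
    if value.lower().startswith("http"):
        value = "hxxp" + value[4:]
    return value.replace(".", "[.]")

def detect_type(value: str) -> str:
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"

def normalize(rows: list[tuple[str, str, str]]) -> list[dict]:
    """rows: (claimed_type, defanged_value, note). A generic 'hash' label is consistent
    with any digest; 'ip', 'domain', 'url' or a named digest must match exactly."""
    out = []
    for claimed, raw, note in rows:
        value = refang(raw)
        detected = detect_type(value)
        label = claimed.lower()
        consistent = (label == "hash" and detected in HASH_LENGTHS.values()) or label == detected
        out.append({"claimed": claimed, "detected": detected, "value": value,
                    "defanged": defang(value) if detected in ("ip", "domain", "url") else value,
                    "consistent": consistent, "note": note})
    return out

PAGE_IOCS = [
    ("domain", "vpnfilter[.]net", "C2 domain linked to VPNFilter botnet campaign"),
    ("ip", "176[.]119[.]147[.]225", "Cyclops Blink C2 infrastructure"),
    ("ip", "91[.]245[.]255[.]243", "Infrastructure used in Ukraine targeting operations"),
    ("hash", "027cc450ef5f8c5f653329641ec1fed9", "NotPetya ransomware/wiper (MD5)"),
    ("hash", "a196c6b8ffcb97ffb9f1d45a17eeead7", "Industroyer2 ICS-targeting malware (MD5)"),
    # Constructed row, not a real indicator: labelled sha256 but only 40 hex digits.
    ("sha256", "deadbeef" * 5, "constructed example to exercise the mismatch check"),
]

if __name__ == "__main__":
    for r in normalize(PAGE_IOCS):
        flag = "" if r["consistent"] else "  <-- label/format mismatch"
        print(f"{r['claimed']:7} {r['detected']:7} {r['value']}{flag}")
```

Rejecting inconsistent rows at ingest is cheaper than chasing why a "SHA-256" rule never fires; the round trip defang(refang(x)) == x for domains and IPs is also a useful unit test for any feed you write back out.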

Infrastructure

(3)

Domain values are defanged for safety.

Domain / Host         | Type | Status  | Last Checked | Notes
vpnfilter[.]net       | C2   | active  | Apr 2, 2026  | C2 domain linked to VPNFilter botnet campaign
176[.]119[.]147[.]225 | IP   | active  | Apr 2, 2026  | Cyclops Blink C2 infrastructure
91[.]245[.]255[.]243  | IP   | offline | Apr 2, 2026  | Infrastructure used in Ukraine targeting operations

Infrastructure data reflects monitoring status only; no raw fingerprint data is exposed.

References

(9)

MITRE ATT&CK - Sandworm Team

https://attack.mitre.org/groups/G0034/

U.S. DOJ - Six Russian GRU Officers Charged

https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware

Mandiant - Sandworm Disrupts Power in Ukraine

https://www.mandiant.com/resources/sandworm-disrupts-power-ukraine-operational-technology

Sandworm (Mandiant report)

https://www.mandiant.com/resources/blog/apt-attack-ukrainian-critical-infrastructure

Industroyer: Biggest threat to industrial control systems since Stuxnet

https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

Industroyer2: Sandworm conducts attacks against Ukrainian energy sector

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

CaddyWiper: New wiper malware targeting Ukrainian organizations

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

AcidRain: A wiper rains down on Europe (Viasat attack analysis)

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations

https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and