
Sandworm: Inside Russia's Most Destructive Cyber Weapon

In October 2020, the United States Department of Justice unsealed an indictment naming six Russian military intelligence officers responsible for some of the most destructive cyberattacks ever recorded. The officers belonged to GRU Unit 74455, also known as the Main Centre for Special Technologies. In the intelligence community, they are known by a different name: Sandworm.

The indictment charged them with the 2015 and 2016 attacks on Ukraine’s power grid, the NotPetya wiper that caused over $10 billion in global damage, the Olympic Destroyer attack on the 2018 Winter Olympics, spear-phishing of Emmanuel Macron’s 2017 presidential campaign, attacks on Georgian companies and government bodies, and spear-phishing of the Organisation for the Prohibition of Chemical Weapons and the UK’s Defence Science and Technology Laboratory while they were investigating the Novichok poisoning in Salisbury.

That list was already extraordinary. Since 2022, it has grown significantly.

Attribution and Structure

Sandworm is tracked under multiple designations across the intelligence and security industry: APT44 (Mandiant), Voodoo Bear (CrowdStrike), IRIDIUM (Microsoft, older naming), Seashell Blizzard (Microsoft, current naming), and TeleBots (ESET, for a specific subcluster). The unit is formally designated GRU Military Unit 74455 and, according to the indictment, operates from 22 Kirova Street in Khimki, a city in the Moscow region.

It is critically important to distinguish Sandworm from APT28 (Fancy Bear, GRU Unit 26165). Both are Russian military intelligence units. Both conduct offensive cyber operations. But they are structurally separate, with different tasking, different methods, and different objectives:

                      Sandworm (Unit 74455)                     APT28 (Unit 26165)
Primary focus         Destructive and disruptive attacks        Intelligence collection and influence operations
Signature capability  ICS-targeting malware, wiper deployment   Spear-phishing, credential theft, data exfiltration
Notable operations    NotPetya, Ukraine power grid,             DNC and DCCC intrusions (2016), Bundestag (2015),
                      Olympic Destroyer                         World Anti-Doping Agency (2016)
Civilian impact       Catastrophic (NotPetya spread globally)   Primarily the targeted organisations

Two operations often placed in this comparison are contested or belong elsewhere. The 2017 phishing of the Macron campaign is attributed to Unit 26165 by several vendors but to Unit 74455 in the 2020 DOJ indictment. SolarWinds was attributed to the SVR (APT29), not to either GRU unit.

Understanding this distinction matters because the appropriate defensive posture for each threat is different. APT28 is an intelligence collection threat. Sandworm is a weapon.

The Ukraine Power Grid Attacks: A First in History

On 23 December 2015, power went out across large parts of western Ukraine. Approximately 230,000 customers lost electricity for up to six hours. The cause was not a mechanical failure. It was a coordinated cyberattack against three Ukrainian power distribution companies, executed with precision.

The attack involved multiple components: spear-phishing emails with malicious macros for initial access; the BlackEnergy 3 backdoor for persistent access and credential theft; hijacked operator VPN and remote-desktop sessions, through which the attackers opened the breakers by hand from the distribution management HMIs; firmware overwrites on serial-to-Ethernet converters to prevent remote recovery; a KillDisk component that wiped workstations and servers once the outage had started; and a telephone denial-of-service flood against the utilities’ call centres to delay the customer service response.

It was the first confirmed cyberattack to cause a power outage. No one had done it before.

Almost exactly a year later, on 17 December 2016, Sandworm attacked a transmission substation serving the Ukrainian capital, cutting power to part of Kyiv for roughly an hour. This time the weapon was more sophisticated: Industroyer (also known as CrashOverride), the first malware built specifically to interact with electricity grid control systems. It spoke the native protocols of substation automation (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) and could issue commands directly to circuit breakers without an operator at the keyboard.

Industroyer was only the second malware ever discovered that was built to manipulate physical industrial equipment directly (Stuxnet was the first), and it remains one of a small handful. Building it required deep knowledge of power grid operations, not just software engineering skill. It wasn’t written by cybercriminals. It was written by engineers who understood electricity infrastructure.

NotPetya: The Most Destructive Cyberattack in History

On 27 June 2017, a wiper masquerading as ransomware began propagating across Ukraine. Within hours it had escaped Ukraine entirely and was consuming networks across Europe, Asia, and North America. By the time it stopped, the damage assessment reached $10 billion — making it the most economically destructive cyberattack in history, a record it still holds.

NotPetya was delivered via a trojanised update to M.E.Doc, accounting software used by virtually every company doing business in Ukraine. The supply chain delivery gave it immediate access to corporate networks, and from there it spread laterally with a combination of the EternalBlue and EternalRomance SMB exploits (NSA-developed, leaked by the Shadow Brokers in April 2017) and credential theft with a Mimikatz-style tool, replaying the stolen credentials through PsExec and WMIC. The credential path meant that hosts already patched against EternalBlue were still reached once a single administrative credential had been harvested.

Unlike actual ransomware, NotPetya had no working decryption capability. The ransom demand was theatre: the “personal installation key” shown in the note was random data with no relation to any encryption key, so nothing could be recovered even if a victim paid, and the original boot sector was replaced by the malware’s own bootloader, which encrypted the Master File Table. The intent was destruction, not profit.
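As an added example (not code from the article, the malware, or any incident report) of the triage check behind that statement, the Python below classifies a raw 512-byte boot sector as intact, zeroed, damaged, or replaced. The sectors and the known-good bootstrap hash are constructed in memory; on a real engagement the baseline would come from a golden image of the same host type and the sector from a raw disk read, both hypothetical here.

```python
"""Triage a 512-byte boot sector: intact, zeroed, damaged, or replaced?

Added example, not code from the original article or from any incident report.
The sectors below are constructed in memory, and BASELINE stands in for a
bootstrap-code hash taken from a known-good image of the same host type
(a hypothetical asset-inventory value).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Return the four 16-byte MBR partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", raw[8:16])
        entries.append({"status": raw[0], "type": raw[4], "lba_start": lba_start, "sectors": sectors})
    return entries


def analyse_mbr(sector, baseline_bootcode_sha256=None):
    """Classify a boot sector.

    "zeroed":   no 0x55AA signature and almost every byte is zero (wiped outright).
    "damaged":  signature missing from non-zero data, or a partition table that
                fails sanity checks.
    "replaced": structurally valid, but the 446-byte bootstrap code does not match
                the known-good baseline: the trace left by a wiper that installs
                its own bootloader, as NotPetya did.
    "intact":   signature, table and (if given) baseline all check out.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        verdict = "zeroed" if sector.count(0) > SECTOR_SIZE - 16 else "damaged"
        return {"verdict": verdict, "findings": ["boot signature 0x55AA missing"], "bootcode_sha256": None}
    findings = []
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not used:
        findings.append("no partition entries")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{e['status']:02x}")
        if e["sectors"] == 0:
            findings.append(f"partition type 0x{e['type']:02x} has zero length")
    bootcode_hash = hashlib.sha256(sector[:446]).hexdigest()
    if findings:
        return {"verdict": "damaged", "findings": findings, "bootcode_sha256": bootcode_hash}
    if baseline_bootcode_sha256 and bootcode_hash != baseline_bootcode_sha256:
        return {"verdict": "replaced", "findings": ["bootstrap code differs from known-good baseline"],
                "bootcode_sha256": bootcode_hash}
    return {"verdict": "intact", "findings": [], "bootcode_sha256": bootcode_hash}


def make_sector(bootcode, partitions):
    """Assemble an MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\xfe\xff\xff", t, b"\xfe\xff\xff", lba, n)
                     for s, t, lba, n in partitions).ljust(64, b"\x00")
    return bootcode.ljust(446, b"\x00")[:446] + table + BOOT_SIGNATURE


# Constructed samples: a healthy two-partition layout, then two wiper outcomes.
GOOD_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100              # stand-in for real boot code
LAYOUT = [(0x80, 0x07, 2048, 1_048_576), (0x00, 0x07, 1_050_624, 200_000_000)]
GOOD_MBR = make_sector(GOOD_BOOTCODE, LAYOUT)
BASELINE = hashlib.sha256(GOOD_MBR[:446]).hexdigest()                        # would come from the golden image
ZEROED_MBR = b"\x00" * SECTOR_SIZE                                            # sector wiped outright
REPLACED_MBR = make_sector(b"\xfa\x31\xc0\x8e\xd8" + b"\xeb\xfe" * 50, LAYOUT)  # same table, foreign bootstrap

if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("zeroed", ZEROED_MBR), ("replaced", REPLACED_MBR)]:
        print(name, analyse_mbr(sector, BASELINE)["verdict"])
```

The baseline comparison is the part that matters for a NotPetya-style wiper: its malicious boot sector keeps a valid signature, so a check that only looks for 0x55AA reports the disk as healthy. Hashing the bootstrap code against a per-image baseline catches the substitution; the zero-count rule catches the cruder wipers that simply overwrite sector 0.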

The collateral damage was indiscriminate. Shipping giant Maersk lost an estimated $300 million and had to reinstall 45,000 PCs and 4,000 servers in ten days. Pharmaceutical company Merck lost $870 million. FedEx subsidiary TNT Express lost $400 million. Mondelez, Reckitt Benckiser and Nuance Communications, companies whose only link to Ukraine was a local office running M.E.Doc, were all crippled. The supply chain insertion had created a weapon that the attackers could not control once deployed.

The US, UK, Australia, Canada, New Zealand and several European governments formally attributed NotPetya to Russia’s GRU in February 2018; the EU followed with sanctions against Unit 74455 in July 2020. It remains the benchmark example of how a targeted cyberattack can cause catastrophic collateral damage across the global economy.

Olympic Destroyer and the False Flag

During the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea, the games’ IT infrastructure was attacked. The official Olympics app stopped working. Wi-Fi at the stadium went down. IPTV systems in the press centre failed. The attack was timed for maximum embarrassment.

What made Olympic Destroyer remarkable was not the attack itself but its attribution complexity. The malware was laced with false flag indicators: code that superficially resembled North Korean Lazarus Group tools, Chinese APT artefacts, and other misleading elements. Multiple attribution analyses produced conflicting conclusions in the immediate aftermath.

Detailed forensic analysis by Kaspersky and Cisco Talos eventually unpicked the deception: Kaspersky showed that the strongest “Lazarus” fingerprint, a Rich header in the binary, had been forged and planted, and the remaining indicators pointed back to Sandworm. The false flags, while sophisticated, failed against deep technical analysis, and the 2020 DOJ indictment ultimately charged Unit 74455 officers with the attack.

The episode is significant because it demonstrates a capability and willingness to invest in deception and false attribution at a level beyond most threat actors. Sandworm doesn’t just attack targets. It tries to make someone else take the blame.

2022 Onwards: Continuous War in Cyberspace

Russia’s full-scale invasion of Ukraine in February 2022 transformed Sandworm’s operational tempo. The group shifted from sporadic high-impact attacks to sustained, high-frequency offensive operations running in parallel with kinetic military action.

Industroyer2 and the April 2022 Grid Attack

In April 2022, ESET researchers and Ukraine’s Computer Emergency Response Team (CERT-UA) disrupted an attack against a Ukrainian energy provider that would have caused a second major power outage. The weapon was Industroyer2, an evolved version of the 2016 Industroyer. Where the original was a modular framework supporting four ICS protocols, Industroyer2 implemented only IEC 60870-5-104 and was compiled for its specific target: the outstation IP addresses, ASDU common addresses and information object addresses it was to command were hardcoded in the binary, which means the operators had already mapped the victim’s substation configuration before the payload was built.

Alongside Industroyer2, the attackers staged CaddyWiper against the Windows systems and a set of scripts for the non-Windows estate: ORCSHRED, a worm script that spread across the network, and the AWFULSHRED (Linux) and SOLOSHRED (Solaris) wipers, aimed at machines running SCADA-related software. The multi-component, cross-platform attack demonstrated significant operational investment in a single target.

CERT-UA detected the attack before the payload fired. The grid stayed up. But the technical sophistication of the attempt confirmed that Sandworm’s ICS capability had continued to evolve since 2016.

Continuous Wiper Campaigns

From the weeks before the invasion onward, Sandworm deployed a succession of wiper variants against Ukrainian government agencies, media organisations, financial institutions and infrastructure operators. Documented wipers from this period include:

  • WhisperGate (January 2022, pre-invasion staging; attributed by the US and UK, and in a September 2024 DOJ indictment, to a separate GRU unit, 29155, rather than to Sandworm)
  • HermeticWiper (February 2022, invasion day)
  • IsaacWiper (February 2022)
  • CaddyWiper (March 2022, multiple deployments)
  • Prestige (October 2022, targeting logistics and transportation in Poland and Ukraine)
  • RansomBoggs (November 2022, destructive ransomware-themed wiper)

The pace of novel malware development is notable. Most threat actors reuse tools extensively. Sandworm’s continuous production of new wiper variants suggests either significant development resources or a deliberate strategy of tool rotation to evade signature-based detection — or both.

Targeting Beyond Ukraine

Mandiant’s April 2024 APT44 report documented Sandworm’s targeting scope extending significantly beyond Ukraine. Confirmed or highly probable operations have included:

  • Georgia: intrusions against government and media during periods of political tension
  • Poland: the Prestige ransomware campaign targeted Polish logistics companies alongside Ukrainian ones
  • Baltic states: preparatory reconnaissance consistent with pre-positioning activity
  • US and European critical infrastructure: Mandiant links APT44 to the “CyberArmyofRussia_Reborn” hacktivist persona, which in early 2024 posted video of itself manipulating the HMIs of small water utilities in the US and Europe, and multiple Five Eyes agencies assess that the group is interested in pre-positioning within Western CNI

Sandworm is not exclusively a Ukraine-focused actor. Ukraine is the primary theatre, but the group’s remit appears to encompass any target that serves Russian strategic interests.

Technical Capabilities

ICS Malware Development

Sandworm’s most distinctive capability, and one that very few other threat actors have demonstrated, is its ability to develop malware that directly interacts with industrial control systems. Building tools like Industroyer and Industroyer2 requires engineers who understand power grid operations at a deep level. Criminal groups have not shown this capability, and only a small number of state actors have.

The implication for Western critical infrastructure operators is direct. If Sandworm has the capability to target Ukrainian power grids, the same capability applies to European, British, and North American grid infrastructure. The ICS protocols Industroyer supports — IEC 60870-5-101, IEC 60870-5-104, IEC 61850 — are the same protocols used in power substations globally.

Living-off-the-Land and IT Infrastructure Targeting

Prior to ICS operations, Sandworm conducts extensive IT network compromise using methods consistent with other advanced threat actors: spear-phishing for initial access, exploitation of internet-facing applications and VPN devices, credential harvesting via Mimikatz and similar tools, lateral movement via PsExec and legitimate remote access tools, and persistence through web shells on compromised servers.

The 2020 DOJ indictment specifically referenced the group’s exploitation of Microsoft Office vulnerability CVE-2017-0199, deployment of web shells (including the P.A.S. and P0wnyshell web shells), and use of Tor for operational security.
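As an added example (not code from the indictment, the article, or any vendor), the Python below scores PHP files for the traits of the P.A.S. family (a password gate followed by eval of a gzinflate/base64-decoded blob) and of one-file command shells like P0wnyshell (request parameters passed straight to shell_exec). The indicator weights, the threshold and the three sample files are constructed for illustration, not tuned detection content.

```python
"""Score PHP files for web-shell indicators of the kind Sandworm has used (P.A.S., P0wnyshell).

Added example, not code from the original article or from any vendor: the
indicator list, weights, threshold and sample files are constructed for
illustration. Treat the threshold as a hypothetical starting point.
"""
import re
from pathlib import Path

# Each indicator: (name, compiled regex, weight). P.A.S.-style shells are password
# gated, then gzinflate/base64-decode a large blob and eval it; P0wnyshell-style
# shells pass attacker input straight to a command-execution function.
INDICATORS = [
    ("eval of decoded blob", re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I), 5),
    ("command execution", re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I), 3),
    ("request input to exec", re.compile(r"(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I), 5),
    ("dynamic function call", re.compile(r"\$[a-z_]\w*\s*\(\s*\$_(?:GET|POST|REQUEST)", re.I), 4),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 4),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3),
    ("password gate", re.compile(r"md5\s*\(\s*\$_(?:POST|COOKIE|REQUEST)", re.I), 2),
]


def score_source(source):
    """Return (score, [indicator names]) for one PHP source string."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(source)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def scan_webroot(root, threshold=6, extensions=(".php", ".phtml", ".php5")):
    """Walk a web root and return suspicious files sorted by score, highest first."""
    base = Path(root)
    results = []
    for path in base.rglob("*"):
        if path.suffix.lower() not in extensions or not path.is_file():
            continue
        score, names = score_source(path.read_text(encoding="utf-8", errors="replace"))
        if score >= threshold:
            results.append({"path": path.relative_to(base).as_posix(), "score": score, "indicators": names})
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed samples: a P.A.S.-style dropper, a P0wnyshell-style shell, and a benign page.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": (
        "<?php if (md5($_POST['pass']) != '5f4dcc3b5aa765d61d8327deb882cf99') exit;\n"
        "eval(gzinflate(base64_decode('" + "QUFB" * 80 + "'))); ?>"
    ),
    "images/p0wny.php": (
        "<?php header('Content-Type: text/plain');\n"
        "if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd'] . ' 2>&1'); } ?>"
    ),
    "index.php": "<?php require 'vendor/autoload.php'; echo render($page, $_GET['id'] ?? 1); ?>",
}


def write_samples(root):
    """Materialise the constructed samples under root so scan_webroot can walk them."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def scan_samples():
    """Write the samples to a temporary web root, scan it, and return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['score']:2d} {r['path']}: {', '.join(r['indicators'])}")
```

Scoring rather than single-pattern matching is deliberate: base64 literals and shell_exec each appear in legitimate code, but a password gate, an eval of a decoded blob and a 300-character literal in one file under an uploads directory rarely do. Pair the scan with file modification times and web server access logs (a POST to a freshly created PHP file is the other half of the picture).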

Supply Chain Attacks

NotPetya established Sandworm as the reference case for supply chain attacks at scale. The M.E.Doc compromise was not the only instance. Subsequent research has identified Sandworm involvement in supply chain compromises of Ukrainian software vendors, government portals, and update mechanisms. The group understands that compromising the distribution mechanism is more efficient than compromising individual targets.

What This Means for Defenders

The Wiper Threat to Non-Ukrainian Targets

NotPetya was not the last time a Sandworm operation reached organisations outside Ukraine. The Prestige ransomware campaign deliberately hit Polish logistics companies moving goods into Ukraine. Any organisation with operational connections to Ukraine (logistics chains, financial relationships, shared service providers) faces a real risk of being targeted directly or caught as collateral.

Organisations should ensure that their incident response and backup procedures explicitly cover wiper scenarios, not just ransomware scenarios. A wiper doesn’t encrypt — it destroys. There is no key to recover. Immutable, offline backups that cannot be reached from a domain-joined network are the only reliable recovery mechanism.

OT/ICS Security in the Industroyer Context

Every electric utility operator, water treatment facility, and industrial operator in a NATO country should treat Industroyer as a reference threat when assessing their OT security posture. The specific question is not “could we detect a novel ICS malware” — you probably couldn’t, initially. The question is:

  1. Could an attacker traverse from your IT network to your OT network? If yes, this is the most urgent gap to close.
  2. If they reached your OT network, would they have the network access needed to send commands to field devices? Network segmentation and conduit controls (IEC 62443 zone model) address this.
  3. Do you have out-of-band monitoring of physical process variables that would detect unauthorised commands without relying on the OT network? Process monitoring independent of IT/OT connected systems is increasingly considered baseline for high-criticality CNI.
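To make the second question concrete, here is an added example (not code from the article, from ESET, or from any vendor product) in Python that builds and decodes the IEC 60870-5-104 single-command frames of the kind Industroyer and Industroyer2 issued, then runs a passive detector over constructed traffic: it alerts on any control-direction activation from a host that is not an approved SCADA master, and on any single host commanding many distinct points, the mass-switching pattern of a grid attack. The IP addresses, information object addresses and the bulk threshold are hypothetical.

```python
"""Decode IEC 60870-5-104 frames and flag breaker commands from unexpected sources.

Added example, not code from the original article or from any vendor: the frames,
IP addresses, IOAs and master allowlist below are constructed for illustration.
"""
import struct

# Control-direction ASDU types (IEC 60870-5-101 type identifiers). Industroyer2
# spoke IEC-104 and changed the state of outputs with commands from this family.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
}
COT_ACTIVATION = 6          # cause of transmission: activation (master -> outstation)


def build_single_command(ioa, on, common_addr=1, cot=COT_ACTIVATION, ns=0, nr=0, select=False):
    """Encode an I-format APDU carrying one C_SC_NA_1 (type 45) single command."""
    sco = (1 if on else 0) | (0x80 if select else 0)            # SCS = bit 0, S/E = bit 7
    asdu = struct.pack("<BBBBH", 45, 1, cot, 0, common_addr)    # type, VSQ (1 object), COT, originator, CA
    asdu += ioa.to_bytes(3, "little") + bytes([sco])            # 3-byte IOA + single command octet
    control = struct.pack("<HH", ns << 1, nr << 1)              # I-format: bit 0 of octet 1 is 0
    body = control + asdu
    return bytes([0x68, len(body)]) + body                      # start byte + APDU length


def parse_apdu(frame):
    """Return the header and first object of an I-format APDU, or None for S/U frames or junk."""
    if len(frame) < 15 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:                                         # S-format (01) or U-format (11): no ASDU
        return None
    type_id, vsq, cot, originator, ca = struct.unpack("<BBBBH", frame[6:12])
    return {
        "type_id": type_id,
        "count": vsq & 0x7F,
        "cot": cot & 0x3F,                                      # low 6 bits; bit 6 = P/N, bit 7 = test
        "test": bool(cot & 0x80),
        "common_addr": ca,
        "ioa": int.from_bytes(frame[12:15], "little"),
        "element": frame[15] if len(frame) > 15 else None,
    }


def flag_unauthorised_controls(packets, allowed_masters, bulk_threshold=3):
    """Passive detection over (src_ip, dst_ip, payload) tuples from a span port or tap.

    Alerts on (a) any control-direction activation from a source that is not an
    approved SCADA master, and (b) any single source commanding at least
    bulk_threshold distinct points, the mass-switching pattern of a grid attack.
    The threshold is a hypothetical value; tune it to the site's normal operator behaviour.
    """
    alerts, per_source = [], {}
    for src, dst, payload in packets:
        a = parse_apdu(payload)
        if a is None or a["type_id"] not in CONTROL_TYPES or a["cot"] != COT_ACTIVATION:
            continue                                            # monitoring data, confirmations, S/U frames
        if src not in allowed_masters:
            alerts.append({"rule": "control from unapproved source", "src": src, "dst": dst,
                           "type": CONTROL_TYPES[a["type_id"]], "ioa": a["ioa"], "element": a["element"]})
        per_source.setdefault(src, set()).add((dst, a["common_addr"], a["ioa"]))
    for src, targets in per_source.items():
        if len(targets) >= bulk_threshold:
            alerts.append({"rule": "bulk switching", "src": src, "targets": len(targets)})
    return alerts


# Constructed traffic: one approved HMI, one rogue host, and an outstation confirming.
HMI, ROGUE, RTU = "10.10.1.5", "10.10.1.77", "10.20.0.10"
SAMPLE_PACKETS = [
    (HMI, RTU, build_single_command(1001, on=True)),                       # operator closes a breaker
    (RTU, HMI, build_single_command(1001, on=True, cot=7)),                # activation confirmation (ignored)
    (HMI, RTU, bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])),              # S-format acknowledgement (ignored)
    (ROGUE, RTU, build_single_command(2001, on=False, select=True)),       # rogue select
    (ROGUE, RTU, build_single_command(2001, on=False)),                    # rogue execute
    (ROGUE, RTU, build_single_command(2002, on=False)),
    (ROGUE, RTU, build_single_command(2003, on=False)),
]

if __name__ == "__main__":
    for alert in flag_unauthorised_controls(SAMPLE_PACKETS, allowed_masters={HMI}):
        print(alert)
```

The allowlist rule does not depend on recognising the malware, only on knowing which hosts are permitted to command field devices, which is exactly the inventory that question 2 asks for. IEC-104 has no authentication, so the protocol itself cannot tell a rogue master from a real one; the network position of the sender, and the pattern of what it commands, is the evidence available.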

The False Flag Problem

Olympic Destroyer demonstrated that Sandworm is willing to invest significant effort in misdirecting attribution. Incident responders and threat intelligence analysts should treat initial attribution of destructive attacks with appropriate scepticism, and prioritise containment and recovery over rapid attribution during a live incident.

Assessment

Sandworm is assessed by Mandiant, the UK NCSC and other Western agencies as one of the most dangerous offensive cyber actors currently operating. Not the most prolific: that is probably China’s various espionage clusters. Not the most financially motivated: that is the ransomware ecosystem. But among the most dangerous in terms of capability combined with a demonstrated willingness to cause catastrophic, indiscriminate harm.

The 2015 and 2016 power grid attacks, NotPetya, Olympic Destroyer and the sustained wiper campaigns since 2022 collectively constitute a body of destructive cyber operations that no other actor comes close to matching. The group’s ICS capabilities and its demonstrated willingness to cause civilian harm, most plainly by cutting power to hundreds of thousands of people in the depth of a Ukrainian winter, place it in a different category.

For Western critical infrastructure operators, the operational lesson from nearly a decade of documented Sandworm activity is unambiguous: the threat to OT/ICS environments from state-sponsored actors is real, has been demonstrated repeatedly in a real-world conflict, and the technical capability developed against Ukrainian targets is portable. The question is not whether Sandworm or a group with comparable capability could target your infrastructure. The question is whether you would know before the lights went out.