Threat Actor Profile Sandworm
Sandworm, also commonly referred to as IRIDIUM, Sandworm Team, Voodoo Bear or Telebots, is a Russian state-sponsored advanced strategic threat group responsible for some of the most destructive cyber-attacks around the world. The group is believed to operate with the aim of advancing Russia’s geopolitical position by conducting destruction-, sabotage-, and espionage-based cyber operations. It is known to target energy infrastructure, transportation systems, telecommunication services, government organizations, and more. Its focus has been on Eastern nations of strategic importance to Russia, such as Georgia and Ukraine, although some of its attacks have had worldwide reach. The group has been labeled one of the most dangerous APT groups in the world, which is why it is crucial to understand its background, motivations and techniques in order to prepare companies and institutions for possible future attacks.
- Aliases: Seashell Blizzard, Sandworm, Quedagh, VOODOO BEAR, TEMP.Noble, IRON VIKING, G0034, ELECTRUM, TeleBots, IRIDIUM, Blue Echidna, FROZENBARENTS, UAC-0113, UAC-0082, Sandworm Team, CTG-7263, ATK 14, BE2, BlackEnergy (Group)
- Strategic motives: Destruction, Espionage, Sabotage
- Affiliation: Russian Main Intelligence Directorate (GRU)
- Cyber capabilities: ★★★★☆
- Target sectors: Energy, Telecommunications, Government
- Observed countries: 60+, including Azerbaijan, Belarus, Denmark, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, Russia, Ukraine, Netherlands
Origins, Motivations & Targets
Sandworm is confirmed to have been operating since 2009, although (members of) the group are believed to have already been involved in cyber-attacks during the Russian-Georgian war in 2008. Moreover, the group is known to deploy the malware BlackEnergy Lite, whose origins trace back to DDoS attacks in 2007. The name Sandworm, by which the group is best known, was given by researchers at iSIGHT after their 2014 discovery of hidden references to the 1965 sci-fi novel Dune in the group’s code. It is generally accepted that Sandworm operates within Unit 74455 of the Main Intelligence Directorate of the Russian Federation, effectively acting as Russia’s cyber military unit. This state affiliation ensures the group’s access to resources and guarantees impunity for its members as long as they remain on Russian-controlled territory.
As stated previously, the group generally focuses on Eastern regions, particularly countries that carry geopolitical relevance to Russia. This includes countries that used to belong to the Soviet bloc, such as Georgia, Lithuania, Poland, or Ukraine. This tendency is not exclusive, however: the group attempted to interfere with the 2017 French elections and has carried out campaigns with worldwide effects. Sandworm targets a variety of sectors as long as the attack produces an outcome that aligns with Russian state interests. Its most well-known activities involved the energy sector, the financial sector, governmental agencies, and telecommunication networks.
SWOT analysis
Strengths, weaknesses, opportunities & threats
Strengths
- Significant resources available from the Russian state
- Advanced level and speed to develop new tools
- No fear of criminal prosecution
Weaknesses
- Actual effects of their attacks are fairly limited
- Difficulties carrying out long-term attacks
Opportunities
- Chances for further development to maintain access for a longer period of time in order to gain strategic advantage
- Opportunities to further develop and utilize their tools during the Russia-Ukraine conflict
Threats
- Increased attention on Russian activity in general
- Ongoing criminal proceedings against members
Sandworm in the Netherlands
Before 2017, Sandworm had focused on geopolitically relevant Eastern countries, so the Netherlands was not an obvious target. This changed with the launch of the global NotPetya attack, which affected several Dutch companies, including container terminal operator APM, pharmaceutical company MSD, and delivery company TNT. It is (publicly) unknown exactly how much damage these companies suffered.
Then in 2022, the geopolitical landscape changed. Shortly after Russia invaded Ukraine, the Dutch military intelligence agency MIVD detected Sandworm activity in the Netherlands. Thousands of routers in Dutch homes and businesses had been compromised in what the MIVD believes was a botnet operation by Sandworm.
Trends
This indictment is impactful not only from a justice point of view, but also because it is one of the rare occasions on which, due to lenient privacy regulations in the United States, the global public gets to know the names and faces behind the malicious activities committed by APT groups. The defendants all belong to Unit 74455 of the GRU, also known as Sandworm. The identified and charged members are: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin.