Threat Actor Profile Sandworm

Sandworm, also commonly referred to as IRIDIUM, Sandworm Team, Voodoo Bear or Telebots, is a Russian state-sponsored advanced strategic threat group responsible for some of the most destructive cyber-attacks around the world. They are believed to operate with the aim of advancing Russia’s geopolitical position by conducting destruction-, sabotage- and espionage-based cyber operations. They are known to target energy infrastructure, transportation systems, telecommunication services, government organizations, and more. Their focus has been on Eastern nations of strategic importance to Russia, such as Georgia and Ukraine, although some of their attacks have had worldwide reach. The group has been labeled one of the most dangerous APT groups in the world, which is why it is crucial to understand its background, motivations and techniques in order to prepare companies and institutions for possible future attacks.


  • Aliases: Seashell Blizzard, Sandworm, Quedagh, VOODOO BEAR, TEMP.Noble, IRON VIKING, G0034, ELECTRUM, TeleBots, IRIDIUM, Blue Echidna, FROZENBARENTS, UAC-0113, UAC-0082, Sandworm Team, CTG-7263, ATK 14, BE2, BlackEnergy (Group)
  • Strategic motives: Destruction, Espionage, Sabotage
  • Affiliation: Russian Main Intelligence Directorate (GRU)
  • Cyber capabilities: ★★★★☆
  • Target sectors: Energy, Telecommunications, Government
  • Observed countries: 60+, including Azerbaijan, Belarus, Denmark, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, Russia, Ukraine, Netherlands

Origins, Motivations & Targets

Sandworm is confirmed to have been operating since 2009, although it is believed that (members of) the group were already involved in cyber-attacks during the Russian-Georgian war in 2008. Moreover, they are known to deploy the malware BlackEnergy Lite, whose origins have been traced back to DDoS attacks in 2007. The name Sandworm, by which the group is best known, was given by researchers at iSIGHT after their 2014 discovery of hidden references to the 1965 sci-fi novel Dune in the group’s code. It is generally accepted that Sandworm operates within Unit 74455 of the Main Intelligence Directorate of the Russian Federation, effectively acting as Russia’s cyber military unit. This state affiliation ensures the group’s access to resources and guarantees impunity for its members as long as they remain on Russian-controlled territory.

As stated previously, the group generally focuses on Eastern regions, particularly countries that carry geopolitical relevance to Russia. This includes countries that used to belong to the Soviet bloc, such as Georgia, Lithuania, Poland, or Ukraine. This tendency, however, is not exclusive: they attempted to interfere with the 2017 French elections and have carried out campaigns with worldwide effects. Sandworm targets a variety of sectors as long as the attack produces an outcome aligned with Russian state interests. Their most well-known activities involved the energy sector, the financial sector, governmental agencies, and telecommunication networks.


SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Significant resources available from the Russian state
  • Advanced level and speed to develop new tools
  • No fear from criminal prosecution

Weaknesses

  • Actual effects of their attacks are fairly limited
  • Difficulties carrying out long-term attacks

Opportunities

  • Chances for further development to maintain access for a longer period of time in order to gain strategic advantage
  • Opportunities to further develop and utilize their tools during the Russia-Ukraine conflict

Threats

  • Increased attention on Russian activity in general
  • Ongoing criminal proceedings against members


Sandworm in the Netherlands

Sandworm had been focusing on geopolitically relevant Eastern countries before 2017, so the Netherlands was not an obvious target. This, however, changed with the launch of the global NotPetya attacks, which affected several Dutch companies, including container terminal operator APM, pharmaceutical company MSD, and delivery company TNT. It is (publicly) unknown exactly how much damage these companies suffered.

Then in 2022, the geopolitical landscape changed. Shortly after Russia invaded Ukraine, the Dutch military intelligence agency MIVD detected Sandworm activity in the Netherlands. Thousands of routers in Dutch homes and businesses had been compromised in what the MIVD believes was a botnet operation by Sandworm.

Trends

Due to the inherently international nature of the operations of state-sponsored APT groups, it is extremely rare that individuals are held responsible. Hacking is driven by constant innovation, and legal procedures to establish criminal liability are often too slow and not well-equipped to address rapidly evolving technology and operations that cross many jurisdictions. Even so, Sandworm has caused substantial damage and gained enough international attention that a case against them was initiated. This resulted in the 2020 indictment of six Sandworm members by a Pennsylvania grand jury on seven counts. The US Department of Justice charged the members under a number of Title 18 violations, such as conspiracy, wire fraud, identity theft, and more.

The indictment cites multiple large-scale attacks committed by Sandworm during the 2015-2019 time period. These include the Ukrainian power grid attacks in 2015 and 2016, the spearphishing campaign targeting Macron’s campaign during the 2017 French election, the worldwide NotPetya attacks in 2017, the destructive action during the 2018 Winter Olympics, the 2018 attacks targeting the Organisation for the Prohibition of Chemical Weapons and the 2018 and 2019 attacks against Georgian organisations.

This indictment is impactful not only from a justice point of view, but also because it is one of the rare occasions on which, due to lenient privacy regulations in the United States, the global public gets to know the names and faces behind the malicious activities committed by APT groups. The defendants all belong to Unit 74455 of the GRU – also known as Sandworm. The identified and charged members are: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin.
