Sandworm

Sandworm is a Russian state-sponsored threat actor linked to Russia’s military intelligence service GRU, including references to Unit 74455, and is also tracked as APT44, Seashell Blizzard, Electrum, TeleBots, BlackEnergy, Voodoo Bear, Iridium, Iron Viking, Blue Echidna, FrozenBarents, and UAC-0113. Multiple sources in the content describe Sandworm as an offensive Russian cyber sabotage unit responsible for espionage, disruptive, destructive, and influence operations. The group has heavily targeted Ukraine for years, especially government, military, media, energy, aviation, and other critical infrastructure entities, and has also targeted organizations in Poland, Kazakhstan, Russia, France, Georgia, South Korea, and broader NATO-linked contexts. Reported activity includes the 2015 Ukraine power grid attack using BLACKENERGY 3; the 2016 Ukraine Electric Power Attack; the 2017 NotPetya attack; the 2018 Pyeongchang Olympics attack; the 2022 attempted disruption of a Ukrainian energy company using Industroyer2 and the wipers CaddyWiper, Orcshred, Soloshred, and Awfulshred; exploitation associated with Cyclops Blink; a Centreon-related intrusion campaign affecting French entities in which ANSSI found P.A.S. webshell and Exaramel; targeting of Ukrainian media via suspected Follina exploitation delivering CrescentImp; targeting of Ukrainian soldiers via fake Army+ sites attributed to UAC-0125; and a December 2025 destructive incident affecting a Polish energy company attributed with medium confidence. The content states Sandworm has repeatedly targeted Western electoral systems and institutions, attempted to interfere with democratic processes, conducted credential theft against Exim, Zimbra, and Exchange mail environments since at least 2019, and targeted journalists and investigative organizations including OPCW and Bellingcat. Observed Sandworm tradecraft in the content includes spearphishing; exploitation of known vulnerabilities including CVE-2014-4114, CVE-2014-6352, CVE-2022-30190, and CVE-2025-8088; use of trojanized installers and compromised software update mechanisms; LDAP queries against Active Directory for computer discovery; remote system discovery over LAN; WMI and Impacket WMIexec for remote code execution and queries; PowerShell for in-memory credential harvesting and destructive deployment; xp_cmdshell in MS-SQL; scheduled tasks and registry abuse; exfiltration of internal documents and files; deletion of attack files from infected systems; HTTP-based C2; use of Telegram Bot API and legitimate M.E.Doc update requests for command and control; hosting payloads on putdrive.com; base64 encoding and HTML tags in BCS-server C2 traffic; use of Cloudflare Workers in lures; and defense evasion such as lowering in-registry internet security settings and disguising malware as explorer.exe. The content also states Sandworm has used open-source and commercial tooling including Invoke-PSImage, Impacket, RemoteExec, Empire, Cobalt Strike, and PoshC2, and has used CredRaptor to collect saved passwords from internet browsers. Sandworm has used Prestige to delete backup catalogs and volume shadow copies. The content further notes BlackEnergy offshoots GreyEnergy and TeleBots, with TeleBots associated with NotPetya and GreyEnergy described as a successor subgroup targeting critical infrastructure in Central and Eastern Europe.