Sandworm (hacker group)

Sandworm also known as Unit 74455, is allegedly a Russian cybermilitary unit of the GRU, the organization in charge of Russian military intelligence.[1] Other names, given by cybersecurity researchers, include Telebots, Voodoo Bear, and Iron Viking.[2]

Formationc. 2004–2007[1]
TypeAdvanced persistent threat
PurposeCyberespionage, cyberwarfare
Headquarters22 Kirova Street
Khimki, Russia
MethodsZero-days, spearphishing, malware
Official language
Parent organization
AffiliationsFancy Bear
Formerly called
Voodoo Bear
Iron Viking

The team is believed to be behind the December 2015 Ukraine power grid cyberattack,[3][4][5] the 2017 cyberattacks on Ukraine using the NotPetya malware,[6] various interference efforts in the 2017 French presidential election,[2] and the cyberattack on the 2018 Winter Olympics opening ceremony.[7][8] Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."[2]

On October 19, 2020 a US-based grand jury released an indictment charging six alleged Unit 74455 officers with cybercrimes.[9][10][11] The officers, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), were all individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spearphishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia.[2]

In February 2022, Sandworm allegedly released the Cyclops Blink as malware. The malware is similar to VPNFilter.[12] The malware allows a botnet to be constructed, and affects Asus routers and WatchGuard Firebox and XTM appliances. CISA issued a warning about this malware.[13]

In April 2022, Sandworm attempted a blackout in Ukraine.[14] It is said to be the first attack in five years to use an Industroyer malware variant called Industroyer2.[15]

See alsoEdit


  1. ^ Greenberg, Andy (2019). Sandworm: a new era of cyberwar and the hunt for the Kremlin's most dangerous hackers. Knopf Doubleday. ISBN 978-0-385-54441-2.
  2. ^ a b c d "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace". DOJ Office of Public Affairs. United States Department of Justice. October 19, 2020. Retrieved July 23, 2021.
  3. ^ "Hackers shut down Ukraine power grid". 5 January 2016. Retrieved 2020-10-28.
  4. ^ Volz, Dustin (25 February 2016). "U.S. government concludes cyber attack caused Ukraine power outage". Reuters. Retrieved 2020-10-28.
  5. ^ Hern, Alex (7 January 2016). "Ukrainian blackout caused by hackers that attacked media company, researchers say". The Guardian. ISSN 0261-3077. Retrieved 2020-10-28.
  6. ^ "The Untold Story of NotPetya, the Most Devastating Cyberattack in History". Wired. ISSN 1059-1028. Retrieved 2020-10-28.
  7. ^ Greenberg, Andy. "Inside Olympic Destroyer, the Most Deceptive Hack in History". Wired. ISSN 1059-1028. Retrieved 2020-10-28.
  8. ^ Andrew S. Bowen (November 24, 2020). Russian Military Intelligence: Background and Issues for Congress (PDF) (Report). Congressional Research Service. p. 16. Retrieved July 21, 2021.
  9. ^ Cimpanu, Catalin. "US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks". ZDNet. Retrieved 2020-10-28.
  10. ^ "Russian cyber-attack spree shows what unrestrained internet warfare looks like". The Guardian. 19 October 2020. Retrieved 2020-10-28.
  11. ^ "US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit". Wired. ISSN 1059-1028. Retrieved 2020-10-28.
  12. ^ Hardcastle, Jessica Lyons. "Cyclops Blink malware sets up shop in ASUS routers". Retrieved 2022-03-21.
  13. ^ "CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA". Retrieved 2022-04-13.
  14. ^ Greenberg, Andy. "Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine". Wired. ISSN 1059-1028. Retrieved 2022-04-13.
  15. ^ "Industroyer2: Industroyer reloaded". Retrieved 2022-04-13.

External linksEdit