Threat Actor Profile
High APT
Description

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)

Confidence Score
90%
Known Aliases
Sandworm Team, ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (79)
Collection
  T1005 - Data from Local System
  T1056.001 - Keylogging
  T1213.006 - Databases
Command and Control
  T1071.001 - Web Protocols
  T1090 - Proxy
  T1102.002 - Bidirectional Communication
  T1105 - Ingress Tool Transfer
  T1132.001 - Standard Encoding
  T1219 - Remote Access Tools
  T1571 - Non-Standard Port
Credential Access
  T1003.001 - LSASS Memory
  T1003.003 - NTDS
  T1040 - Network Sniffing
  T1539 - Steal Web Session Cookie
  T1555.003 - Credentials from Web Browsers
Defense Evasion
  T1027 - Obfuscated Files or Information
  T1027.010 - Command Obfuscation
  T1036 - Masquerading
  T1036.005 - Match Legitimate Resource Name or Locat…
  T1070.004 - File Deletion
  T1078 - Valid Accounts
  T1078.002 - Domain Accounts
  T1140 - Deobfuscate/Decode Files or Information
  T1218.011 - Rundll32
Discovery
  T1018 - Remote System Discovery
  T1033 - System Owner/User Discovery
  T1049 - System Network Connections Discovery
  T1082 - System Information Discovery
  T1083 - File and Directory Discovery
  T1087.002 - Domain Account
  T1087.003 - Email Account
Execution
  T1047 - Windows Management Instrumentation
  T1053.005 - Scheduled Task
  T1059.001 - PowerShell
  T1059.005 - Visual Basic
  T1072 - Software Deployment Tools
  T1106 - Native API
  T1203 - Exploitation for Client Execution
  T1204.001 - Malicious Link
  T1204.002 - Malicious File
Exfiltration
  T1041 - Exfiltration Over C2 Channel
Impact
  T1485 - Data Destruction
  T1486 - Data Encrypted for Impact
  T1489 - Service Stop
  T1490 - Inhibit System Recovery
  T1491.002 - External Defacement
  T1499 - Endpoint Denial of Service
  T1561.002 - Disk Structure Wipe
Initial Access
  T1190 - Exploit Public-Facing Application
  T1195 - Supply Chain Compromise
  T1195.002 - Compromise Software Supply Chain
  T1199 - Trusted Relationship
  T1566.001 - Spearphishing Attachment
  T1566.002 - Spearphishing Link
Lateral Movement
  T1021.002 - SMB/Windows Admin Shares
  T1570 - Lateral Tool Transfer
Persistence
  T1133 - External Remote Services
  T1505.003 - Web Shell
Reconnaissance
  T1589.002 - Email Addresses
  T1589.003 - Employee Names
  T1590.001 - Domain Properties
  T1591.002 - Business Relationships
  T1592.002 - Software
  T1593 - Search Open Websites/Domains
  T1594 - Search Victim-Owned Websites
  T1595.002 - Vulnerability Scanning
  T1598.003 - Spearphishing Link
Resource Development
  T1583 - Acquire Infrastructure
  T1583.001 - Domains
  T1583.004 - Server
  T1584.004 - Server
  T1584.005 - Botnet
  T1585.001 - Social Media Accounts
  T1585.002 - Email Accounts
  T1586.001 - Social Media Accounts
  T1587.001 - Malware
  T1588.002 - Tool
  T1588.006 - Vulnerabilities
  T1608.001 - Upload Malware
STIX Data
{'aliases': ['Sandworm Team',
             'ELECTRUM',
             'Telebots',
             'IRON VIKING',
             'BlackEnergy (Group)',
             'Quedagh',
             'Voodoo Bear',
             'IRIDIUM',
             'Seashell Blizzard',
             'FROZENBARENTS',
             'APT44'],
 'created': '2017-05-31T21:32:04.588Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Sandworm Team](https://attack.mitre.org/groups/G0034) is a '
                "destructive threat group that has been attributed to Russia's "
                'General Staff Main Intelligence Directorate (GRU) Main Center '
                'for Special Technologies (GTsST) military unit '
                '74455.(Citation: US District Court Indictment GRU Unit 74455 '
                'October 2020)(Citation: UK NCSC Olympic Attacks October 2020) '
                'This group has been active since at least 2009.(Citation: '
                'iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO '
                'BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC '
                'Sandworm Feb 2020)\n'
                '\n'
                'In October 2020, the US indicted six GRU Unit 74455 officers '
                'associated with [Sandworm '
                'Team](https://attack.mitre.org/groups/G0034) for the '
                'following cyber operations: the 2015 and 2016 attacks against '
                'Ukrainian electrical companies and government organizations, '
                'the 2017 worldwide '
                '[NotPetya](https://attack.mitre.org/software/S0368) attack, '
                'targeting of the 2017 French presidential campaign, the 2018 '
                '[Olympic Destroyer](https://attack.mitre.org/software/S0365) '
                'attack against the Winter Olympic Games, the 2018 operation '
                'against the Organisation for the Prohibition of Chemical '
                'Weapons, and attacks against the country of Georgia in 2018 '
                'and 2019.(Citation: US District Court Indictment GRU Unit '
                '74455 October 2020)(Citation: UK NCSC Olympic Attacks October '
                '2020) Some of these were conducted with the assistance of GRU '
                'Unit 26165, which is also referred to as '
                '[APT28](https://attack.mitre.org/groups/G0007).(Citation: US '
                'District Court Indictment GRU Oct 2018)',
 'external_references': [{'external_id': 'G0034',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0034'},
                         {'description': '(Citation: CrowdStrike VOODOO '
                                         'BEAR)(Citation: US District Court '
                                         'Indictment GRU Unit 74455 October '
                                         '2020)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'Voodoo Bear'},
                         {'description': '(Citation: Dragos '
                                         'ELECTRUM)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'ELECTRUM'},
                         {'description': '(Citation: iSIGHT Sandworm 2014) '
                                         '(Citation: F-Secure BlackEnergy '
                                         '2014) (Citation: InfoSecurity '
                                         'Sandworm Oct 2014)(Citation: US '
                                         'District Court Indictment GRU Unit '
                                         '74455 October 2020)(Citation: UK '
                                         'NCSC Olympic Attacks October 2020)',
                          'source_name': 'Sandworm Team'},
                         {'description': '(Citation: iSIGHT Sandworm 2014) '
                                         '(Citation: F-Secure BlackEnergy '
                                         '2014)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'Quedagh'},
                         {'description': '(Citation: Leonard TAG 2023)',
                          'source_name': 'FROZENBARENTS'},
                         {'description': '(Citation: '
                                         'mandiant_apt44_unearthing_sandworm)',
                          'source_name': 'APT44'},
                         {'description': '(Citation: Microsoft Prestige '
                                         'ransomware October 2022)',
                          'source_name': 'IRIDIUM'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Seashell Blizzard'},
                         {'description': '(Citation: NCSC Sandworm Feb '
                                         '2020)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'BlackEnergy (Group)'},
                         {'description': '(Citation: NCSC Sandworm Feb '
                                         '2020)(Citation: US District Court '
                                         'Indictment GRU Unit 74455 October '
                                         '2020)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'Telebots'},
                         {'description': '(Citation: Secureworks IRON VIKING '
                                         ')(Citation: US District Court '
                                         'Indictment GRU Unit 74455 October '
                                         '2020)(Citation: UK NCSC Olympic '
                                         'Attacks October 2020)',
                          'source_name': 'IRON VIKING'},
                         {'description': 'Billy Leonard. (2023, April 19). '
                                         'Ukraine remains Russia’s biggest '
                                         'cyber focus in 2023. Retrieved March '
                                         '1, 2024.',
                          'source_name': 'Leonard TAG 2023',
                          'url': 'https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/'},
                         {'description': 'Brady, S . (2018, October 3). '
                                         'Indictment - United States vs '
                                         'Aleksei Sergeyevich Morenets, et '
                                         'al.. Retrieved October 1, 2020.',
                          'source_name': 'US District Court Indictment GRU Oct '
                                         '2018',
                          'url': 'https://www.justice.gov/opa/page/file/1098481/download'},
                         {'description': 'Dragos. (2017, January 1). ELECTRUM '
                                         'Threat Profile. Retrieved June 10, '
                                         '2020.',
                          'source_name': 'Dragos ELECTRUM',
                          'url': 'https://www.dragos.com/resource/electrum/'},
                         {'description': 'F-Secure Labs. (2014). BlackEnergy & '
                                         'Quedagh: The convergence of '
                                         'crimeware and APT attacks. Retrieved '
                                         'March 24, 2016.',
                          'source_name': 'F-Secure BlackEnergy 2014',
                          'url': 'https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf'},
                         {'description': 'Hultquist, J.. (2016, January 7). '
                                         'Sandworm Team and the Ukrainian '
                                         'Power Authority Attacks. Retrieved '
                                         'October 6, 2017.',
                          'source_name': 'iSIGHT Sandworm 2014',
                          'url': 'https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html'},
                         {'description': 'Meyers, A. (2018, January 19). Meet '
                                         'CrowdStrike’s Adversary of the Month '
                                         'for January: VOODOO BEAR. Retrieved '
                                         'May 22, 2018.',
                          'source_name': 'CrowdStrike VOODOO BEAR',
                          'url': 'https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'MSTIC. (2022, October 14). New '
                                         '“Prestige” ransomware impacts '
                                         'organizations in Ukraine and Poland. '
                                         'Retrieved January 19, 2023.',
                          'source_name': 'Microsoft Prestige ransomware '
                                         'October 2022',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/'},
                         {'description': 'Muncaster, P.. (2014, October 14). '
                                         'Microsoft Zero Day Traced to Russian '
                                         '‘Sandworm’ Hackers. Retrieved '
                                         'October 6, 2017.',
                          'source_name': 'InfoSecurity Sandworm Oct 2014',
                          'url': 'https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/'},
                         {'description': 'NCSC. (2020, February 20). NCSC '
                                         'supports US advisory regarding GRU '
                                         'intrusion set Sandworm. Retrieved '
                                         'June 10, 2020.',
                          'source_name': 'NCSC Sandworm Feb 2020',
                          'url': 'https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory'},
                         {'description': 'Pompeo, M. (2020, February 20). The '
                                         'United States Condemns Russian Cyber '
                                         'Attack Against the Country of '
                                         'Georgia. Retrieved September 12, '
                                         '2024.',
                          'source_name': 'USDOJ Sandworm Feb 2020',
                          'url': 'https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html'},
                         {'description': 'Roncone, G. et al. (n.d.). APT44: '
                                         'Unearthing Sandworm. Retrieved July '
                                         '11, 2024.',
                          'source_name': 'mandiant_apt44_unearthing_sandworm',
                          'url': 'https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf'},
                         {'description': 'Scott W. Brady. (2020, October 15). '
                                         'United States vs. Yuriy Sergeyevich '
                                         'Andrienko et al.. Retrieved November '
                                         '25, 2020.',
                          'source_name': 'US District Court Indictment GRU '
                                         'Unit 74455 October 2020',
                          'url': 'https://www.justice.gov/opa/press-release/file/1328521/download'},
                         {'description': 'Secureworks. (2020, May 1). IRON '
                                         'VIKING Threat Profile. Retrieved '
                                         'June 10, 2020.',
                          'source_name': 'Secureworks IRON VIKING ',
                          'url': 'https://www.secureworks.com/research/threat-profiles/iron-viking'},
                         {'description': 'UK NCSC. (2020, October 19). UK '
                                         'exposes series of Russian cyber '
                                         'attacks against Olympic and '
                                         'Paralympic Games . Retrieved '
                                         'November 30, 2020.',
                          'source_name': 'UK NCSC Olympic Attacks October 2020',
                          'url': 'https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games'}],
 'id': 'intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192',
 'modified': '2024-12-04T21:17:08.593Z',
 'name': 'Sandworm Team',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Dragos Threat Intelligence', 'Hakan KARABACAK'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'ics-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.2'}