Sandworm Case Study: Russian Hacker Group in Cyberwarfare

Cloned Boy
Sandworm (also known as APT44, Voodoo Bear, TeleBots) is one of the most aggressive state hacker groups, associated with the GRU of the Russian Federation (unit 74455). Specializes in attacks on critical infrastructure, energy grids and geopolitical sabotage.

🔍 Who is behind Sandworm?

Origin and connections

  • Confirmed affiliation: 5th Directorate of the GRU (Military unit 74455, Moscow).
  • Main objectives:
    • Destabilization of Ukraine.
    • Attacks on NATO and Western energy systems.
    • Conducting "hybrid wars".
  • Financing: State (budget of the Russian Federation).

⚔️ Key Operations of Sandworm

1. The first cyberattack on a power grid in history (2015–2016)

  • Attack on Ukrainian energy systems (BlackEnergy, KillDisk):
    • December 2015: Power outage in Ivano-Frankivsk (230,000 people without power).
    • December 2016: Repeated attack on Kyivoblenergo (using Industroyer).

2. NotPetya ransomware (2017)

  • Disguised as ransomware, but in fact a purely destructive virus.
  • Damage: $10+ billion (Maersk, Merck, Mondelez suffered).
  • Goal: Destruction of data on Ukrainian servers (but the virus got out of control).

3. Attacks on the 2018 Olympics

  • "Olympic Destroyer":
    • Pyeongchang Winter Olympics servers hacked.
    • Substitution of websites, distribution of fakes.

4. War against Ukraine (2022–2024)

  • Attack on Viasat (satellite communications of the Ukrainian Armed Forces).
  • Wiper attacks (AcidRain, CaddyWiper).
  • Government website hacks (DDoS + disinformation).

🛠️ Sandworm's Methods of Operation

  1. Phishing + malicious attachments (for example, fake documents "from the SBU").
  2. 0-day vulnerabilities (e.g. CVE-2017-0144 on Windows).
  3. Self-written destructive viruses:
    • BlackEnergy (for power grids).
    • Industroyer (hacking SCADA systems).
    • NotPetya (disguised as ransomware).
  4. Attacks on OT systems (Siemens industrial controllers).

🛡️ How were they identified?

1. Errors in OpSec

  • Using Russian IPs (for example, from Moscow and St. Petersburg).
  • Traces in the code:
    • Russian-language lines ("Activation of the destructor").
    • Using Russian cryptoalgorithms (GOST).

2. Exposure by the secret services

  • 2018–2020: The US, UK and EU imposed sanctions on GRU Unit 74455.
  • 2020: Arrest of hackers in the Czech Republic and Ukraine.
  • 2022: Microsoft and Mandiant publish reports on Sandworm's ties to the Kremlin.

3. Malware Analysis

  • Industroyer → Related to BlackEnergy (same code style).
  • NotPetya → Used the same C&C servers as Sandworm.
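The attribution logic sketched above (linking samples by shared C&C servers and by recurring code artifacts such as string fragments and crypto identifiers) can be expressed as a small overlap-scoring routine. The code below is an added example written for this page, not code from the original post or from any of the cited reports; every sample record, hostname and string in it is a constructed placeholder, not a real indicator, and the weighting (one point per shared C&C host, plus Jaccard similarity of the string sets) is an assumed heuristic chosen for illustration.

```python
"""Link malware samples by shared infrastructure and code artifacts.

Added example: the attribution reasoning in the post (Industroyer linked to
BlackEnergy by code style, NotPetya linked by reused C&C servers) expressed as
a small overlap-scoring routine. Every record below is CONSTRUCTED for
illustration; the hostnames and strings are placeholders, not real indicators.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Sample:
    name: str
    c2_hosts: frozenset  # constructed C&C hostnames observed in the sample
    strings: frozenset   # constructed notable strings / crypto identifiers


# Constructed placeholder records (hypothetical; not real IoCs).
SAMPLES = [
    Sample("sample-A",
           frozenset({"c2-placeholder-1.invalid", "c2-placeholder-2.invalid"}),
           frozenset({"GOST28147", "destructor_activate", "kill_disk"})),
    Sample("sample-B",
           frozenset({"c2-placeholder-2.invalid"}),
           frozenset({"GOST28147", "destructor_activate", "scada_iec104"})),
    Sample("sample-C",
           frozenset({"c2-placeholder-9.invalid"}),
           frozenset({"ransom_note", "aes_encrypt"})),
]


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_score(x, y):
    """Assumed weighting: each shared C&C host counts 1.0 (strong evidence,
    infrastructure reuse); string overlap adds its Jaccard similarity
    (weaker evidence, shared code style)."""
    return len(x.c2_hosts & y.c2_hosts) + jaccard(x.strings, y.strings)


def explain_link(x, y):
    """Return the concrete evidence an analyst reviews before asserting a link."""
    return {
        "shared_c2": sorted(x.c2_hosts & y.c2_hosts),
        "shared_strings": sorted(x.strings & y.strings),
        "score": link_score(x, y),
    }


def cluster(samples, threshold=0.5):
    """Union-find over pairwise links; returns sorted clusters of sample names."""
    parent = {s.name: s.name for s in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for x, y in combinations(samples, 2):
        if link_score(x, y) >= threshold:
            parent[find(x.name)] = find(y.name)

    groups = {}
    for s in samples:
        groups.setdefault(find(s.name), []).append(s.name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print("cluster:", group)
    print(explain_link(SAMPLES[0], SAMPLES[1]))
```

With the constructed data, sample-A and sample-B fall into one cluster (one shared C&C host plus half of their notable strings in common), while sample-C, which shares nothing, stays separate. The `explain_link` output is the part worth keeping in a real workflow: a cluster label alone is not attribution evidence, the listed shared hosts and strings are what a reviewer checks against telemetry before drawing the kind of conclusion the reports above draw.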

📊 Results and consequences

  • Damage: Tens of billions of dollars + threats to vital infrastructure.
  • Countermeasures:
    • The US and EU have imposed cyber sanctions against Russia.
    • Ukraine has created CERT-UA (cyber defense of energy networks).
    • NATO declared cyber attacks as a reason for Article 5 (collective defense).

📚 What did this case teach us?

  1. Cyber attacks are part of modern warfare (power grids = new target).
  2. Destructive viruses are more dangerous than ransomware (NotPetya showed the scale of the threat).
  3. International cooperation is essential (FBI + SBU + Microsoft Threat Intelligence).

Want another case study? For example, Cozy Bear (APT29) — Russian hacker-spies?