# Sandworm Destructive Operations Profile
Analysis of Sandworm/GRU Unit 74455 destructive campaigns.
Sandworm (officially attributed to GRU Unit 74455, also tracked as IRIDIUM, Voodoo Bear, and Electrum) represents the most operationally destructive state-sponsored threat actor in documented history. The group operates as a direct-action cyber warfare unit of Russian military intelligence, executing attacks designed not to steal data but to cause physical-world consequences: blackouts, supply chain collapse, and mass system destruction. Understanding Sandworm is not an academic exercise. Critical infrastructure operators, industrial control system engineers, and enterprise defenders who fail to model Sandworm's capabilities and methods as a credible threat face the realistic possibility of irreversible system damage, prolonged outages, and attacks that no patch or endpoint agent will fully prevent without foundational architectural controls in place.
---
Sandworm is a Russian Advanced Persistent Threat (APT) group operating under the GRU's Main Center for Special Technologies (GTsST), designated Unit 74455. The group is formally distinguished from information-theft or espionage-focused APTs by its primary mission objective: destructive effect at scale. Where groups like APT29 (Cozy Bear) conduct long-term, low-visibility espionage, Sandworm executes campaigns where the final payload is designed to destroy, deny, or degrade systems to the point of operational failure.
Sandworm is not a ransomware group. Although some of its tools (notably WhisperGate, which mimics ransomware) display ransom notes, the objective is irreversible destruction, not payment collection. This distinction matters operationally: standard ransomware recovery playbooks that assume data restoration after payment are irrelevant against Sandworm-style wipers.
The group is also not limited to any single technology domain. Sandworm has demonstrated proficiency across IT networks, operational technology (OT) environments, Industrial Control Systems (ICS), SCADA platforms, and supply chain vectors. This cross-domain capability is what separates it from most threat actors.
Sandworm's primary tool categories include:
Adjacent but distinct concepts include cyber espionage campaigns, hacktivism, and ransomware operations. Sandworm blurs these categories deliberately, using disinformation and false-flag techniques to obscure attribution and delay response.
---
Sandworm's attack methodology follows a multi-phase process that combines conventional IT intrusion techniques with specialized OT knowledge and custom-built destructive payloads. Each phase is documented across multiple campaigns and confirmed through forensic analysis by government agencies, private threat intelligence firms, and international law enforcement.
## Phase 1: Initial Access and Reconnaissance
Sandworm typically achieves initial access through spearphishing emails targeting employees at energy utilities, government ministries, or logistics companies. In the 2015 Ukraine power grid attack, attackers sent Microsoft Word documents containing BlackEnergy macros to employees of three regional electricity distribution companies. Upon execution, the macro established a persistent backdoor. The reconnaissance phase extended over months, during which attackers mapped internal networks, identified human-machine interface (HMI) workstations connected to SCADA systems, and harvested credentials through keylogging and credential dumping tools.
The group has also demonstrated supply chain targeting capabilities. The M.E.Doc accounting software compromise that enabled NotPetya distribution required months of preparation to understand the software's update mechanism and user base. This level of planning distinguishes Sandworm from opportunistic threat actors who exploit available vulnerabilities without extensive target research.
## Phase 2: Lateral Movement and Credential Harvesting
Once inside the IT network, Sandworm moves laterally using standard Windows administration tools (PsExec, WMI, scheduled tasks) combined with harvested domain administrator credentials. This technique is notable because it leaves minimal forensic artifacts compared to custom malware execution. In the NotPetya campaign of June 2017, Sandworm compromised M.E.Doc, Ukrainian accounting software with a large enterprise user base. A malicious software update distributed through M.E.Doc's legitimate update mechanism installed the initial NotPetya component, which then used the EternalBlue SMB exploit (stolen from the NSA) and Mimikatz-based credential harvesting to propagate autonomously across networks without any further attacker interaction.
The group demonstrates sophisticated understanding of Windows domain architecture. In multiple campaigns, attackers have prioritized domain administrator credentials over local administrator access, indicating they understand that domain-level privileges enable rapid horizontal movement across entire enterprise environments. They also show awareness of typical IT/OT segmentation patterns, specifically targeting engineering workstations that have legitimate access to both corporate networks and industrial control systems.
## Phase 3: OT Network Penetration and Staging
In ICS-targeted operations, Sandworm does not rely on generic IT malware once inside OT environments. The Industroyer malware, deployed in the December 2016 Ukraine power grid attack, contained four distinct payload modules, each implementing a different industrial communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA. These protocols are used by power grid control systems globally. Industroyer could directly issue commands to substation equipment, opening and closing circuit breakers without operator input. The malware also included a wiper component that overwrote firmware on serial-to-Ethernet converters to prevent remote recovery.
The technical sophistication of Industroyer2, deployed in April 2022 against Ukrainian electrical infrastructure, represents an evolution in ICS targeting. The malware contained hardcoded configuration parameters specific to individual substations, meaning attackers had conducted detailed reconnaissance of the exact equipment models, network topology, and control logic at the targeted facility. This level of customization indicates either insider knowledge or extensive passive network monitoring during the staging phase.
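The protocol behaviour described above, an attacker-controlled host issuing commands to substation equipment over IEC 60870-5-104, is observable on the wire because 104 traffic is unencrypted and the command ASDU types are fixed by the standard. The monitor below is an added example written for this profile; it is not code from the page, from the CDA, or from any Industroyer analysis. It parses APDUs out of constructed flow records and raises two kinds of alert: an activation command from any source other than the allowlisted HMI, and one source switching many information object addresses (IOAs) in a short window. The `HMI_ALLOWLIST`, the record layout, and the `SWEEP_IOAS`/`SWEEP_SECONDS` thresholds are assumptions for the example, not values taken from any real environment.

```python
"""IEC 60870-5-104 control-command monitor.

Added example (not CDA tooling): parses APDUs from constructed flow records and
alerts on activation commands from a non-allowlisted source and on one source
rapidly switching many IOAs. HMI_ALLOWLIST, the record layout and the sweep
thresholds are assumptions made for this example.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

START = 0x68
# Control-direction ASDU types that change process state: single, double and
# regulating-step commands, set points and bitstrings, with and without time tag.
COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                 49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
                 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
                 63: "C_SE_TC_1", 64: "C_BO_TA_1"}
COT_ACTIVATION = 6
HMI_ALLOWLIST = {"10.20.1.10"}        # assumed: the only host permitted to issue commands
SWEEP_IOAS, SWEEP_SECONDS = 5, 10.0   # assumed: >= 5 distinct IOAs within 10 s is a sweep


@dataclass
class Command:
    src: str
    dst: str
    ts: float
    type_id: int
    cot: int
    ca: int
    ioa: int


def parse_apdu(buf: bytes):
    """Return (type_id, cot, ca, ioa) for an I-format APDU carrying a command, else None."""
    if len(buf) < 6 or buf[0] != START or buf[1] + 2 != len(buf):
        raise ValueError("malformed IEC 104 APDU")
    if buf[2] & 0x01:          # S- and U-format frames (bit 0 set) carry no ASDU
        return None
    asdu = buf[6:]
    if len(asdu) < 9:          # type, VSQ, COT(2), common address(2), IOA(3)
        return None
    type_id = asdu[0]
    cot = asdu[2] & 0x3F       # bits 7/8 of the COT byte are the P/N and test flags
    ca = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16
    return (type_id, cot, ca, ioa) if type_id in COMMAND_TYPES else None


def extract_commands(records):
    """Commands carried by the records; monitoring frames and non-commands are dropped."""
    cmds = []
    for r in records:
        parsed = parse_apdu(r["payload"])
        if parsed:
            cmds.append(Command(r["src"], r["dst"], r["ts"], *parsed))
    return cmds


def analyze(records, allowlist=HMI_ALLOWLIST):
    """Return (rule, src, detail) alerts for the given flow records."""
    alerts = []
    by_src = defaultdict(list)
    for c in extract_commands(records):
        if c.cot != COT_ACTIVATION:
            continue           # confirmations/terminations are sent by the outstation
        by_src[c.src].append(c)
        if c.src not in allowlist:
            alerts.append(("unauthorized_command_source", c.src,
                           f"{COMMAND_TYPES[c.type_id]} ca={c.ca} ioa={c.ioa} -> {c.dst}"))
    for src, cmds in by_src.items():  # one source touching many IOAs quickly
        cmds.sort(key=lambda c: c.ts)
        for i, first in enumerate(cmds):
            window = {c.ioa for c in cmds[i:] if c.ts - first.ts <= SWEEP_SECONDS}
            if len(window) >= SWEEP_IOAS:
                alerts.append(("ioa_sweep", src, f"{len(window)} IOAs within {SWEEP_SECONDS}s"))
                break
    return alerts


def i_frame(type_id, cot, ca, ioa, element, tx=0, rx=0):
    """Build a constructed single-object I-format APDU for exercising the monitor."""
    asdu = bytes([type_id, 0x01, cot & 0x3F, 0x00]) + struct.pack("<H", ca) \
        + bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, element])
    ctrl = struct.pack("<HH", tx << 1, rx << 1)   # I-format: send/receive sequence numbers
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


# Constructed flow records (not a real capture). 0x81 = select ON, 0x01 = execute ON.
RECORDS = [
    {"src": "10.20.1.10", "dst": "10.20.5.21", "ts": 100.0, "payload": i_frame(45, 6, 1, 1001, 0x81)},
    {"src": "10.20.1.10", "dst": "10.20.5.21", "ts": 100.5, "payload": i_frame(45, 6, 1, 1001, 0x01, tx=1)},
    {"src": "10.20.5.21", "dst": "10.20.1.10", "ts": 100.6, "payload": i_frame(45, 7, 1, 1001, 0x01)},
    {"src": "10.20.1.10", "dst": "10.20.5.21", "ts": 300.0, "payload": bytes([START, 4, 0x43, 0, 0, 0])},
] + [  # an engineering workstation (not the HMI) stepping through six double commands
    {"src": "10.10.8.45", "dst": "10.20.5.21", "ts": 200.0 + 0.2 * k,
     "payload": i_frame(46, 6, 1, 2001 + k, 0x06, tx=k)}
    for k in range(6)
]

if __name__ == "__main__":
    for rule, src, detail in analyze(RECORDS):
        print(f"{rule:28} {src:12} {detail}")
```

The HMI's select-then-execute on a single IOA and the outstation's activation confirmation (cause of transmission 7) produce nothing; the six activation commands from the engineering workstation produce one alert each plus a sweep alert. In a real deployment the records would come from a SPAN port or a network sensor in the OT segment, and the allowlist would be derived from the site's documented HMI inventory rather than hard-coded.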
## Phase 4: Execution of Destructive Payload
The destructive phase is typically timed for maximum impact. The 2015 Ukraine attack executed on December 23, a cold winter evening, disabling power to approximately 230,000 customers. Sandworm operators simultaneously conducted a telephone denial-of-service attack against the utility's customer call center to delay public awareness and prevent customers from reporting outages through alternative channels.
The timing coordination extends beyond single-target attacks. NotPetya was initially deployed on June 27, 2017, the day before a Ukrainian national holiday, when IT staff availability would be minimal. The malware's self-propagating mechanism meant that by the time staff returned to work, the infection had spread globally beyond any possibility of containment.
## Phase 5: Anti-Forensic and Anti-Recovery Mechanisms
Sandworm's most technically sophisticated characteristic is its systematic destruction of recovery paths. KillDisk overwrites the Master Boot Record (MBR) and Volume Boot Record (VBR) to prevent system restart. HermeticWiper, deployed in the hours before Russia's February 2022 invasion of Ukraine, corrupted the MBR and partition table on thousands of systems across government and financial sector organizations. CaddyWiper specifically avoided wiping domain controllers (to preserve attacker persistence) while destroying endpoints, showing deliberate operational planning rather than indiscriminate destruction.
The group also demonstrates awareness of backup and disaster recovery systems. In several campaigns, attackers have specifically targeted backup servers, network-attached storage devices, and cloud backup connections before deploying wipers. This sequencing ensures that standard recovery procedures fail, forcing organizations to rebuild from scratch rather than restoring from recent backups.
## Specific Scenario: NotPetya Supply Chain Propagation
Shipping company Maersk, a collateral victim of NotPetya, lost virtually all of its 45,000 PCs and 4,000 servers within hours. The malware propagated through the company's Windows network using EternalBlue and harvested credentials, requiring zero additional attacker interaction after initial seeding through M.E.Doc. Maersk's recovery required installing an entirely new network infrastructure over approximately ten days, sourcing hardware globally, and restoring from a single domain controller that had been offline in Ghana during the attack due to a power outage. That single offline machine saved the company's ability to restore its Active Directory environment.
---
The operational and financial consequences of Sandworm attacks are not hypothetical. NotPetya alone caused an estimated $10 billion in global damages, making it the most costly cyberattack in history at the time. Maersk lost approximately $300 million. Pharmaceutical company Merck lost approximately $870 million. FedEx subsidiary TNT Express lost approximately $400 million. None of these companies were the intended targets. They were collateral victims caught in a self-propagating weapon designed for Ukraine's infrastructure.
This collateral damage pattern is a critical risk factor that is frequently underestimated. Organizations that have no geopolitical exposure to the Russia-Ukraine conflict, no government contracts, and no critical infrastructure role can still be destroyed by a Sandworm-origin attack if they share supply chain software, use the same update infrastructure, or operate on a network connected to a targeted organization. The NotPetya case is the definitive proof of concept for catastrophic supply chain weapon effects.
A common misconception among enterprise security teams is that Sandworm attacks target only Ukraine or NATO member governments. The historical record contradicts this entirely. Sandworm has attacked the Georgian television broadcast network, the French political campaign of Emmanuel Macron (alongside other GRU units), the 2018 Winter Olympics organizing committee, and global logistics companies. The attack surface is any organization that falls within the GRU's operational priorities at a given moment, which shift with geopolitical conditions.
A second misconception is that endpoint detection and response (EDR) tools provide adequate protection against wiper attacks. Wipers that overwrite MBR and VBR operate below the level at which most EDR agents function. By the time process-level telemetry captures suspicious disk writes, the damage is frequently already done. Detection must occur upstream, during lateral movement and staging phases, not at the moment of payload execution.
Organizations without tested offline backup procedures face an existential recovery problem after a Sandworm-style attack. Cloud snapshots that are connected to the same Active Directory environment being wiped are destroyed alongside the primary infrastructure. Recovery requires backups that are genuinely isolated from the production network at the moment of attack. The lesson from Maersk is that organizations may have only one chance to restore, and that restoration capability must be protected with the same rigor as production systems.
The speed of modern wiper deployment also invalidates traditional incident response timelines. Sandworm wipers can destroy thousands of systems within hours of execution. Traditional incident response procedures that assume days or weeks to analyze, contain, and remediate are meaningless in this context. Response procedures must be designed around the assumption that detection occurs during execution, not before it.
---
CDA approaches Sandworm and analogous destructive threat actors through the Threat Intelligence Domain (TID) of the Planetary Defense Model (PDM), combined with hardening controls drawn from the Security Posture Hardening (SPH) domain. The organizing methodology is Predictive Defense Intelligence (PDI), which the CDA defines operationally as "See the threat before it sees you."
Applied to Sandworm, PDI means that defenders cannot wait for a wiper to execute before initiating a response. The execution phase is, by definition, too late. Detection and disruption must occur during initial access, lateral movement, or staging. CDA's TID framework structures intelligence collection and analysis around the specific behavioral indicators associated with each Sandworm phase: macro-enabled document execution from external email, credential dumping tool signatures (particularly Mimikatz variants), use of PsExec or WMI for lateral movement from unusual source systems, and anomalous access to OT network segments from IT workstations.
What distinguishes CDA's approach from generic threat intelligence programs is the operational specificity of the TID output. CDA does not publish threat actor profiles as awareness documents. TID deliverables are structured as detection engineering inputs: specific YARA rules for Sandworm wiper families, Sigma rules for lateral movement patterns consistent with Sandworm TTPs, and network detection rules for industrial protocol abuse consistent with Industroyer behavior. SPH domain guidance provides concrete segmentation architectures and backup isolation requirements derived from post-incident analysis of actual Sandworm victim environments, not theoretical best practices.
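The behavioural indicators listed above for the initial-access and lateral-movement phases (an Office document spawning a script host, PsExec or WMI execution arriving from a host that is not a jump server, and a process reading LSASS memory) map directly onto host telemetry. The following is an added example written for this profile, not CDA TID output, a vendor Sigma rule, or code from any Sandworm analysis: it runs a handful of such rules over constructed Sysmon-style events. The event field names, the `ADMIN_JUMP_HOSTS` inventory, the `LSASS_READERS_OK` allowlist, and the `source_host` enrichment (assumed to come from the preceding network logon) are all assumptions for the example.

```python
"""Host-telemetry detections for the Sandworm phases described above.

Added example (not CDA tooling): a few rules run over constructed Sysmon-style
events. Event field names, ADMIN_JUMP_HOSTS and LSASS_READERS_OK are assumptions
made for this example.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "mshta.exe", "regsvr32.exe"}
LATERAL_RULES = {"psexec_service_install", "psexec_remote_execution",
                 "wmi_remote_execution", "remote_scheduled_task"}
ADMIN_JUMP_HOSTS = {"JUMP01", "JUMP02"}   # assumed inventory of expected admin sources
LSASS_READERS_OK = {"msmpeng.exe"}        # assumed allowlist of legitimate LSASS readers
PROCESS_VM_READ = 0x0010                  # access right needed to read credential material


@dataclass
class Alert:
    rule: str
    host: str
    severity: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, admin_hosts=ADMIN_JUMP_HOSTS):
    """Return Alert objects for events matching the Sandworm-phase rules."""
    alerts = []
    for ev in events:
        hits = []
        eid, host = ev["event_id"], ev["host"]
        if eid == 1:                       # Sysmon: process creation
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                hits.append(("office_spawned_script_host", f"{parent} -> {image}"))
            if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
                hits.append(("wmi_remote_execution", f"{parent} -> {image}"))
            if parent == "psexesvc.exe":
                hits.append(("psexec_remote_execution", f"{parent} -> {image}"))
            if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                    and re.search(r"/s\s+\S+", cmd, re.I):
                hits.append(("remote_scheduled_task", cmd))
        elif eid == 7045:                  # System log: a new service was installed
            svc = ev.get("service_name", "") + " " + ev.get("image_path", "")
            if "psexesvc" in svc.lower():
                hits.append(("psexec_service_install", ev.get("service_name", "")))
        elif eid == 10:                    # Sysmon: process access
            source = basename(ev.get("source_image", ""))
            if basename(ev.get("target_image", "")) == "lsass.exe" \
                    and source not in LSASS_READERS_OK:
                mask = int(ev.get("granted_access", "0x0"), 16)
                if mask & PROCESS_VM_READ:
                    hits.append(("lsass_credential_access", f"{source} 0x{mask:X}"))
        for rule, detail in hits:
            # Remote execution from a jump host is routine; from anywhere else it is high.
            src = ev.get("source_host", "")
            severity = "medium" if rule in LATERAL_RULES and src in admin_hosts else "high"
            alerts.append(Alert(rule, host, severity, detail))
    return alerts


# Constructed sample telemetry (not real logs), in the order the phases occur.
EVENTS = [
    {"host": "WS-ENG-07", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "cmd.exe /c whoami"},
    {"host": "WS-ENG-07", "event_id": 10, "target_image": r"C:\Windows\system32\lsass.exe",
     "source_image": r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe", "granted_access": "0x1010"},
    {"host": "SRV-FILE-02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "source_host": "WS-ENG-07"},
    {"host": "SRV-HMI-01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami", "source_host": "WS-ENG-07"},
    {"host": "WS-HR-03", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"host": "SRV-DB-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "source_host": "JUMP01"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.severity:6} {a.rule:28} {a.host:12} {a.detail}")
```

Only the final event, a PsExec service installed from an inventoried jump host, is downgraded to medium; the same service install arriving from the engineering workstation that just executed a macro and read LSASS is high severity. Correlating the four high alerts on `WS-ENG-07` within one session is the upstream detection the text calls for: it fires during lateral movement, before any wiper is staged.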
The CDA perspective is that Sandworm represents the baseline capability threshold for critical infrastructure threat modeling. Any organization that operates technology essential to public services, logistics, or national security must model against a threat actor capable of destructive wiper deployment and ICS manipulation, because that capability has been demonstrated repeatedly and is not declining. Organizations that cannot defend against Sandworm-level threats cannot claim to be adequately secured against state-sponsored adversaries.
---
Written by CDA Editorial