Sandworm

Also known as: IRIDIUM, Voodoo Bear, Seashell Blizzard, APT44

Overview

Russian GRU Unit 74455. Most destructive cyber threat actor globally. Responsible for NotPetya, Ukraine power grid attacks, and ongoing cyber operations against Ukrainian infrastructure.

MITRE ATT&CK Coverage

Recon

Res Dev

Init Access

Execution

Persistence

Priv Esc

Def Evasion

Cred Access

Discovery

Lat Move

Collection

Exfil

Impact

4 of 14 tactics observed

Raw TTPs

Destructive MalwareICS/SCADA AttacksWiper DeploymentSupply Chain CompromiseLiving-off-the-Land

Related Intelligence (3)

CRITICALMalwareExploited

Sandworm Targets European Energy Companies with Industroyer3 Variant

Sandworm deploys Industroyer3 variant against energy companies in Poland and Baltic states. ICS-specific payload targets Siemens SIPROTEC relays.

Siemens SIPROTEC

Mar 25, 2026CERT-EU / Mandiant

CRITICALMalwareExploited

Sandworm Deploys New Wiper Malware Against Ukrainian Energy Grid

Russian GRU Sandworm group deploys new wiper variant AcidBurn targeting Ukrainian power distribution systems during winter heating season.

Schneider Electric SCADA

Mar 16, 2026CERT-UA / Mandiant

HIGHMalware

Sandworm Uses Compromised Ubiquiti Routers as C2 Infrastructure

FBI warns Sandworm is using a botnet of compromised Ubiquiti EdgeRouters as proxy C2 infrastructure for espionage operations against NATO targets.

Ubiquiti EdgeRouter

Mar 8, 2026FBI / NSA Joint Advisory