Who is Sandworm Team?
Sandworm Team is an elite Russian state-sponsored hacking group. The U.S. and U.K. governments have attributed it to Unit 74455 of Russia’s military intelligence service, the GRU. The group is known for highly destructive attacks.
Sandworm Team has launched some of the most disruptive cyberattacks in history. Their main focus has been Ukraine, but their attacks have caused massive damage worldwide.
They are one of the few groups proven to have the capability to translate cyberattacks into physical, real-world consequences, such as power outages.
Common Tactics and Tools
Sandworm is known for its skill in attacking Industrial Control Systems (ICS) and Operational Technology (OT) networks.
Their attacks often begin in ordinary corporate IT networks, typically through phishing. From there they pivot into the more sensitive OT networks that control physical equipment. Their toolkit includes some of the most infamous malware ever made.
- BlackEnergy: A modular malware toolkit used in the 2015 attack on the Ukrainian power grid, the first confirmed blackout caused by a cyberattack. BlackEnergy gave the attackers a foothold in the IT network; from there they pivoted into the ICS network and cut the power.
- Industroyer (CrashOverride): Malware purpose-built to manipulate industrial equipment, used in a 2016 attack on a Ukrainian power company. It speaks native ICS protocols, so it can directly command industrial hardware such as circuit breakers.
- NotPetya: A destructive wiper disguised as ransomware. In 2017 it was delivered through a compromised Ukrainian software update, then spread worm-like across the globe. It caused an estimated $10 billion in damage and crippled several major companies.
How to Defend Against Sandworm Team
Defending against a group this skilled requires security controls designed for industrial environments. This is vital for critical infrastructure.
- Strict IT/OT segmentation: The best defense is a strong, monitored wall between your corporate (IT) and industrial (OT) networks. This stops attackers from moving from a hacked office computer to the systems that control physical equipment.
- Harden the OT environment: Apply strong security inside the industrial network itself. Restrict access, harden workstations, and use network detection and response (NDR) tooling to watch for anomalous traffic.
- Secure the supply chain: Check all third-party software and connections carefully. Pay close attention to software updates. Sandworm has used these to launch attacks.
- Develop a resilient response plan: For critical infrastructure, you need a response plan that works without power or IT networks. Create this plan and test it often.
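The segmentation and OT-monitoring controls above can be expressed as a concrete policy check. The following is an added example, not code from the original page: a small monitor that reads flow records and flags IT-to-OT connections that fall outside an explicit allowlist, plus ICS-protocol traffic originating from outside the OT network. The subnets, hosts, the jump-host conduit and the flow records are all constructed for illustration; the port numbers are the standard defaults for Modbus/TCP, IEC 60870-5-104 and DNP3.

```python
"""Flag IT-to-OT traffic that violates a segmentation policy.

Added illustration built on constructed flow records. The subnets,
hosts and allowlist are hypothetical; the protocol ports are the
well-known defaults for Modbus/TCP, IEC 60870-5-104 and DNP3.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IT_NET = ipaddress.ip_network("10.10.0.0/16")      # corporate network (assumed)
OT_NET = ipaddress.ip_network("192.168.50.0/24")   # industrial network (assumed)

# Well-known ICS protocol ports (standard defaults, not page-specific values).
ICS_PORTS = {502: "Modbus/TCP", 2404: "IEC 60870-5-104", 20000: "DNP3"}

# The only permitted IT->OT conduit in this hypothetical policy: a jump
# host reaching one engineering workstation over RDP. Anything else that
# crosses the boundary is treated as a segmentation violation.
ALLOWED_CONDUITS = {
    ("10.10.1.5", "192.168.50.10", 3389),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record (constructed format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason for a flow, or None if it is acceptable."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    crosses_boundary = src in IT_NET and dst in OT_NET
    if crosses_boundary and (flow.src, flow.dst, flow.dport) not in ALLOWED_CONDUITS:
        return f"IT->OT boundary crossing not in allowlist (dport {flow.dport})"
    # ICS protocols should only ever be spoken from inside the OT network.
    if flow.dport in ICS_PORTS and src not in OT_NET:
        return f"{ICS_PORTS[flow.dport]} traffic from outside the OT network"
    return None


def scan(lines) -> List[Tuple[Flow, str]]:
    """Run classify() over flow records; return (flow, reason) for each alert."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow, reason))
    return alerts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """
# src            dst              dport proto
10.10.1.5        192.168.50.10    3389  tcp
10.10.7.22       192.168.50.10    445   tcp
10.10.7.22       192.168.50.20    502   tcp
192.168.50.10    192.168.50.20    502   tcp
10.10.3.9        10.10.3.10       443   tcp
"""

if __name__ == "__main__":
    for flow, reason in scan(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

On the sample data only the two flows from the unlisted workstation 10.10.7.22 are reported; the approved jump-host session and the OT-internal Modbus traffic pass. In practice the allowlist would be generated from the documented conduits between zones, and every alert from this kind of check deserves investigation, since a legitimate new conduit should be added to the policy rather than tolerated as noise.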