Welcome to 2025’s first threat actor profile from ABCbyD. If you know me, you know that I am a huge fan of the Dune franchise. Not only is it hard sci-fi (albeit with interstellar navigation cleverly maneuvered around by the Holtzman effect), but it’s also a meandering space opera about humanity’s better and worse natures: zeal, greed, the consequences of revenge, and so much more.
Recently, I’ve been watching the new Dune series and got into a conversation about how science fiction intersects with cyberspace (a term coined originally in Neuromancer), including the eponymous Sandworm.
For fans of the movies, cue Hans Zimmer’s epic soundtrack, and let’s dig into one of the world’s most notorious threat actors.
Origins of the Name “Sandworm”
Sandworm, the Russian state-sponsored threat actor, owes its name to an investigation into a cyberattack campaign detailed in the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg.
Researchers at cybersecurity firm iSight Partners initially coined the name because they discovered references to Frank Herbert’s Dune series embedded in the malware (including the strings ‘arrakis’ and ‘dune’).
While the group itself has not officially embraced this moniker, the name stuck due to its symbolic relevance. Much like how the massive sandworms of Arrakis burrow and explode from the sandy depths with little to no warning, Sandworm has a history of lying undetected and then suddenly surfacing within an environment, causing widespread destruction.
The group, officially linked to Russia’s GRU military intelligence agency and operating under Unit 74455, demonstrates precision, persistence, and a deep alignment with state interests.
A Longstanding History of Cyber Espionage and Sabotage
Sandworm’s operations date back to at least 2009 and are defined by their focus on critical infrastructure, geopolitical sabotage, and a willingness to deploy destructive malware. Sandworm is one of the few adversaries to execute attacks resulting in physical consequences, proving their expertise in combining technical precision with strategic impact.
Major Operations
Here’s a “non-top 3” list of some of Sandworm’s most notorious attacks.
2015 Ukrainian Power Grid Attack: In December 2015, Sandworm orchestrated the first known cyberattack to cause a power outage, targeting Ukraine’s energy infrastructure. The group deployed BlackEnergy malware to compromise systems, taking down power grids for six hours during a bitterly cold winter.
NotPetya: The Malware That Crippled the World: In 2017, Sandworm unleashed NotPetya, a destructive malware masquerading as ransomware. Initially targeting Ukrainian financial systems, the malware spread globally, causing billions of dollars in damage and disrupting operations for multinational companies like Maersk and FedEx.
Olympic Destroyer: Ahead of the 2018 PyeongChang Winter Olympics, Sandworm launched a cyberattack using the Olympic Destroyer malware, targeting IT systems and causing significant disruption to the event’s operations.
These campaigns reveal a clear pattern: Sandworm leverages its capabilities to further Russia’s geopolitical objectives, often leaving devastation in its wake.
Sandworm’s Recent Activity
Sandworm remains a highly active and dangerous threat actor. Their operations have expanded, with an increased focus on leveraging advanced malware, targeting mobile devices, and exploiting cloud infrastructure. While we’re only two weeks into 2025, I’ll bet we’ll be hearing from them soon. Here are three notable campaigns from 2024.
Espionage via Ukrainian Military App (March 2024)
In a campaign uncovered in March 2024, Sandworm targeted Ukrainian military personnel by infiltrating a widely used mobile application. This app was compromised to collect sensitive operational data, such as troop movements and logistics.
Indicators of Compromise (IOCs):
Domains mimicking legitimate military resources.
Malware identified as Infostealer.Z embedded in APK files.
C2 servers based in known Russian IP blocks.
Read more: Ukraine military app espionage.
Attacks on Energy Infrastructure in Eastern Europe (June 2024)
In a campaign reminiscent of their earlier attacks on Ukraine, Sandworm targeted energy companies across Eastern Europe. The group attempted to compromise grid control systems using spear-phishing emails and vulnerabilities in operational technology (OT).
Indicators of Compromise (IOCs):
Spear-phishing emails with subject lines referencing energy policies.
Use of Industroyer2 malware.
Obfuscated PowerShell scripts for lateral movement.
Read more: ICS/OT Security Analysis.
Leveraging Cloud Infrastructure for C2 (October 2024)
Sandworm has increasingly adopted cloud services to disguise their command-and-control (C2) activities. In October, Google researchers uncovered that the group had exploited legitimate cloud tools to exfiltrate data from compromised systems across Europe and Asia.
Indicators of Compromise (IOCs):
Abnormal activity involving Google Workspace APIs.
Malware communicating via encrypted cloud services.
Abuse of OAuth tokens for persistent access.
Read more: APT44 Analysis on Sandworm.
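The three cloud IOCs above (abnormal Workspace API activity, encrypted cloud C2, OAuth token abuse) all come down to the same question for a defender: is a token being used in a way its owner never would? The script below is an added example written for this post, not code from Google, Mandiant or the original article. It applies three heuristics to audit records: a non-vetted OAuth client receiving a data-access scope, a token used from an address never seen for that user, and bulk API calls inside a sliding window. The record layout, client IDs, IP addresses and thresholds are constructed assumptions; map the field names onto whatever audit feed you actually ingest.

```python
"""Heuristic detection of OAuth token abuse in cloud audit records.

Added example, not from the original post. The AuditEvent shape is a
constructed simplification (assumption), not any vendor's exact schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes that grant broad read access to user data (tune per organisation)
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# OAuth client IDs the organisation has vetted (constructed placeholders)
APPROVED_CLIENTS = {"client-approved-mail-addin", "client-approved-backup"}
BULK_THRESHOLD = 50               # API calls per window per (user, client)
BULK_WINDOW = timedelta(hours=1)  # sliding window for the bulk rule


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    client_id: str
    action: str          # "authorize" (user consented) or "api_call" (token used)
    scopes: tuple = ()
    ip: str = ""


@dataclass
class Finding:
    rule: str
    user: str
    client_id: str
    detail: str


def detect_oauth_abuse(events, known_ips):
    """known_ips: user -> set of source IPs seen during a baseline period."""
    findings, fired = [], set()          # fired: de-duplicate repeated alerts
    calls = defaultdict(list)            # (user, client) -> timestamps in window
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "authorize":
            risky = SENSITIVE_SCOPES & set(e.scopes)
            if risky and e.client_id not in APPROVED_CLIENTS:
                findings.append(Finding("unapproved_sensitive_grant", e.user,
                                        e.client_id, "scopes: " + ", ".join(sorted(risky))))
        elif e.action == "api_call":
            key = (e.user, e.client_id)
            # Rule 2: token used from an address never seen for this user
            if e.ip and e.ip not in known_ips.get(e.user, set()) \
                    and ("ip", e.user, e.ip) not in fired:
                fired.add(("ip", e.user, e.ip))
                findings.append(Finding("token_used_from_new_ip", e.user, e.client_id, e.ip))
            # Rule 3: bulk collection; keep only timestamps inside the window
            window = calls[key]
            window.append(e.ts)
            while e.ts - window[0] > BULK_WINDOW:
                window.pop(0)
            if len(window) >= BULK_THRESHOLD and ("bulk", key) not in fired:
                fired.add(("bulk", key))
                findings.append(Finding("bulk_api_use", e.user, e.client_id,
                                        f"{BULK_THRESHOLD} calls within {BULK_WINDOW}"))
    return findings


# Constructed baseline: addresses (RFC 5737 test ranges) seen for each user before
BASELINE_IPS = {"alice@example.test": {"203.0.113.10"},
                "bob@example.test": {"203.0.113.11"}}


def sample_events():
    """Constructed audit records: one abusive client, one benign one."""
    base = datetime(2024, 10, 1, 9, 0)
    events = [
        AuditEvent(base, "alice@example.test", "client-unknown-sync-tool", "authorize",
                   scopes=("https://www.googleapis.com/auth/drive",)),
        AuditEvent(base, "bob@example.test", "client-approved-backup", "authorize",
                   scopes=("https://www.googleapis.com/auth/drive",)),
    ]
    # 60 Drive calls in one hour from an address never seen for alice
    events += [AuditEvent(base + timedelta(minutes=i), "alice@example.test",
                          "client-unknown-sync-tool", "api_call", ip="198.51.100.7")
               for i in range(1, 61)]
    # bob's vetted backup tool, normal pace, known address
    events += [AuditEvent(base + timedelta(minutes=10 * i), "bob@example.test",
                          "client-approved-backup", "api_call", ip="203.0.113.11")
               for i in range(1, 7)]
    return events


def run_demo():
    return detect_oauth_abuse(sample_events(), BASELINE_IPS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule:28} {f.user:20} {f.client_id:26} {f.detail}")
```

Run as-is and the constructed data produces exactly three findings, all against alice's unvetted client; bob's vetted backup tool triggers nothing because it is allow-listed, paced and on a known address. The de-duplication set matters in practice: without it the new-IP rule would fire on all 60 calls and bury the grant alert that actually explains the activity.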
The Evolving Tactics, Techniques, and Procedures of Sandworm
Sandworm’s adaptability is a hallmark of their operations. They continuously refine their techniques to stay ahead of defenders. Key trends include:
Targeting Critical Infrastructure: Sandworm consistently targets sectors like energy, transportation, and defense. Their ability to blend IT and OT attacks makes them uniquely dangerous.
Abuse of Legitimate Services: By leveraging cloud platforms and widely used software, Sandworm minimizes their digital footprint and evades traditional detection.
Mobile Exploits: Recent campaigns, like the military app espionage case, highlight Sandworm’s increasing focus on mobile platforms as vectors for data collection and influence operations.
Digging into the details, their playbook is a mix of IT and OT attacks, leveraging sophisticated tools and methods to evade detection and achieve their objectives. Since we’ve focused on IT, I’ve broken out MITRE ATT&CK Enterprise tactics and techniques attributed to Sandworm. Check them out below:
Initial Access: Exploiting trusted relationships (T1199) and leveraging spear-phishing campaigns to gain a foothold.
Execution: Using PowerShell (T1059.001), Windows Command Shell (T1059.003), and Visual Basic scripts (T1059.005) for remote execution.
Persistence: Creating or modifying Windows services (T1543.003) and deploying web shells (T1505.003) for long-term access.
Privilege Escalation: Creating domain accounts with elevated privileges (T1136.002) to maintain higher-level access.
Defense Evasion: Obfuscating files (T1027), disabling Windows event logging (T1562.002), and masquerading malicious files as legitimate ones (T1036.005).
Credential Access: Dumping credentials from LSASS memory using tools like Mimikatz (T1003.001).
Discovery: Using LDAP queries for Active Directory enumeration and remote system discovery (T1018).
Lateral Movement: Exploiting SMB/Windows Admin Shares (T1021.002) and transferring malicious tools across networks (T1570).
Impact: Deploying destructive malware like KillDisk (T1490) to inhibit recovery and disrupt operations.
This list is not comprehensive, but it paints a picture of how Sandworm uses Windows system internals to gain persistence and ultimately achieve their objectives.
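To turn the technique list above into something a SOC can act on, each technique needs a concrete log signal. The script below is an added example written for this post (not the author's code and not part of any MITRE or vendor tooling) that classifies sample Windows and Sysmon events against the technique IDs listed above: 7045 service installs for T1543.003, Security event 1100 (event logging service shut down) for T1562.002, 4720 account creation for T1136.002, 4104 script blocks for T1059.001 with an obfuscation heuristic for T1027, 5145 admin share access for T1021.002, Sysmon 10 handles to lsass for T1003.001, and Sysmon 1 process starts whose name matches a system binary but whose path does not for T1036.005. The event records, paths and thresholds are constructed assumptions.

```python
"""Map sample Windows / Sysmon events to the ATT&CK techniques listed above.

Added example, not from the original post. Records are constructed
(assumption) and reduced to the fields a SIEM would normally expose.
"""
from collections import Counter

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
ADMIN_SHARES = {"admin$", "c$", "ipc$"}
LSASS_ACCESS_MASKS = {"0x1010", "0x1038", "0x1fffff"}   # masks seen with credential dumping
OBFUSCATION_MARKERS = ("-enc", "-encodedcommand", "frombase64string", "-join", "[char]")


def _looks_obfuscated(script):
    """Cheap heuristic: encoding switches, or an unusually symbol-heavy script."""
    s = script.lower()
    if any(m in s for m in OBFUSCATION_MARKERS):
        return True
    non_alnum = sum(1 for c in s if not c.isalnum() and not c.isspace())
    return len(s) > 40 and non_alnum / len(s) > 0.35


def classify(event):
    """Return a list of (technique_id, reason) for one event dict."""
    hits = []
    src, eid, d = event["source"], event["event_id"], event["data"]
    if src == "System" and eid == 7045:
        hits.append(("T1543.003", f"new service {d.get('ServiceName')} -> {d.get('ImagePath')}"))
    elif src == "Security" and eid == 1100:
        hits.append(("T1562.002", "event logging service shut down"))
    elif src == "Security" and eid == 4720:
        hits.append(("T1136.002", f"account created: {d.get('TargetUserName')}"))
    elif src == "PowerShell" and eid == 4104:
        hits.append(("T1059.001", "script block executed"))
        if _looks_obfuscated(d.get("ScriptBlockText", "")):
            hits.append(("T1027", "obfuscated script block"))
    elif src == "Security" and eid == 5145:
        share = d.get("ShareName", "").lower().rsplit("\\", 1)[-1]
        if share in ADMIN_SHARES:
            hits.append(("T1021.002", f"admin share {d.get('ShareName')} from {d.get('IpAddress')}"))
    elif src == "Sysmon" and eid == 10:
        if d.get("TargetImage", "").lower().endswith("\\lsass.exe") \
                and d.get("GrantedAccess", "").lower() in LSASS_ACCESS_MASKS:
            hits.append(("T1003.001", f"{d.get('SourceImage')} opened lsass ({d.get('GrantedAccess')})"))
    elif src == "Sysmon" and eid == 1:
        image = d.get("Image", "")
        name = image.lower().rsplit("\\", 1)[-1]
        # A system binary name outside System32 is the classic masquerade
        if name in SYSTEM_BINARIES and not image.lower().startswith("c:\\windows\\system32\\"):
            hits.append(("T1036.005", f"{name} running from {image}"))
    return hits


def sample_events():
    """Constructed events: eight suspicious, one benign (index 6)."""
    return [
        {"source": "System", "event_id": 7045,
         "data": {"ServiceName": "WinUpdateSvc", "ImagePath": "C:\\ProgramData\\upd.exe"}},
        {"source": "PowerShell", "event_id": 4104,
         "data": {"ScriptBlockText": "powershell -nop -w hidden -enc <base64-blob>"}},
        {"source": "PowerShell", "event_id": 4104,
         "data": {"ScriptBlockText": "Get-Service | Where-Object Status -eq Running"}},
        {"source": "Sysmon", "event_id": 10,
         "data": {"SourceImage": "C:\\Users\\Public\\mk.exe",
                  "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}},
        {"source": "Security", "event_id": 5145,
         "data": {"ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.25"}},
        {"source": "Sysmon", "event_id": 1, "data": {"Image": "C:\\Users\\Public\\svchost.exe"}},
        {"source": "Sysmon", "event_id": 1, "data": {"Image": "C:\\Windows\\System32\\svchost.exe"}},
        {"source": "Security", "event_id": 1100, "data": {}},
        {"source": "Security", "event_id": 4720, "data": {"TargetUserName": "svc_backup2"}},
    ]


def hunt(events):
    """Classify every event; return per-event hits and a technique tally."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    tally = Counter(t for _, hits in results for t, _ in hits)
    return results, tally


if __name__ == "__main__":
    results, tally = hunt(sample_events())
    for i, hits in results:
        for tech, why in hits:
            print(f"event {i}: {tech:10} {why}")
    print("tally:", dict(tally))
```

The benign svchost.exe from System32 and the plain Get-Service pipeline produce no masquerading or obfuscation hit, which is the point of keeping path and content checks rather than alerting on names or PowerShell use alone. The tally is what you would feed into coverage tracking against the ATT&CK matrix: a technique on the list with no detection hits in your telemetry is a visibility gap, not evidence of absence.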
So What Do We Do About the GRU?
As you know, I’m a fan of thinking smarter, not harder, and using publicly available resources to help you proactively harden your security posture. Defending against Sandworm starts with staying informed and leveraging open-source threat intelligence. Here are a few resources to inform your defenses:
MITRE Resources (APT-44): Map Sandworm’s known techniques using the ATT&CK framework to guide your threat hunting and detection efforts.
CISA Write-Up: CISA published a write-up on Sandworm that I highly recommend.
MISP & CISA Threat Sharing: Subscribe to MISP & CISA feeds for real-time updates on Sandworm-related IOCs, including domains, hashes, and TTPs.
Conclusion: The Sandworm’s Legacy
Sandworm is more than a threat actor; they’re an adversary with a legacy of chaos and precision. From disrupting Ukraine’s power grid to exploiting cloud infrastructure, they embody the challenges of modern cyber warfare.
Understanding Sandworm is not just an academic exercise—it’s a necessity for organizations aiming to protect themselves in an increasingly interconnected world. They’re also proof that adversaries, like companies, can continue to innovate and reinvent themselves as they evolve.
Stay curious and stay secure, my friends.
Damien