Sandworm [1] [2] [3] [4] [5] [6] [7], a Russia-backed hacking group believed to be linked to Russia’s GRU military intelligence agency [3], has been conducting cyber operations in support of the GRU since at least 2009. The group primarily targets entities in Ukraine but has also targeted European Union government organizations, NATO [1], and others.


Sandworm recently carried out a disruptive cyber-attack on a Ukrainian critical infrastructure organization [5], using novel techniques; the operation is attributed to Russia’s GRU intelligence and special forces agency [6]. The attack caused a brief power outage by impacting industrial control systems (ICS) and operational technology (OT) [5] [6]. Sandworm may have had access to the SCADA system for up to three months [1] [5]. The intrusion culminated in two disruptive events in October 2022: a power outage and a wiper attack [5]. The first event aimed to trip the victim’s substation circuit breakers [5] and coincided with mass Russian missile strikes against critical national infrastructure (CNI) targets in Ukraine [6]. The second event deployed a new variant of CaddyWiper in the victim’s IT environment [5]. Mandiant’s response to the attack revealed the serious threat that Ukraine still faces, and Mandiant praised the exceptional work of Ukrainian defenders in preventing similar scenarios [6]. The attack demonstrates a clear evolution in Russia’s cyber-physical capabilities and suggests the maturity of the Kremlin’s offensive OT arsenal [6]; Sandworm is believed to be capable of developing similar capabilities against other OT systems worldwide [1] [6]. The attack also highlighted the psychological toll that such operations take on civilians.


The attack on Ukrainian critical infrastructure showcases Russia’s evolving cyber-physical attack capabilities and the potential for them to be used against other OT systems worldwide. It underlines the need for heightened security measures globally [4], particularly for entities running MicroSCADA systems [4]. Critical infrastructure operators worldwide should treat this as a warning and fortify their defenses against similar threats [4]. The exceptional work of Ukrainian defenders and their partners has limited the impact of attacks in Ukraine [5], but the threat remains.