Sandworm [1] [2] [3] [4] [5] [6] [7] [8], also known as APT44 [3] [4], is a Russian cyber threat group closely tied to the Kremlin and operating under the Russian Main Intelligence Directorate (GRU).


Initially focused on disruptive and destructive cyber operations against Ukraine [2], Sandworm has evolved into an Advanced Persistent Threat group that also conducts espionage and intelligence gathering. The group has been involved in various high-profile attacks, including the disruption of Ukraine’s energy grid in 2015 and 2016 [4], the global NotPetya attack in 2017 [4], and the disruption of the 2018 Pyeongchang Olympics [4]. Sandworm has been heavily involved in supporting Russian military objectives in Ukraine [3], conducting disruptive and destructive cyber operations against critical infrastructure as well as intelligence collection in support of military activities. Nearly all disruptive and destructive cyberattacks in Ukraine since Russia’s invasion in February 2022 have been attributed to Sandworm [3]. The group’s global operations target government and critical infrastructure in North America, Europe [3] [5] [8], the Middle East [3] [5], Central Asia [3] [5] [8], and Latin America [3] [5]. Sandworm gains initial access through phishing [5], credential harvesting [5], and exploitation of known vulnerabilities [5], prioritizing targets according to the access vectors available [5]. The group has a vast collection of bespoke attack tools but also relies on legitimate tools and living-off-the-land techniques to evade detection [3]. Sandworm’s capabilities include espionage, sabotage [2], and influence operations [2] [5] [7], with a history of targeting defense, transportation [5] [7], energy [4] [5] [7], media [5] [7], and civil society organizations [5] [7]. The group’s success is attributed to its access to Russian companies and to criminal marketplaces for malware. Sandworm has also used hacktivist fronts such as CyberArmyofRussia_Reborn both for deniability and to draw attention to its campaigns [3]. APT44 has been linked to recent cyberattacks against water utilities and identified as affiliated with the hacking group known as Cyber Army of Russia Reborn (CARR).
Mandiant’s report “APT44: Unearthing Sandworm” highlights the group’s activities since 2015 [1], including disruptive operations in support of Russia’s invasion of Ukraine [1]. Sandworm [1] [2] [3] [4] [5] [6] [7] [8], believed to operate as Unit 74455 within the GRU [7], primarily targets government [7], defense [5] [7], transportation [5] [7], energy [4] [5] [7], media [5] [7], and civil society organizations in Russia’s near abroad [7]. The group has also targeted Western electoral systems and institutions [7], including in NATO member countries [7]. APT44 [1] [2] [3] [4] [5] [6] [7] [8], operating under the control of Russian military intelligence, has carried out disruptive attacks on critical infrastructure [7], including an incident in Ukraine in which the group Solntsepek claimed credit for an attack on multiple Ukrainian telecommunications providers [7]. The threat posed by APT44 is evolving rapidly [7]; it is a significant Russia-aligned threat actor that also works to influence public opinion and manipulate elections [5]. Sandworm’s operations are expected to continue evolving in line with Russia’s strategic objectives [4].


Sandworm’s activities have had significant impacts on critical infrastructure, government institutions, and civil society organizations globally [5] [7]. Mitigating the threat posed by APT44 requires enhanced cybersecurity measures, international cooperation, and increased awareness of the group’s tactics. The evolving nature of Sandworm’s operations underscores the need for ongoing vigilance and proactive defense strategies to counter the group’s activities in the future.