Sandworm’s Evolving Playbook: Destructive Malware, BadPilot Subgroup, and the Escalating Threat to Global Critical Infrastructure

Sandworm, a Russian GRU-affiliated cyber threat group (Unit 74455), continues to escalate its offensive cyber operations, with a primary focus on Ukraine and Western allies. The group is notorious for high-impact attacks such as the 2015-2016 Ukrainian power grid blackouts...


(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get questions like this:

  1. what do you know about sandworm?
  2. How does Sandworm’s operational focus and targeting evolve in response to geopolitical events, particularly in Eastern Europe?
  3. How do interagency dynamics within Russian intelligence and military cyber units affect the coordination and effectiveness of Sandworm’s operations?

Does it take chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!


TL;DR

Key Points

    • Sandworm (GRU Unit 74455) is intensifying destructive cyber operations, especially against Ukrainian and Western critical infrastructure, leveraging advanced malware (e.g., CaddyWiper, NotPetya) and zero-day exploits.
    • Immediate focus should be on patch management, Active Directory hardening, and detection of destructive malware behaviors.
    • The BadPilot subgroup (Seashell Blizzard) specializes in initial access operations, exploiting public-facing applications and conducting persistent credential theft and phishing campaigns globally.
    • Organizations must prioritize monitoring for initial access TTPs (T1190, T1566) and enforce MFA and robust email security.
    • Sandworm adapts rapidly to geopolitical events, innovating with modular malware, AI-driven evasion, and supply chain attacks, while coordinating with other GRU-linked APTs (e.g., Fancy Bear).
    • Threat intelligence sharing and AI-driven analytics are critical for early detection and adaptive defense.
    • Western defensive postures are strengthening, but Sandworm is expected to escalate both the sophistication and scope of attacks, including targeting emerging technology sectors.
    • Cross-sector collaboration, regular threat hunting, and scenario-based incident response exercises are essential.

Executive Summary

Sandworm, a Russian GRU-affiliated cyber threat group (Unit 74455), continues to escalate its offensive cyber operations, with a primary focus on Ukraine and Western allies. The group is notorious for high-impact attacks such as the 2015-2016 Ukrainian power grid blackouts and the 2017 NotPetya campaign, and has recently intensified destructive campaigns using advanced malware like CaddyWiper and BackOrder. Sandworm’s operations are closely aligned with Russian geopolitical objectives, targeting critical infrastructure, government, arms manufacturing, and technology sectors.

The BadPilot subgroup (aka Seashell Blizzard) has emerged as a key operational unit, specializing in initial access through exploitation of public-facing applications (notably Microsoft Edge zero-days), persistent credential theft, and sophisticated phishing. These campaigns are global in scope, with persistent targeting of the US, UK, Canada, and Australia.

Sandworm’s TTPs include destructive malware deployment (T1486, T1489), phishing (T1566), exploitation of vulnerabilities (T1190), brute force (T1110), and abuse of Active Directory (T1098). The group demonstrates rapid adaptation to defensive measures and geopolitical shifts, innovating with modular malware, AI-driven evasion, and supply chain attack vectors. Operational integration with other GRU-linked APTs (e.g., Fancy Bear) increases the complexity and persistence of campaigns.

Short-term forecasts indicate a likely escalation of destructive attacks on Ukrainian and allied critical infrastructure, persistent credential theft/phishing, and the emergence of novel malware variants. Long-term, Sandworm is expected to sustain and expand sabotage campaigns, deepen operational integration with other Russian APTs, and adapt to advanced defensive technologies by exploiting new attack vectors, including supply chain and insider threats.

Actionable recommendations include rigorous patch management, Active Directory hardening, advanced EDR deployment, enhanced phishing awareness, and robust intelligence sharing with national and international partners. AI-driven analytics and continuous threat hunting are essential to detect evolving Sandworm TTPs. Organizations in critical infrastructure and emerging technology sectors should prepare for increasingly sophisticated, multi-vector attacks and ensure incident response plans are tailored to destructive malware scenarios.


Attribution

Historical Context

Sandworm is a Russian state-sponsored cyber threat group linked to the GRU (Russian military intelligence, Military Unit 74455). It surfaced publicly around 2014 and is infamous for disruptive cyberattacks, especially targeting Ukraine and Western countries. Notable operations include the 2015-2016 Ukrainian power grid attacks causing blackouts and the 2017 NotPetya malware attack, which caused widespread global damage. Sandworm’s operations align with Russian geopolitical objectives, focusing on cyber espionage, sabotage, and information warfare.

Timeline

  • 2014: Emergence of Sandworm’s cyber operations, including attacks on Ukrainian infrastructure.
  • 2015-2016: Ukrainian power grid attacks causing blackouts.
  • 2017: Deployment of NotPetya malware causing global collateral damage.
  • 2023-2025: Continued campaigns, including the BadPilot subgroup targeting critical infrastructure worldwide.
  • Ongoing: Adaptation of tactics and expansion of targets in response to geopolitical developments and internal Russian cyber unit dynamics.

Origin

Attributed to the Russian GRU, specifically Military Unit 74455, Sandworm operates as a military cyberwarfare unit conducting offensive cyber operations in support of Russian state interests. It shares resources and tactics with other GRU-affiliated groups.

Countries Targeted

  1. Ukraine – Primary target for disruptive attacks on critical infrastructure and military.
  2. United States – Targeted for espionage and credential theft.
  3. United Kingdom – Targeted for espionage and data theft.
  4. Canada – Targeted for espionage and initial access operations.
  5. Australia – Targeted for espionage and credential theft.

Sectors Targeted

  1. Arms Manufacturing – Espionage and intelligence gathering.
  2. Critical Infrastructure – Power grids and industrial control systems targeted for sabotage.
  3. Government – Espionage and information operations.
  4. Technology – Targeted for initial access and persistence.
  5. Economic Sectors – Espionage and disruption.

Motivation

Sandworm’s motivation is geopolitical, supporting Russian state objectives through cyber espionage, sabotage, and information warfare. The group aims to destabilize adversaries, gather intelligence, and project power, especially in Ukraine and Western countries.

Attack Types

Sandworm employs:

  • Cyber espionage via credential theft and persistent access.
  • Destructive malware deployment (NotPetya, CaddyWiper, BlackEnergy, BackOrder).
  • Sabotage of critical infrastructure (Ukrainian power grid attacks).
  • Exploitation of software vulnerabilities (e.g., Microsoft Edge bugs).
  • Brute force attacks and abuse of Active Directory Group Policy Objects for lateral movement.
  • Use of backdoors and custom malware toolkits.
  • Phishing campaigns for initial access.

Relevant MITRE ATT&CK techniques include:

  • T1486: Data Encrypted for Impact (NotPetya, CaddyWiper)
  • T1566: Phishing
  • T1190: Exploit Public-Facing Application (e.g., Microsoft Edge vulnerabilities)
  • T1110: Brute Force
  • T1071: Application Layer Protocol (for command and control)
  • T1098: Account Manipulation (credential theft and abuse)
  • T1489: Service Stop (disruption of services)

Evolution and Geopolitical Context

Sandworm’s operations have evolved in response to key geopolitical events such as Russia’s 2014 annexation of Crimea and the 2022 full-scale invasion of Ukraine. These events intensified Sandworm’s focus on Ukrainian critical infrastructure and expanded its targeting to Western allies supporting Ukraine. The group has adapted by developing more sophisticated malware (e.g., CaddyWiper) and leveraging zero-day exploits (e.g., Microsoft Edge vulnerabilities) to maintain persistent access and increase operational impact. Interagency dynamics within Russian intelligence and military cyber units have led to subgroups like BadPilot (Seashell Blizzard), specializing in initial access operations to support broader Sandworm campaigns. Western sanctions and increased cyber defenses have pushed Sandworm to innovate in evasion and persistence techniques.

Known Aliases

  • APT44
  • Telebots
  • Voodoo Bear
  • IRIDIUM
  • Seashell Blizzard
  • Iron Viking
  • BlackEnergy Group

Associated Groups

  1. Fancy Bear (APT28, Sofacy, STRONTIUM)
    • Both under GRU, sharing malware families and infrastructure.
  2. Turla
    • Russian espionage group with overlapping tactics like spearphishing and custom malware.

Similar Threat Actor Groups

  • Lazarus Group: Known for destructive malware and sabotage.
  • Turla: Russian espionage group with advanced capabilities.
  • Fancy Bear: GRU-linked group with shared resources and goals.

Breaches Involving This Threat Actor

Sandworm is known for persistent access campaigns and credential theft in the US, UK, Canada, and Australia. Recent campaigns include the BadPilot subgroup’s multi-year global access operations targeting critical sectors, but no specific public data breach with detailed leaks has been attributed recently.


Recommendations, Actions and Next Steps

  1. Strengthen Patch Management and Vulnerability Mitigation

    • Implement a rigorous, continuous patch management program using industry-standard tools such as Microsoft WSUS, System Center Configuration Manager (SCCM), or third-party solutions like Ivanti or ManageEngine. Prioritize patching of critical infrastructure and public-facing applications, especially those vulnerable to Sandworm’s exploits (e.g., Microsoft Edge vulnerabilities, T1190). Adopt frameworks such as CIS Controls v8 to guide patch prioritization and deployment.
    • Expected impact: Reduces the attack surface by closing exploitable entry points, directly mitigating Sandworm’s exploitation tactics and limiting initial access opportunities.
    • Implementation steps: Deploy automated patch management tools; establish a vulnerability management team for rapid assessment and deployment; integrate patching schedules with operational calendars to minimize downtime; conduct regular vulnerability scanning and compliance audits. Timeline: Immediate initiation with continuous cycles.
    • Challenges: Coordination across IT and OT teams, managing patch-related downtime, and ensuring compatibility with legacy or specialized systems.
    • Metrics: Reduction in open critical vulnerabilities, average time-to-patch, and decreased detection of exploitation attempts in security monitoring.
    • MITRE ATT&CK IDs: T1190
  2. Harden Active Directory (AD) Environments and Group Policy Objects (GPO)

    • Apply Microsoft’s best practices and NIST SP 800-53 controls for AD security hardening, including enforcing least privilege, implementing multi-factor authentication (MFA) for all privileged accounts, and restricting GPO modification rights. Deploy monitoring tools such as Microsoft Defender for Identity or Azure ATP to detect anomalous GPO changes and credential abuse.
    • Expected impact: Mitigates lateral movement and persistence techniques used by Sandworm (T1110, T1098), reducing the risk of credential theft and account manipulation.
    • Implementation steps: Conduct comprehensive AD security audits; implement role-based access control (RBAC) for GPO management; enable logging and alerting on critical AD changes; provide targeted training for AD administrators on secure GPO practices; regularly review and update AD permissions. Timeline: 3-6 months for full implementation with ongoing monitoring.
    • Challenges: Complexity of AD environments, potential operational disruptions from policy changes, and need for specialized cybersecurity expertise.
    • Metrics: Number of unauthorized or suspicious GPO changes detected, reduction in brute force and credential abuse incidents, and audit compliance scores.
    • MITRE ATT&CK IDs: T1110, T1098
  3. Enhance Detection and Response Capabilities for Destructive Malware and Lateral Movement

    • Deploy and fine-tune Endpoint Detection and Response (EDR) platforms such as CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne to detect behaviors associated with destructive malware (NotPetya, CaddyWiper, BlackEnergy) and lateral movement techniques including service stoppage (T1489) and data encryption for impact (T1486). Integrate threat intelligence feeds specific to Sandworm malware signatures and conduct regular threat hunting exercises. Develop and rehearse incident response playbooks tailored to destructive malware scenarios.
    • Expected impact: Enables early detection and rapid containment of destructive attacks, minimizing operational disruption and data loss.
    • Implementation steps: Integrate EDR with Security Information and Event Management (SIEM) systems; establish a dedicated threat hunting team; schedule quarterly red team exercises simulating Sandworm attack scenarios; update incident response plans to include Sandworm-specific TTPs. Timeline: 3-6 months for deployment and tuning, ongoing thereafter.
    • Challenges: Managing alert volumes and false positives, ensuring skilled personnel availability, and maintaining up-to-date threat intelligence.
    • Metrics: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to destructive malware incidents, number of successful containment actions.
    • MITRE ATT&CK IDs: T1486, T1489
  4. Increase Phishing Awareness and Implement Strong Email Security Controls

    • Enhance user training programs with frequent, realistic phishing simulations reflecting Sandworm’s evolving tactics (T1566). Deploy advanced email security solutions incorporating DMARC, DKIM, SPF, URL filtering, attachment sandboxing, and machine learning-based phishing detection. Establish clear reporting mechanisms for suspected phishing emails.
    • Expected impact: Reduces initial access vectors exploited by Sandworm, limiting successful phishing campaigns and credential theft.
    • Implementation steps: Schedule quarterly phishing simulations; update training content regularly; implement and monitor email authentication protocols; deploy email security gateways with sandboxing capabilities; track and analyze phishing incident reports. Timeline: Immediate start with continuous improvement.
    • Challenges: User engagement and training fatigue, rapidly evolving phishing techniques, and balancing security controls with user experience.
    • Metrics: Phishing simulation click rates, number of reported phishing emails, reduction in successful phishing incidents.
    • MITRE ATT&CK IDs: T1566
  5. Foster Collaboration and Intelligence Sharing with National CERTs and International Partners

    • Formalize and expand partnerships with national Computer Emergency Response Teams (CERTs), agencies such as CISA and ENISA, and international cybersecurity organizations to share timely, actionable intelligence on Sandworm’s evolving TTPs, including monitoring of subgroups like BadPilot. Participate actively in information sharing platforms such as the Cybersecurity Information Sharing Act (CISA) programs and the European Union Agency for Cybersecurity (ENISA) initiatives.
    • Expected impact: Enhances situational awareness, enables proactive defense measures, and supports coordinated responses to Sandworm campaigns.
    • Implementation steps: Establish Memoranda of Understanding (MOUs) for information sharing; assign liaison officers; participate in joint threat intelligence exercises; integrate shared intelligence into security operations workflows. Timeline: Initiate within 3 months, ongoing collaboration.
    • Challenges: Managing sensitive information, building trust among partners, and aligning operational priorities.
    • Metrics: Frequency and quality of intelligence exchanges, number of joint alerts and advisories issued, and effectiveness of coordinated incident responses.
    • MITRE ATT&CK IDs: N/A
  6. Establish Forward-Looking Threat Monitoring and AI-Driven Analytics

    • Invest in advanced analytics platforms incorporating AI and machine learning to detect emerging Sandworm TTPs and anomalous behaviors indicative of evolving threats. Continuously update detection models with the latest threat intelligence and conduct predictive threat modeling to anticipate Sandworm’s next moves.
    • Expected impact: Improves early warning capabilities and adaptive defense posture against Sandworm’s innovation in evasion and persistence.
    • Implementation steps: Evaluate and deploy AI-driven security analytics tools; integrate with existing SIEM and EDR systems; train analysts on interpreting AI-generated alerts; establish feedback loops for continuous model refinement. Timeline: 6-12 months for deployment and tuning.
    • Challenges: High initial investment, need for skilled data scientists and analysts, and managing false positives.
    • Metrics: Detection rate of novel threats, reduction in undetected intrusions, and analyst efficiency improvements.
    • MITRE ATT&CK IDs: N/A
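Recommendation 4 names the email authentication controls (SPF, DMARC, DKIM) but not what "weak" looks like on the wire. The following checker is an added example, not code from the AlphaHunt report: it takes SPF and DMARC TXT records as strings for two hypothetical domains (weak.example and hardened.example, both constructed), flags the settings that leave a domain spoofable (an SPF record ending in +all, a DMARC policy of p=none, no rua= reporting address, relaxed alignment), and returns nothing for the hardened pair so the two records can be read side by side. DKIM is left out because verifying it needs a known selector; a real deployment would resolve the records from DNS rather than embed them.

```python
import re

# Constructed sample TXT records for two hypothetical domains. A production
# checker would resolve these from DNS (the TXT record at _dmarc.<domain> for
# DMARC); they are inline here so the example runs offline.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@hardened.example; "
                  "ruf=mailto:dmarc-ruf@hardened.example; adkim=s; aspf=s; pct=100"),
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Findings for one SPF record; an empty list means nothing weak was found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif last == "?all":
        findings.append("SPF ends in ?all: neutral result, spoofed mail is not rejected")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail); -all is the strict form")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; over 10 yields permerror")
    return findings


def check_dmarc(record):
    """Findings for one DMARC record; an empty list means nothing weak was found."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never enforced")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once aggregate reports are clean")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so no visibility")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of the mail stream")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        findings.append("DMARC alignment relaxed for both DKIM and SPF; adkim=s/aspf=s is stricter")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Run both checks for a domain in the record set."""
    rec = records[domain]
    return {"spf": check_spf(rec["spf"]), "dmarc": check_dmarc(rec["dmarc"])}


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        result = assess_domain(domain)
        print(domain, "OK" if not (result["spf"] or result["dmarc"]) else result)
```

The findings map onto the metrics in recommendation 4: a domain whose DMARC record sits at p=none will never see "reduction in successful phishing incidents" from authentication alone, because receivers are told only to report lookalike mail, not to reject it.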

Suggested Pivots

  1. How have specific geopolitical events, such as Russia’s 2022 full-scale invasion of Ukraine and subsequent Western sanctions, directly influenced the evolution of Sandworm’s TTPs, particularly in the deployment of zero-day exploits and destructive malware against critical infrastructure sectors like energy and transportation? Understanding this will clarify how geopolitical pressures shape operational shifts and help anticipate future attack vectors.

  2. What are the distinct operational roles, capabilities, and coordination mechanisms of Sandworm’s subgroups, including BadPilot, within the GRU’s cyber warfare apparatus, and how do these subgroups integrate with other Russian APT groups like Fancy Bear to conduct multi-faceted campaigns? Detailed mapping of these relationships can inform targeted disruption strategies.

  3. How effective are current detection and mitigation strategies—specifically Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and threat intelligence sharing—in protecting critical infrastructure sectors such as power grids and industrial control systems from Sandworm’s destructive malware and lateral movement techniques? Identifying gaps will guide resource allocation and technology investments.

  4. What are the unique indicators of compromise (IOCs), behavioral patterns, and phishing tactics employed by Sandworm, and how can these be operationalized through MITRE ATT&CK mappings and threat intelligence platforms to enhance early detection and user awareness programs? This will improve proactive defense and reduce initial access success rates.

  5. How can existing international collaboration frameworks, such as FIRST and CISA’s Joint Cyber Defense Collaborative (JCDC), be evaluated and optimized to improve real-time intelligence sharing and coordinated response to Sandworm’s campaigns targeting allied nations’ critical infrastructure and government sectors? Establishing measurable metrics for information exchange frequency, timeliness, and incident response effectiveness will strengthen collective defense.


Forecast

Short-Term Forecast (3-6 months)

  1. Intensified Destructive Cyberattacks on Ukrainian and Allied Critical Infrastructure

    • Sandworm, including its BadPilot subgroup, will escalate destructive operations targeting Ukrainian critical infrastructure and extend sabotage efforts to Western countries supporting Ukraine. This will likely involve deployment of advanced destructive malware such as CaddyWiper and exploitation of zero-day vulnerabilities in public-facing applications like Microsoft Edge.
    • Examples:
      • The 2015-2016 Ukrainian power grid attacks and 2017 NotPetya campaign demonstrate Sandworm’s capability for large-scale disruption.
      • The May 2025 ESET report highlights recent destructive wiper deployments in Ukraine, signaling ongoing escalation.
    • Impact and Action: Organizations in energy, transportation, and industrial control sectors should prioritize patching and monitoring for destructive malware indicators. Proactively ask: Are incident response plans updated to handle destructive malware scenarios?
    • What to watch out for:
      • Emergence of new zero-day exploits targeting critical infrastructure software
      • Increased phishing campaigns targeting energy and transportation sectors
      • Alerts related to destructive malware behaviors (T1486, T1489)
  2. Persistent Credential Theft and Phishing Campaigns Targeting Western Governments and Technology Sectors

    • Sandworm will continue sophisticated phishing and brute-force attacks to maintain persistent access in government, technology, and economic sectors of the US, UK, Canada, and Australia. Credential theft and account manipulation will remain central to lateral movement and espionage.
    • Examples:
      • BadPilot’s multi-year global access campaigns documented by Microsoft in 2025
      • Historical use of phishing and brute force in Ukrainian power grid attacks
    • Impact and Action: Organizations should evaluate and enhance phishing simulation programs and enforce multi-factor authentication (MFA) for all privileged accounts. Proactively ask: Are current user training and email security controls aligned with Sandworm’s evolving phishing tactics?
    • What to watch out for:
      • Spike in phishing attempts mimicking trusted entities
      • Anomalous Active Directory Group Policy Object changes indicating credential abuse
  3. Expansion of Initial Access Operations via Exploitation of Public-Facing Applications

    • The BadPilot subgroup will intensify initial access operations globally, focusing on critical infrastructure and technology sectors, exploiting vulnerabilities in public-facing applications to establish footholds.
    • Examples:
      • Microsoft’s 2025 report on BadPilot’s use of Microsoft Edge zero-day exploits
    • Impact and Action: Critical infrastructure operators should implement rigorous patch management and vulnerability scanning focused on public-facing applications. Proactively ask: Are patching cycles optimized to rapidly address zero-day vulnerabilities?
    • What to watch out for:
      • Detection of exploitation attempts against public-facing applications
      • Increased reconnaissance and scanning activities targeting critical infrastructure networks
  4. Strengthened Western Defensive Posture and Intelligence Sharing

    • Western countries will enhance patch management, Active Directory hardening, and deploy advanced Endpoint Detection and Response (EDR) solutions. Intelligence sharing and coordinated incident response efforts will increase, focusing on early detection of Sandworm’s malware families and subgroups.
    • Examples:
      • UK NCSC and US CISA advisories promoting collaboration and mitigation strategies
      • Adoption of AI-driven analytics for threat detection as reported by Trend Micro 2024
    • Impact and Action: Security teams should integrate threat intelligence feeds and conduct regular threat hunting exercises targeting Sandworm TTPs. Proactively ask: Is intelligence sharing with national CERTs and international partners fully operational and timely?
    • What to watch out for:
      • Increased joint advisories and threat intelligence reports
      • Deployment of new detection rules targeting Sandworm TTPs
  5. Emergence of Novel Sandworm Malware Variants and Evasion Techniques

    • Sandworm will innovate new malware variants and evasion tactics to circumvent enhanced defenses, including AI-driven anomaly evasion and modular malware capable of dynamic payload delivery.
    • Examples:
      • Evolution from BlackEnergy to CaddyWiper and BackOrder malware families
      • Increasing use of custom backdoors and stealth techniques
    • Impact and Action: Organizations should invest in AI-driven security analytics and update detection models continuously. Proactively ask: Are current detection capabilities adaptive enough to identify novel malware behaviors?
    • What to watch out for:
      • Discovery of novel malware signatures linked to Sandworm
      • Reports of evasion of MFA or advanced endpoint protections
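The short-term forecast tells defenders to watch for "alerts related to destructive malware behaviors (T1486, T1489)" without saying what telemetry produces them. The rules below are an added example, not code from the AlphaHunt report: they run over constructed process-creation events in the shape a parsed Sysmon event ID 1 gives (timestamp, host, user, parent image, command line; hosts and accounts are made up) and raise two kinds of alert. One fires on commands that remove recovery options (shadow-copy deletion, backup catalog deletion, disabling Windows recovery), which ATT&CK files under T1490 Inhibit System Recovery and which in wiper and ransomware intrusions run immediately before the T1486 encryption the report names. The other fires on T1489 only when one parent process issues a burst of service stops within a short window, so an administrator restarting a single service does not page anyone. The threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, user, parent image, command line).
# Shape follows a parsed Sysmon event ID 1; none of this is real telemetry.
SAMPLE_EVENTS = [
    ("2025-06-01T02:14:01", "srv-fs01", "CORP\\svc-backup", "backup.exe", "vssadmin list shadows"),
    ("2025-06-01T02:14:03", "srv-fs01", "CORP\\svc-backup", "backup.exe", "vssadmin delete shadows /all /quiet"),
    ("2025-06-01T02:14:04", "srv-fs01", "CORP\\svc-backup", "backup.exe", "wbadmin delete catalog -quiet"),
    ("2025-06-01T02:14:05", "srv-fs01", "CORP\\svc-backup", "backup.exe", "bcdedit /set {default} recoveryenabled no"),
    ("2025-06-01T02:14:06", "srv-fs01", "CORP\\svc-backup", "backup.exe", "net stop MSSQLSERVER /y"),
    ("2025-06-01T02:14:06", "srv-fs01", "CORP\\svc-backup", "backup.exe", "net stop SQLWriter /y"),
    ("2025-06-01T02:14:07", "srv-fs01", "CORP\\svc-backup", "backup.exe", "sc stop VSS"),
    ("2025-06-01T02:14:07", "srv-fs01", "CORP\\svc-backup", "backup.exe", "sc stop wuauserv"),
    ("2025-06-01T02:14:08", "srv-fs01", "CORP\\svc-backup", "backup.exe", "net stop BITS /y"),
    # Benign: an administrator bouncing one service during the working day.
    ("2025-06-01T09:30:00", "ws-admin7", "CORP\\jdoe", "cmd.exe", "net stop Spooler"),
    ("2025-06-01T09:30:40", "ws-admin7", "CORP\\jdoe", "cmd.exe", "net start Spooler"),
]

# Commands that remove recovery options; ATT&CK files these under T1490 (Inhibit
# System Recovery), and in wiper/ransomware intrusions they run just before T1486.
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# A single service stop is routine; T1489 is the burst of them (threshold below).
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\b", re.I)

SERVICE_STOP_THRESHOLD = 3                   # distinct stop commands from one parent ...
SERVICE_STOP_WINDOW = timedelta(minutes=2)   # ... on one host within this window (assumed tuning)


def detect(events):
    """Return (technique, host, user, detail) alerts for the given events."""
    alerts = []
    stops = defaultdict(list)  # (host, user, parent) -> [(timestamp, command), ...]
    for ts_text, host, user, parent, cmd in events:
        ts = datetime.fromisoformat(ts_text)
        if any(p.search(cmd) for p in RECOVERY_INHIBIT):
            alerts.append(("T1490", host, user, f"recovery inhibited, possible T1486 precursor: {cmd}"))
        if SERVICE_STOP.search(cmd):
            stops[(host, user, parent)].append((ts, cmd))
    for (host, user, parent), seq in stops.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            burst = [c for t, c in seq[i:] if t - start <= SERVICE_STOP_WINDOW]
            if len(burst) >= SERVICE_STOP_THRESHOLD:
                alerts.append(("T1489", host, user,
                               f"{len(burst)} service stops from {parent} within {SERVICE_STOP_WINDOW}: {burst}"))
                break  # one alert per (host, user, parent) burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Run against the constructed events, the backup service account on srv-fs01 produces three T1490 alerts and one T1489 alert covering all five stops; the print-spooler restart on ws-admin7 produces none. Correlating the two alert types on the same host within minutes is the signal worth an immediate page, since it is the sequence that precedes the encryption or wiping stage rather than a symptom of it.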

Long-Term Forecast (12-24 months)

  1. Sustained and Sophisticated Cyber Sabotage Campaigns Targeting Global Critical Infrastructure

    • Sandworm will maintain and likely increase cyber sabotage against critical infrastructure worldwide, leveraging lessons from Ukraine and expanding to energy, transportation, and industrial control systems in allied countries. Integration of AI and automation will enhance attack precision and impact.
    • Examples:
      • NotPetya’s global collateral damage as a model for future campaigns
      • Trend Micro’s 2024 report on AI-enabled cyber threats
    • Impact and Action: Critical infrastructure operators must adopt zero-trust architectures and AI-enhanced defense mechanisms. Proactively ask: Are defenses prepared for AI-augmented cyberattacks?
    • What to watch out for:
      • Coordinated multi-vector attacks combining cyber and information warfare
      • Use of AI-enabled malware and autonomous attack tools
  2. Increased Operational Integration Among Russian GRU-Affiliated Cyber Groups

    • Sandworm will deepen coordination with other GRU-linked groups like Fancy Bear, sharing resources and infrastructure to conduct complex campaigns blending espionage, sabotage, and influence operations.
    • Examples:
      • Shared malware families and infrastructure between Sandworm and Fancy Bear documented by NCSC and CSIS
    • Impact and Action: Organizations should correlate threat intelligence across multiple GRU groups to detect multi-stage attacks. Proactively ask: Are detection systems capable of identifying overlapping TTPs from multiple GRU groups?
    • What to watch out for:
      • Overlapping indicators of compromise across campaigns attributed to multiple GRU groups
      • Increased sophistication in multi-stage attacks blending espionage and destructive tactics
  3. Adaptation to Advanced Defensive Technologies and Emergence of New Attack Vectors

    • As defenders adopt AI-driven analytics, zero-trust, and enhanced identity protections, Sandworm will develop stealthier persistence mechanisms, exploit supply chain vulnerabilities, and leverage insider threats to bypass hardened defenses.
    • Examples:
      • Recent supply chain attacks globally illustrate adversaries’ shift to indirect compromise
    • Impact and Action: Organizations must enhance supply chain risk management and insider threat detection. Proactively ask: Are supply chain security and insider threat programs mature and integrated with threat intelligence?
    • What to watch out for:
      • New attack vectors exploiting software supply chains
      • Insider threat incidents linked to Sandworm or proxies
  4. Strengthened International Legal and Operational Measures Against Sandworm

    • Western and allied nations will enhance legal frameworks, sanctions, and joint cyber operations to disrupt Sandworm’s infrastructure and personnel, potentially degrading their capabilities over time.
    • Examples:
      • Past coordinated takedowns of Russian cyber infrastructure and sanctions
    • Impact and Action: Policy makers and security leaders should support international collaboration and information sharing initiatives. Proactively ask: Are partnerships with international cyber defense coalitions active and effective?
    • What to watch out for:
      • Public announcements of joint cyber operations targeting Sandworm
      • Increased diplomatic and economic pressure linked to cyber activities
  5. Potential Shift in Sandworm’s Targeting Due to Geopolitical Changes

    • Depending on geopolitical developments, Sandworm may shift focus from Ukraine and Western allies to other regions or sectors, possibly increasing espionage activities or targeting emerging technologies such as quantum computing or AI research.
    • Examples:
      • Historical shifts in targeting following geopolitical events
      • Emerging cyber espionage trends targeting advanced technology sectors
    • Impact and Action: Organizations in emerging technology sectors should heighten threat awareness and implement sector-specific defenses. Proactively ask: Are emerging technology assets adequately protected against state-sponsored espionage?
    • What to watch out for:
      • New targeting patterns in intelligence reports
      • Increased cyber activity against non-traditional sectors or regions

MITRE ATT&CK IDs

T1486, T1566, T1190, T1110, T1098, T1489, T1071, T1078, T1072, TA0040, TA0001, TA0006, G0034, S0561, S0580


Appendix

References

  1. (2025-05-20) - ESET Research APT Report: Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper
  2. (2025-02-12) - The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation - Microsoft Security Blog
  3. (2024-09-10) - Pushing the Outer Limits - Trend Micro 2024 Midyear Cybersecurity Threat Report
  4. (2024-12-15) - Russia’s Shadow War Against the West - Center for Strategic and International Studies (CSIS)
  5. (2024-10-01) - UK and allies uncover Russian military unit carrying out cyber attacks and digital sabotage - National Cyber Security Centre (NCSC)
  6. (2023-07-01) - SANS Institute: Identifying Advanced Persistent Threat Activity Through Threat-Informed Detection Engineering
  7. ENISA Threat Landscape 2023 - European Union Agency for Cybersecurity (ENISA) - https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023


AlphaHunt


(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0

MITRE ATT&CK

Techniques

  1. T1486 (Data Encrypted for Impact) – Sandworm deploys destructive malware such as NotPetya and CaddyWiper to encrypt data, disrupt operations, and cause widespread damage. The 2017 NotPetya attack resulted in billions in global business losses and critical infrastructure outages in Ukraine.

  2. T1566 (Phishing) – Sandworm uses sophisticated phishing campaigns to gain initial access and steal credentials, targeting Ukrainian users and Western government sectors.

  3. T1190 (Exploit Public-Facing Application) – Sandworm exploits vulnerabilities in public-facing applications, including Microsoft Edge zero-days, to gain initial access and escalate privileges.

  4. T1110 (Brute Force) – Sandworm has used brute force attacks against RPC authentication and Active Directory to gain access, as seen in the 2016 Ukrainian power grid attacks.

  5. T1098 (Account Manipulation) – Sandworm manipulates accounts and credentials to maintain persistence and escalate privileges within Active Directory environments.
    • Relevant for credential theft and abuse.

  6. T1489 (Service Stop) – Sandworm disrupts critical services to cause outages, notably in Ukrainian power grid sabotage operations.
    • Used in attacks on critical infrastructure.

  7. T1071 (Application Layer Protocol) – Sandworm uses application layer protocols for command and control communications to maintain covert channels.
    • Supports malware communication and control.

  8. T1078 (Valid Accounts) – Use of previously acquired legitimate credentials to maintain access and evade detection.
    • Sandworm leverages valid accounts for persistence.

  9. T1072 (Software Deployment Tools) – Use of tools like RemoteExec for agentless remote code execution and lateral movement.
    • Facilitates execution and spread within networks.

Tactics

  1. TA0040 (Impact) – Sandworm’s operations focus on causing disruption and damage through destructive malware and service stoppage.
    • Aligns with sabotage and disruption goals.

  2. TA0001 (Initial Access) – Techniques like phishing, exploitation of public-facing applications, and brute force are used to gain initial footholds.
    • Critical for campaign success.

  3. TA0006 (Credential Access) – Credential theft and manipulation support persistence and lateral movement.
    • Supports espionage and persistence.

Procedures

  1. G0034 (Sandworm Team) – Russian GRU-affiliated group responsible for destructive cyberattacks including NotPetya, BlackEnergy, and CaddyWiper malware. Their procedures include phishing, exploitation, brute force, credential theft, and destructive malware deployment.

  2. G0034 (BadPilot Subgroup) – A Sandworm subgroup specializing in initial access operations targeting critical infrastructure globally, conducting persistent access campaigns.

Software

  1. S0561 (NotPetya) – Destructive ransomware/wiper malware causing global disruption in 2017, central to Sandworm’s sabotage campaigns.

  2. S0580 (CaddyWiper) – Recent destructive wiper malware deployed by Sandworm against targets in Ukraine and the West.

  3. S0579 (BlackEnergy) – Malware toolkit used in Ukrainian power grid attacks for espionage and sabotage.

  4. S0609 (BackOrder) – Malware used in cyber espionage campaigns targeting Ukrainian users.

Mitigations

  1. M1037 (Patch Applications) – Regular patching to mitigate exploitation of public-facing applications (T1190).

  2. M1032 (User Training) – Training users to recognize phishing (T1566) reduces initial access success.

  3. M1027 (Multi-factor Authentication) – Protects accounts from brute force and credential abuse (T1110, T1098).

  4. M1047 (Account Use Policies) – Restricts and monitors account usage to detect abuse (T1078).

  5. M1050 (Network Intrusion Prevention) – Detects and blocks command and control traffic (T1071).
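As an added, constructed illustration (not from this report or any of the cited vendors) of what the account-use monitoring and destructive-behaviour detection above look like in practice, the Python below runs two detections over made-up Windows Security/System event records: a burst of failed logons followed by a success from the same source (T1110 leading into T1078), and a Service Control Manager 7036 event reporting a watched service stopped (T1489). Event IDs 4624, 4625 and 7036 are the standard Windows IDs; the thresholds, the service watchlist and every event record are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_id, account, source, detail)
SAMPLE_EVENTS = [
    ("2025-05-20T03:00:01", 4625, "svc_backup", "10.0.0.77", "bad password"),
    ("2025-05-20T03:00:02", 4625, "svc_backup", "10.0.0.77", "bad password"),
    ("2025-05-20T03:00:03", 4625, "svc_backup", "10.0.0.77", "bad password"),
    ("2025-05-20T03:00:04", 4625, "svc_backup", "10.0.0.77", "bad password"),
    ("2025-05-20T03:00:05", 4625, "svc_backup", "10.0.0.77", "bad password"),
    ("2025-05-20T03:00:40", 4624, "svc_backup", "10.0.0.77", "logon type 3"),
    ("2025-05-20T03:05:00", 4625, "jdoe", "10.0.0.12", "bad password"),   # one typo, benign
    ("2025-05-20T03:05:30", 4624, "jdoe", "10.0.0.12", "logon type 2"),
    ("2025-05-20T03:20:00", 7036, "SYSTEM", "DC01", "The Volume Shadow Copy service entered the stopped state."),
    ("2025-05-20T03:21:00", 7036, "SYSTEM", "DC01", "The Print Spooler service entered the running state."),
]

FAIL_THRESHOLD = 5                     # assumed: failed logons from one source ...
FAIL_WINDOW = timedelta(minutes=2)     # ... inside this window count as a burst
SUCCESS_GRACE = timedelta(minutes=5)   # a success this soon after the burst is suspicious
CRITICAL_SERVICES = ("Volume Shadow Copy", "Windows Defender", "Windows Event Log")  # assumed watchlist

def detect_bruteforce_then_valid_account(events):
    """T1110 followed by T1078: >= FAIL_THRESHOLD 4625s from one source within
    FAIL_WINDOW, then a 4624 from the same source within SUCCESS_GRACE."""
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of failed logons seen so far
    for ts, eid, account, source, _ in sorted(events):
        t = datetime.fromisoformat(ts)
        if eid == 4625:
            failures[source].append(t)
        elif eid == 4624 and source in failures:
            recent = [f for f in failures[source] if t - f <= FAIL_WINDOW + SUCCESS_GRACE]
            if len(recent) >= FAIL_THRESHOLD and recent[-1] - recent[0] <= FAIL_WINDOW:
                alerts.append((source, account, ts))
    return alerts

def detect_critical_service_stop(events):
    """T1489: Service Control Manager 7036 reporting a watched service entering the stopped state."""
    return [(source, ts, detail) for ts, eid, _, source, detail in events
            if eid == 7036 and "stopped state" in detail
            and any(svc in detail for svc in CRITICAL_SERVICES)]

if __name__ == "__main__":
    for alert in detect_bruteforce_then_valid_account(SAMPLE_EVENTS):
        print("T1110->T1078 suspicious logon:", alert)
    for alert in detect_critical_service_stop(SAMPLE_EVENTS):
        print("T1489 critical service stopped:", alert)
```

The single failed attempt from jdoe stays below the threshold, so only the svc_backup burst and the Volume Shadow Copy stop are reported.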

Groups

  1. G0034 Sandworm Team (APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, Iron Viking, BlackEnergy Group)

    • Russian GRU-affiliated group known for destructive cyberattacks, espionage, and sabotage targeting Ukraine and Western countries. Responsible for NotPetya, BlackEnergy, CaddyWiper, and BackOrder malware campaigns.
    • Supported by: NCSC Advisory (2024); ESET Report (2025)
  2. G0007 Fancy Bear (APT28, Sofacy, STRONTIUM)

    • GRU-linked group sharing malware families and infrastructure with Sandworm, engaged in espionage and cyber operations aligned with Russian state interests.
  3. G0032 Lazarus Group

    • North Korean group with similar destructive malware and sabotage goals, providing comparative insight into destructive cyber operations.
