Sandworm’s Evolving Playbook: Destructive Malware, BadPilot Subgroup, and the Escalating Threat to Global Critical Infrastructure



Get questions like this:

  1. What do you know about Sandworm?
  2. How does Sandworm's operational focus and targeting evolve in response to geopolitical events, particularly in Eastern Europe?
  3. How do interagency dynamics within Russian intelligence and military cyber units affect the coordination and effectiveness of Sandworm's operations?

Does it take chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes. It is meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.



Suggested Pivot

  1. How have specific geopolitical events, such as Russia’s 2022 full-scale invasion of Ukraine and subsequent Western sanctions, directly influenced the evolution of Sandworm’s TTPs, particularly in the deployment of zero-day exploits and destructive malware against critical infrastructure sectors like energy and transportation? Understanding this will clarify how geopolitical pressures shape operational shifts and help anticipate future attack vectors.

TL;DR

Key Points

    • Sandworm (GRU Unit 74455) is intensifying destructive cyber operations, especially against Ukrainian and Western critical infrastructure, leveraging advanced malware (e.g., CaddyWiper, NotPetya) and zero-day exploits.
    • Immediate focus should be on patch management, Active Directory hardening, and detection of destructive malware behaviors.
    • The BadPilot subgroup (Microsoft's name for an initial-access subgroup of Seashell Blizzard, Microsoft's name for Sandworm itself) specializes in initial access operations, exploiting vulnerabilities in public-facing applications and conducting persistent credential theft and phishing campaigns globally.
    • Organizations must prioritize monitoring for initial access TTPs (T1190, T1566) and enforce MFA and robust email security.
    • Sandworm adapts rapidly to geopolitical events, innovating with modular malware, AI-driven evasion, and supply chain attacks, while coordinating with other GRU-linked APTs (e.g., Fancy Bear).
    • Threat intelligence sharing and AI-driven analytics are critical for early detection and adaptive defense.
    • Western defensive postures are strengthening, but Sandworm is expected to escalate both the sophistication and scope of attacks, including targeting emerging technology sectors.
    • Cross-sector collaboration, regular threat hunting, and scenario-based incident response exercises are essential.

Executive Summary

Sandworm, a Russian GRU-affiliated cyber threat group (Unit 74455), continues to escalate its offensive cyber operations, with a primary focus on Ukraine and Western allies. The group is notorious for high-impact attacks such as the 2015-2016 Ukrainian power grid blackouts and the 2017 NotPetya campaign, and has recently intensified destructive campaigns using wipers such as CaddyWiper alongside loaders such as BackOrder. Sandworm's operations are closely aligned with Russian geopolitical objectives, targeting critical infrastructure, government, arms manufacturing, and technology sectors.

The BadPilot subgroup of Seashell Blizzard (Microsoft's name for Sandworm) has emerged as a key operational unit, specializing in initial access through exploitation of vulnerabilities in public-facing servers (notably Microsoft Exchange), persistent credential theft, and sophisticated phishing. These campaigns are global in scope, with persistent targeting of the US, UK, Canada, and Australia.

Sandworm's TTPs include destructive malware deployment (T1485, T1486, T1489), phishing (T1566), exploitation of vulnerabilities (T1190), brute force (T1110), and abuse of Active Directory Group Policy to push payloads domain-wide (T1484.001). The group demonstrates rapid adaptation to defensive measures and geopolitical shifts, innovating with modular malware, AI-driven evasion, and supply chain attack vectors. Operational integration with other GRU-linked APTs (e.g., Fancy Bear) increases the complexity and persistence of campaigns.

Short-term forecasts indicate a likely escalation of destructive attacks on Ukrainian and allied critical infrastructure, persistent credential theft/phishing, and the emergence of novel malware variants. Long-term, Sandworm is expected to sustain and expand sabotage campaigns, deepen operational integration with other Russian APTs, and adapt to advanced defensive technologies by exploiting new attack vectors, including supply chain and insider threats.

Actionable recommendations include rigorous patch management, Active Directory hardening, advanced EDR deployment, enhanced phishing awareness, and robust intelligence sharing with national and international partners. AI-driven analytics and continuous threat hunting are essential to detect evolving Sandworm TTPs. Organizations in critical infrastructure and emerging technology sectors should prepare for increasingly sophisticated, multi-vector attacks and ensure incident response plans are tailored to destructive malware scenarios.


Attribution

Historical Context

Sandworm is a Russian state-sponsored cyber threat group linked to the GRU (Russian military intelligence, Military Unit 74455). It surfaced publicly around 2014 and is infamous for disruptive cyberattacks, especially targeting Ukraine and Western countries. Notable operations include the 2015-2016 Ukrainian power grid attacks causing blackouts and the 2017 NotPetya malware attack, which caused widespread global damage. Sandworm’s operations align with Russian geopolitical objectives, focusing on cyber espionage, sabotage, and information warfare.

Timeline

  • 2014: Emergence of Sandworm’s cyber operations, including attacks on Ukrainian infrastructure.
  • 2015-2016: Ukrainian power grid attacks causing blackouts.
  • 2017: Deployment of NotPetya malware causing global collateral damage.
  • 2023-2025: Continued campaigns, including the BadPilot subgroup targeting critical infrastructure worldwide.
  • Ongoing: Adaptation of tactics and expansion of targets in response to geopolitical developments and internal Russian cyber unit dynamics.

Origin

Attributed to the Russian GRU, specifically Military Unit 74455, Sandworm operates as a military cyberwarfare unit conducting offensive cyber operations in support of Russian state interests. It shares resources and tactics with other GRU-affiliated groups.

Countries Targeted

  1. Ukraine – Primary target for disruptive attacks on critical infrastructure and military.
  2. United States – Targeted for espionage and credential theft.
  3. United Kingdom – Targeted for espionage and data theft.
  4. Canada – Targeted for espionage and initial access operations.
  5. Australia – Targeted for espionage and credential theft.

Sectors Targeted

  1. Arms Manufacturing – Espionage and intelligence gathering.
  2. Critical Infrastructure – Power grids and industrial control systems targeted for sabotage.
  3. Government – Espionage and information operations.
  4. Technology – Targeted for initial access and persistence.
  5. Economic Sectors – Espionage and disruption.

Motivation

Sandworm’s motivation is geopolitical, supporting Russian state objectives through cyber espionage, sabotage, and information warfare. The group aims to destabilize adversaries, gather intelligence, and project power, especially in Ukraine and Western countries.

Attack Types

Sandworm employs:

  • Cyber espionage via credential theft and persistent access.
  • Destructive malware deployment (NotPetya, CaddyWiper, BlackEnergy) and supporting loaders (BackOrder).
  • Sabotage of critical infrastructure (Ukrainian power grid attacks).
  • Exploitation of software vulnerabilities in internet-facing servers (e.g., Microsoft Exchange).
  • Brute force attacks and abuse of Active Directory Group Policy Objects for lateral movement.
  • Use of backdoors and custom malware toolkits.
  • Phishing campaigns for initial access.

Relevant MITRE ATT&CK techniques include:

  • T1485: Data Destruction and T1561: Disk Wipe (CaddyWiper; the disk-wiping component of NotPetya)
  • T1486: Data Encrypted for Impact (NotPetya's ransomware facade)
  • T1566: Phishing
  • T1190: Exploit Public-Facing Application (e.g., Microsoft Exchange vulnerabilities exploited by the BadPilot subgroup)
  • T1110: Brute Force
  • T1071: Application Layer Protocol (for command and control)
  • T1484.001: Domain Policy Modification: Group Policy Modification (pushing wipers through Active Directory GPOs)
  • T1098: Account Manipulation (keeping hold of compromised accounts)
  • T1489: Service Stop (stopping services so their files can be overwritten)
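The GPO-driven wiper push and service-stop behaviours mapped above (T1484.001, T1489, T1485) are the part of this playbook a detection engineer can hunt for directly. What follows is an added example, not code from the original report or from any vendor: a small Python detector run over constructed Windows event records (Security log 5136 and 4688, Sysmon 11) in a simplified field schema assumed for this example. It correlates a Group Policy object change with a scheduled-task file written to SYSVOL shortly afterwards, counts service-stop commands per host, flags shadow-copy deletion, and flags the same share-hosted binary launching across several hosts. Host names, the GPO GUID, user names and the file name update.exe are all constructed.

```python
"""Correlate Windows event records for the GPO-driven wiper deployment pattern.

Added example, not code from the original report. The record layout (ts, host,
event_id, fields) is a simplified schema assumed for this example; the event IDs
are real (Security 5136 = directory service object modified, Security 4688 =
process creation, Sysmon 11 = file create) but field names are normalised rather
than copied from any particular SIEM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A GPO payload written to SYSVOL: an immediate scheduled task or a machine script.
GPO_TASK_PATH = re.compile(
    r"\\Policies\\\{[0-9A-Fa-f-]+\}\\Machine\\(Preferences\\ScheduledTasks|Scripts)\\", re.I)
# `net stop` / `sc stop` used to release file locks before wiping (T1489).
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)
# Shadow copy removal to defeat recovery (T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# A binary launched straight from the domain's SYSVOL or NETLOGON share.
SHARE_EXEC = re.compile(r"^\\\\[^\\]+\\(SYSVOL|NETLOGON)\\", re.I)

# Constructed telemetry (not real logs): a GPO edit on DC01, a task file in
# SYSVOL, then workstations stopping services, deleting shadow copies and
# running the same share-hosted binary. Hosts, GUID and update.exe are made up.
SYSVOL_BIN = r"\\corp.local\SYSVOL\corp.local\scripts\update.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-04-08T05:10:02", "host": "DC01", "event_id": 5136,
     "fields": {"ObjectClass": "groupPolicyContainer",
                "AttributeLDAPDisplayName": "versionNumber",
                "SubjectUserName": "svc_backup"}},
    {"ts": "2024-04-08T05:10:05", "host": "DC01", "event_id": 11,
     "fields": {"TargetFilename": r"\\corp.local\SYSVOL\corp.local\Policies"
                r"\{7B3F0A1E-2C4D-4E5F-9A1B-0C2D3E4F5A6B}\Machine\Preferences"
                r"\ScheduledTasks\ScheduledTasks.xml"}},
    {"ts": "2024-04-08T05:11:00", "host": "FS01", "event_id": 11,
     "fields": {"TargetFilename": r"C:\Users\alice\Documents\q2-report.docx"}},
    {"ts": "2024-04-08T05:12:30", "host": "WS-042", "event_id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\net.exe",
                "CommandLine": "net stop MSSQLSERVER /y"}},
    {"ts": "2024-04-08T05:12:31", "host": "WS-042", "event_id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\sc.exe",
                "CommandLine": "sc stop MSExchangeIS"}},
    {"ts": "2024-04-08T05:12:32", "host": "WS-042", "event_id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\net.exe",
                "CommandLine": "net stop VSS /y"}},
    {"ts": "2024-04-08T05:13:00", "host": "WS-042", "event_id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin delete shadows /all /quiet"}},
    {"ts": "2024-04-08T05:13:30", "host": "WS-042", "event_id": 4688,
     "fields": {"NewProcessName": SYSVOL_BIN, "CommandLine": SYSVOL_BIN}},
    {"ts": "2024-04-08T05:13:35", "host": "WS-017", "event_id": 4688,
     "fields": {"NewProcessName": SYSVOL_BIN, "CommandLine": SYSVOL_BIN}},
    {"ts": "2024-04-08T05:13:40", "host": "WS-101", "event_id": 4688,
     "fields": {"NewProcessName": SYSVOL_BIN, "CommandLine": SYSVOL_BIN}},
    # A lone service stop by an admin: below threshold, no alert.
    {"ts": "2024-04-08T05:20:00", "host": "WS-007", "event_id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\net.exe",
                "CommandLine": "net stop spooler"}},
]


def analyze(events, window_minutes=15, stop_threshold=3, fanout_hosts=3):
    """Return (technique, host, detail) alerts in timestamp order."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    gpo_edits = []                  # (ts, user) for groupPolicyContainer changes
    stops = defaultdict(list)       # host -> timestamps of recent service-stop commands
    launched_on = defaultdict(set)  # share-hosted binary -> hosts that ran it

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, eid, f = ev["host"], ev["event_id"], ev["fields"]

        if eid == 5136 and f.get("ObjectClass") == "groupPolicyContainer":
            gpo_edits.append((ts, f.get("SubjectUserName", "?")))

        elif eid == 11 and GPO_TASK_PATH.search(f.get("TargetFilename", "")):
            # A task push needs both the AD object edit and the SYSVOL payload;
            # only alert when the file lands within the window after an edit.
            recent = [u for t, u in gpo_edits if timedelta(0) <= ts - t <= window]
            if recent:
                alerts.append(("T1484.001", host,
                               f"GPO edited by {recent[-1]}, then task file written: "
                               f"{f['TargetFilename']}"))

        elif eid == 4688:
            cmd, exe = f.get("CommandLine", ""), f.get("NewProcessName", "")
            if SERVICE_STOP.search(cmd):
                stops[host] = [t for t in stops[host] if ts - t <= window] + [ts]
                if len(stops[host]) == stop_threshold:  # fire once per burst
                    alerts.append(("T1489", host,
                                   f"{stop_threshold} service-stop commands in {window_minutes} min"))
            if SHADOW_DELETE.search(cmd):
                alerts.append(("T1490", host, cmd))
            if SHARE_EXEC.match(exe):
                launched_on[exe.lower()].add(host)
                if len(launched_on[exe.lower()]) == fanout_hosts:
                    alerts.append(("T1485", "*",
                                   f"{exe} launched on {fanout_hosts} hosts from the domain share"))
    return alerts


if __name__ == "__main__":
    for technique, host, detail in analyze(SAMPLE_EVENTS):
        print(f"{technique:10} {host:7} {detail}")
```

The GPO rule deliberately requires both halves of the push (the 5136 object change and the file under Machine\Preferences\ScheduledTasks or Machine\Scripts) so that routine SYSVOL writes alone do not fire; dropping the 5136 record from the sample removes that alert while the per-host and fan-out rules still trigger. In production the same logic runs over the real Security and Sysmon channels, and the thresholds should be tuned against baseline admin activity.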

Evolution and Geopolitical Context

Sandworm's operations have evolved in response to key geopolitical events such as Russia's 2014 annexation of Crimea and the 2022 full-scale invasion of Ukraine. These events intensified Sandworm's focus on Ukrainian critical infrastructure and expanded its targeting to Western allies supporting Ukraine. The group has adapted by developing more sophisticated malware (e.g., CaddyWiper) and exploiting vulnerabilities in internet-facing servers (e.g., Microsoft Exchange) to gain and maintain persistent access and increase operational impact. Interagency dynamics within Russian intelligence and military cyber units have led to subgroups like BadPilot (tracked by Microsoft as part of Seashell Blizzard), specializing in initial access operations to support broader Sandworm campaigns. Western sanctions and increased cyber defenses have pushed Sandworm to innovate in evasion and persistence techniques.

Known Aliases

  • APT44
  • Telebots
  • Voodoo Bear
  • IRIDIUM
  • Seashell Blizzard
  • Iron Viking
  • BlackEnergy Group

Similar Threat Actor Groups

  • Fancy Bear (APT28, Sofacy, STRONTIUM): GRU-linked group with shared resources and goals; both units sit under the GRU and are reported to share malware families and infrastructure.
  • Turla: Russian espionage group with advanced capabilities and overlapping tactics such as spearphishing and custom malware.
  • Lazarus Group: Known for destructive malware and sabotage.

Breaches Involving This Threat Actor

Sandworm is known for persistent access campaigns and credential theft in the US, UK, Canada, and Australia. Recent campaigns include the BadPilot subgroup’s multi-year global access operations targeting critical sectors, but no specific public data breach with detailed leaks has been attributed recently.


Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)

Read more