Key Takeaways
1. Sandworm: Emergence as Russian Espionage
He called the group Sandworm.
Early signs. In 2014, cybersecurity firm iSight Partners discovered a sophisticated hacking campaign that used a zero-day exploit delivered through malicious PowerPoint attachments (CVE-2014-4114, a flaw in how Windows handled embedded OLE objects) to drop a variant of the BlackEnergy malware. The lures, such as a list of "terrorists" laid over a Ukrainian flag, pointed to political targeting. Analysis of a misconfigured command-and-control server turned up operator instructions written in Russian.
Dune references. Further investigation by analyst Drew Robinson uncovered campaign codes like "arrakis02" and "houseatreides94" within the malware, revealing the hackers' unusual obsession with Frank Herbert's sci-fi epic "Dune." These unique fingerprints allowed researchers to link disparate attacks dating back to 2009, targeting:
- Ukrainian government and media
- Polish energy companies
- NATO-related events
- American academics focused on Russia
Identifying the threat. This long-running, sophisticated espionage campaign, with clear Russian fingerprints and a focus on geopolitical targets, led iSight to name the group Sandworm. While initially seen as state-sponsored spying, hints of infrastructure targeting soon suggested a more dangerous evolution.
2. Escalation: Targeting Critical Infrastructure
Intelligence-gathering operations don’t break into industrial control systems.
Beyond espionage. Shortly after iSight's discovery, Trend Micro researcher Kyle Wilhoit found a connection between Sandworm's infrastructure and a file designed for General Electric's Cimplicity industrial control system (ICS) software. This suggested Sandworm was probing systems that control physical machinery, moving beyond data theft to potential sabotage.
Reconnaissance for attack. This finding was confirmed by the Department of Homeland Security's ICS-CERT, which reported Sandworm had built tools for hacking ICS software from GE, Siemens, and Advantech/Broadwin. These intrusions, dating back to 2011, targeted critical infrastructure, including American utilities.
- ICS (industrial control systems) run power grids, water plants, factories and similar physical processes.
- An "air gap" is supposed to separate these systems from the internet; in practice they are frequently reachable through the business network, vendor remote-access links or internet-exposed HMIs.
- Sandworm's probes suggested it was bridging the digital and the physical.
A new era. For analysts like John Hultquist, this shifted the understanding of Sandworm from cyberspying to cyberwar reconnaissance. The group was mapping out critical systems, potentially preparing for attacks with physical consequences, a threat far more immediate than traditional espionage.
3. Ukraine: The Cyberwar Test Lab
After years of lurking, spying, building their capabilities, and performing reconnaissance work, Sandworm had taken the step that no other hackers had ever dared to: They’d caused an actual blackout, indiscriminately disrupting the physical infrastructure of hundreds of thousands of civilians.
First blackout. On December 23, 2015, Sandworm attacked three regional power distribution companies in western Ukraine, cutting electricity to nearly a quarter-million people for up to six hours. The intrusion had begun months earlier with phishing emails carrying BlackEnergy; the attackers harvested credentials, worked their way from the corporate networks into the control networks, then used hijacked remote-access sessions to drive the operators' own HMI software and open breakers at dozens of substations, wiping workstations with KillDisk on the way out.
Escalating attacks. This marked the first known hacker-induced blackout and a significant escalation in Russia's ongoing hybrid war against Ukraine, which included:
- Physical invasion and conflict in the east
- Disinformation campaigns
- Cyberattacks on government, media, and finance
Second blackout. A year later, on December 17, 2016, Sandworm hit Ukrenergo's Pivnichna transmission substation north of Kiev, blacking out part of the city for about an hour. The 2015 operators had opened breakers by hand through hijacked sessions; this time the breakers were tripped by malware written to speak directly to the substation equipment, and one of its modules was built to knock the protective relays offline. Ukraine had become a testing ground for cyberwar tactics.
4. Industroyer/Crash Override: The Automated Blackout Weapon
This was the first piece of malware to cause disruption to civilian infrastructure.
Uncovering the tool. Forensic analysis of the 2016 Kiev blackout by researchers like Anton Cherepanov at ESET revealed a new, highly sophisticated malware payload. Named Industroyer (by ESET) or Crash Override (by Dragos), this code was designed to directly interact with industrial control systems.
Automated sabotage. Unlike the 2015 attack, in which operators clicked through hijacked sessions, Industroyer could automatically:
- Discover and map industrial equipment on the control network
- Communicate using multiple ICS protocols (modules for IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA)
- Send commands to open circuit breakers, repeating them so that operators could not simply close the breakers again
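Industroyer's IEC 104 module worked by sending ordinary, well-formed control commands to the substation's remote terminal units; the protocol has no authentication, so nothing on the wire distinguishes an attacker's "open breaker" from an operator's. The following is an added example for this summary, not code from the book or from any Industroyer sample: a small parser that decodes IEC 60870-5-104 APDUs and raises an alert on single or double commands that switch a point OFF. The frames are constructed test data, not captured traffic, and the mapping "OFF means open" for the device at common address 1 is an assumption made for the example.

```python
"""Detect IEC 60870-5-104 control commands in captured APDUs.

Added example for this summary, not code from the book or from any
Industroyer sample. The byte strings below are constructed test frames,
not captured traffic. It assumes the standard IEC 104 layout: a 6-byte
APCI (0x68, length, four control-field octets) followed by an ASDU with a
2-byte cause of transmission and a 2-byte common address.
"""
from typing import Dict, List

# ASDU type identifiers that carry control commands (IEC 60870-5-101 type IDs).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission "activation"


def parse_apdu(frame: bytes) -> Dict:
    """Parse one I-format APDU and return its ASDU header fields.

    Raises ValueError for frames that are not well-formed I-format APDUs.
    """
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    apdu_len = frame[1]
    if apdu_len + 2 != len(frame):
        raise ValueError(f"length field {apdu_len} does not match frame size {len(frame)}")
    control = frame[2:6]
    if control[0] & 0x01:
        # S-format (bit0=1, bit1=0) and U-format (bit0=1, bit1=1) carry no ASDU.
        raise ValueError("not an I-format APDU; no ASDU present")
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    vsq = asdu[1]
    return {
        "type_id": asdu[0],
        "num_objects": vsq & 0x7F,
        "sequence": bool(vsq & 0x80),  # SQ bit: 1 = contiguous IOAs, one address
        "cot": asdu[2] & 0x3F,         # low 6 bits; bits 6/7 are the P/N and T flags
        "common_addr": int.from_bytes(asdu[4:6], "little"),
        "objects": asdu[6:],
    }


def extract_commands(frame: bytes) -> List[Dict]:
    """Return the control commands carried by one APDU (empty if none)."""
    try:
        asdu = parse_apdu(frame)
    except ValueError:
        return []
    if asdu["type_id"] not in COMMAND_TYPES or asdu["sequence"]:
        return []  # commands are sent with SQ=0, one IOA per information object
    elem_len = 1 + 7 if asdu["type_id"] in (58, 59) else 1  # qualifier (+ CP56Time2a)
    body = asdu["objects"]
    commands = []
    for i in range(asdu["num_objects"]):
        obj = body[i * (3 + elem_len):(i + 1) * (3 + elem_len)]
        if len(obj) < 3 + elem_len:
            break
        qualifier = obj[3]
        if asdu["type_id"] in (45, 58):
            state = "ON" if qualifier & 0x01 else "OFF"          # SCS bit
        elif asdu["type_id"] in (46, 59):
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS bits
        else:
            state = "STEP"
        commands.append({
            "type": COMMAND_TYPES[asdu["type_id"]],
            "common_addr": asdu["common_addr"],
            "ioa": int.from_bytes(obj[:3], "little"),
            "state": state,
            "phase": "select" if qualifier & 0x80 else "execute",  # S/E bit
            "activation": asdu["cot"] == COT_ACTIVATION,
        })
    return commands


# Constructed frames (not captured traffic). Assumption for this example:
# the points at common address 1 are breakers whose OFF state is "open".
SINGLE_CMD_OFF_EXECUTE = bytes.fromhex("680e00000000" "2d0106000100" "010000" "00")
DOUBLE_CMD_OFF_SELECT = bytes.fromhex("680e00000000" "2e0106000100" "020000" "81")
MEASURED_VALUE = bytes.fromhex("681200000000" "0d0103000100" "030000" "0000803f00")
S_FRAME = bytes.fromhex("6804" "01000200")


def alerts(frames: List[bytes]) -> List[str]:
    """One alert line per breaker-opening activation found across frames."""
    out = []
    for frame in frames:
        for cmd in extract_commands(frame):
            if cmd["state"] == "OFF" and cmd["activation"]:
                out.append(f"OPEN command: {cmd['type']} CA={cmd['common_addr']} "
                           f"IOA={cmd['ioa']} ({cmd['phase']})")
    return out


if __name__ == "__main__":
    for line in alerts([SINGLE_CMD_OFF_EXECUTE, DOUBLE_CMD_OFF_SELECT, MEASURED_VALUE, S_FRAME]):
        print(line)
```

A real deployment would run this over a passive tap on the control network and correlate each OPEN against the operator's own command log; an OFF activation with no matching HMI action, or a burst of them repeated at machine speed, is the Industroyer pattern. The parser deliberately ignores S- and U-format frames and measurement ASDUs so that alert volume stays tied to control actions.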
Scalable threat. This modular, automated weapon meant Sandworm could potentially cause blackouts across multiple targets simultaneously with machine speed. Its design suggested it was built for reuse and adaptation, not just in Ukraine but potentially against grids using similar equipment worldwide, including in the United States.
5. Shadow Brokers & EternalBlue: NSA Tools Unleashed
Instead of an abstract fear that U.S. cyberweapons would inspire adversaries to develop their own, America’s hacking arsenal had fallen, suddenly and directly, into enemy hands.
NSA breach. In August 2016, a mysterious group calling itself "the Shadow Brokers" claimed to have hacked the NSA's elite hacking team (known to researchers as the Equation Group) and began leaking its tools. The April 2017 dump included EternalBlue, an exploit for a flaw in Windows' SMBv1 file-sharing service that Microsoft had patched a month earlier as MS17-010.
Global impact. EternalBlue gave an attacker unauthenticated remote code execution, and with it full control, over any unpatched Windows machine exposing SMB. Although Microsoft shipped the patch after being warned by the NSA, many organizations had not applied it, and the leak put a state-grade capability into the hands of any actor who cared to download it.
WannaCry pandemic. In May 2017, the WannaCry ransomware outbreak leveraged EternalBlue to spread rapidly across the globe, encrypting hundreds of thousands of computers, including those in hospitals and major corporations. This demonstrated the immense collateral damage possible when state-developed cyberweapons are leaked and weaponized by others.
6. NotPetya: The Global Cyber-Catastrophe
To an extent never seen before or—as of this writing—since, a single surprise cyberattack took a chunk out of the foundation of civilization, from pharmaceuticals to shipping to food.
Patient zero. On June 27, 2017, Sandworm released NotPetya through the update mechanism of M.E.Doc, accounting software used by most businesses that file taxes in Ukraine; the attackers had compromised the vendor's update server and pushed a backdoored update. This supply chain attack gave them a trusted vector into thousands of networks at once.
Destructive power. NotPetya spread inside networks two ways at once: it harvested credentials from memory with a Mimikatz-derived module and reused them over PsExec and WMI, and it exploited unpatched hosts with EternalBlue (and its sibling EternalRomance). Once on a machine it overwrote the boot record and encrypted the file system's master file table, then displayed a ransom note whose "decryption key" could never work, so it was a wiper dressed as ransomware. It spread uncontrollably beyond Ukraine, crippling multinational corporations including Maersk, Merck and FedEx's TNT Express subsidiary.
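The credential-reuse leg of that spread leaves a distinctive trace: one host authenticating to many others over network logons within minutes, with a single privileged account. The following is an added example for this summary, not code from the book or from any NotPetya analysis: a sliding-window fan-out detector run over constructed Windows Security events (event ID 4624, logon type 3). The event records, the field names and the thresholds are assumptions made for the example.

```python
"""Flag lateral-movement fan-out in Windows network-logon events.

Added example for this summary, not code from the book or from any NotPetya
analysis. The event records below are constructed, not real telemetry. It
assumes events have already been collected from Security logs (event ID 4624,
logon type 3 = network logon) and normalized to the dict shape shown; the
window and threshold values are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed sample: one workstation authenticating to six hosts in 70 s with
# a service account, the pattern a PsExec/WMIC spread with stolen creds produces.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:30:00", "src": "10.0.5.23", "dst": "FS01", "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2017-06-27T10:30:05", "src": "10.0.5.23", "dst": "FS02", "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2017-06-27T10:30:11", "src": "10.0.5.23", "dst": "WS-ACCT-07", "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2017-06-27T10:30:18", "src": "10.0.5.23", "dst": "WS-ACCT-08", "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2017-06-27T10:30:40", "src": "10.0.5.23", "dst": "DC01", "user": "CORP\\svc-backup", "logon_type": 3},
    {"ts": "2017-06-27T10:31:10", "src": "10.0.5.23", "dst": "SQL01", "user": "CORP\\svc-backup", "logon_type": 3},
    # Benign noise: an admin logging on interactively, a user touching two shares.
    {"ts": "2017-06-27T10:30:30", "src": "10.0.9.4", "dst": "WS-IT-01", "user": "CORP\\jdoe", "logon_type": 2},
    {"ts": "2017-06-27T10:30:31", "src": "10.0.7.77", "dst": "FS01", "user": "CORP\\asmith", "logon_type": 3},
    {"ts": "2017-06-27T10:45:00", "src": "10.0.7.77", "dst": "FS02", "user": "CORP\\asmith", "logon_type": 3},
]


def detect_fanout(events: List[Dict], window_s: int = 120, min_targets: int = 5) -> List[Dict]:
    """Return one finding per source that reached at least min_targets distinct
    hosts over network logons inside some window_s-second sliding window.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3:
            continue  # interactive and RDP logons are a different signal
        by_src[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["dst"], ev["user"]))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        window = deque()
        best = None
        for ts, dst, user in evs:
            window.append((ts, dst, user))
            # Evict events older than window_s relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()
            targets = {d for _, d, _ in window}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {
                    "src": src,
                    "targets": sorted(targets),
                    "accounts": sorted({u for _, _, u in window}),
                    "first": window[0][0].isoformat(),
                    "last": ts.isoformat(),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_EVENTS):
        print(f"{f['src']} -> {len(f['targets'])} hosts as {f['accounts']} "
              f"between {f['first']} and {f['last']}")
```

Note the limit of this check: EternalBlue is an unauthenticated SMB exploit and produces no 4624 on the victim, so the exploit leg of NotPetya is invisible here. That leg is caught by patching MS17-010, blocking SMBv1, and watching for SMB connections between workstations, which is exactly the segmentation NotPetya's victims lacked.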
Immense cost. NotPetya caused over $10 billion in damages globally, making it the most costly cyberattack in history. Its impact disrupted global shipping, pharmaceutical manufacturing, and even hospital operations, demonstrating the interconnectedness and fragility of modern infrastructure in the face of indiscriminate digital attacks.
7. The GRU Connection: Sandworm's Identity Revealed
The GRU, it now seemed, had masterminded the first-ever hacker-induced blackouts, the plot to interfere in a U.S. presidential election, and the most destructive cyberweapon ever released.
Attribution. While Sandworm's identity remained elusive for years, forensic links and intelligence reports increasingly pointed to the Russian government. In January 2018, the CIA reportedly concluded with "high confidence" that the Russian military's Main Center for Special Technology (GTsST), part of the GRU, was behind NotPetya.
Overlapping operations. Further investigation by FireEye and the U.S. Department of Justice indictment of 12 GRU hackers in July 2018 solidified the link. Evidence showed connections between Sandworm's infrastructure and attacks attributed to Fancy Bear (also GRU), including:
- Attacks on U.S. state boards of elections
- The Olympic Destroyer malware
- The Guccifer 2.0 persona and DCLeaks
Unit 74455. The indictment named specific GRU units, including Unit 74455, linked to election interference infrastructure. FireEye researchers theorized this unit was Sandworm, suggesting a single GRU entity was responsible for both disruptive cyberwar and political influence operations.
8. Russia's Doctrine: Hybrid Warfare & Informational Confrontation
The power to destroy a thing is the absolute control over it.
Blurring lines. Russian military thinking, as articulated by General Valery Gerasimov, emphasizes blurring the lines between war and peace and using "long-distance, contactless actions" against an enemy's entire territory, including critical infrastructure. This doctrine, known as "informational confrontation," encompasses both propaganda and disruptive cyberattacks.
GRU's role. After being sidelined in the military reforms that followed Russia's 2008 war with Georgia, the GRU reinvented itself as Russia's aggressive cyber agency, applying lessons from that conflict's crude DDoS campaigns. Its culture, shaped by its spetsnaz special forces, rewards risk-taking and treats attacks on civilian infrastructure as a legitimate means of demoralizing an enemy.
Psychological objective. Sandworm's attacks, from blackouts to NotPetya, align with this doctrine. Their purpose wasn't necessarily tactical military gain but psychological impact: to destabilize Ukraine, undermine faith in its government, and demonstrate Russia's capability to inflict pain far behind the front lines.
9. The Cost of Inaction: Western Silence & Escalation
The lack of any proper response is almost an invitation to escalate more.
Delayed response. Despite repeated warnings and clear evidence of Sandworm's escalating attacks on Ukraine's critical infrastructure, including two blackouts, the U.S. and other Western governments remained largely silent for years. This was partly due to attribution challenges, but also a reluctance to escalate with Russia and a view of Ukraine as outside NATO's immediate concern.
NotPetya's catalyst. Only after NotPetya caused billions in damages globally did the U.S. and its allies publicly attribute the attack to the Russian military in February 2018. Sanctions followed, but critics argued the response was too little, too late.
Permitting escalation. This perceived impunity allowed Sandworm and other Russian hackers to continue developing and deploying dangerous capabilities. The lack of clear red lines around civilian infrastructure attacks signaled to adversaries that such actions might be tolerated, potentially fueling a global cyber arms race.
10. The New Battlefield: Distance is No Defense
In those physics, NotPetya reminds us, distance is no defense.
Interconnected vulnerability. NotPetya demonstrated that in the digital realm, geographic distance offers no protection. A vulnerability in Ukrainian accounting software could instantly cripple global shipping, pharmaceutical production, and hospitals thousands of miles away.
New physics of war. Cyberwarfare operates outside traditional physical boundaries and intuitions. Attacks can originate from unknown locations and spread uncontrollably, impacting civilian life on an unprecedented scale.
- Supply chain attacks (like M.E.Doc) offer vectors into global networks.
- Leaked tools (like EternalBlue) amplify reach and impact.
- Collateral damage is often unpredictable and widespread.
Every gate. The NotPetya pandemic highlighted that modern society's reliance on interconnected digital systems means that vulnerabilities anywhere can become threats everywhere. The "barbarian" is no longer at a distant gate but potentially already inside the network.
11. The Future: Resilience and the Need for Norms
The world needs a new, digital Geneva Convention.
Lessons learned. The Sandworm saga, culminating in NotPetya, served as a stark wake-up call about the potential for devastating cyberattacks on critical infrastructure. It highlighted the need for better defenses, but also a fundamental rethinking of security.
Beyond prevention. Experts argue that preventing every attack is impossible. Instead, focus must shift to resilience: the ability to quickly detect, respond to, and recover from intrusions. This includes:
- Better network segmentation, above all between business IT and the control networks that run physical equipment
- Reliable, offline backups that an attacker who already owns the network cannot reach or encrypt
- Manual override capabilities for critical systems (Ukraine's grid operators restored power by hand within hours; many Western utilities, being more automated, have less manual fallback)
Call for norms. Many advocate for international agreements, like a "digital Geneva Convention," to establish clear rules banning attacks on civilian infrastructure, hospitals, and political processes, even in peacetime. However, achieving consensus is difficult as nations are reluctant to limit their own offensive capabilities.
Review Summary
Sandworm is praised as a compelling and informative book about Russian cyber warfare, focusing on attacks against Ukraine and global infrastructure. Readers appreciate Greenberg's ability to explain complex technical concepts in an engaging manner. The book is described as eye-opening and terrifying, highlighting the vulnerability of modern systems to cyber attacks. Some readers found it dense at times but overall highly recommended. Critics note occasional partisan statements and anti-Russian bias. The book is considered essential reading for understanding current geopolitical tensions and cybersecurity threats.