Sandworm Team
What is Sandworm Team?
Sandworm Team: Russian GRU Unit 74455 (APT44), responsible for NotPetya, Ukrainian power-grid attacks, and the Olympic Destroyer campaign against the 2018 PyeongChang Games.
Sandworm Team, also tracked as APT44, Voodoo Bear, Iron Viking, and TeleBots, is a destructive cyber unit of Russia's military intelligence service GRU, specifically Unit 74455 of the Main Centre for Special Technologies (GTsST). US Department of Justice indictments from October 2020 and elsewhere attribute to Sandworm the 2015 and 2016 Ukrainian power-grid blackouts using BlackEnergy and Industroyer, the June 2017 NotPetya wiper that caused more than USD 10 billion in global damage, the 2018 Olympic Destroyer attack, and ongoing wiper campaigns in Ukraine since 2022 such as HermeticWiper, CaddyWiper, and Industroyer2. Mandiant elevated the cluster to APT44 in April 2024, citing its strategic role in Russian wartime operations and continued targeting of critical infrastructure.
● Examples
- 01
June 2017 NotPetya wiper outbreak causing over USD 10 billion in global damage.
- 02
2018 Olympic Destroyer attack against the PyeongChang Winter Olympics infrastructure.
● Frequently asked questions
What is Sandworm Team?
Russian GRU Unit 74455 (APT44), responsible for NotPetya, Ukrainian power-grid attacks, and the Olympic Destroyer campaign against the 2018 PyeongChang Games. It is filed under the Malware category of cybersecurity.
What does Sandworm Team mean?
Russian GRU Unit 74455 (APT44), responsible for NotPetya, Ukrainian power-grid attacks, and the Olympic Destroyer campaign against the 2018 PyeongChang Games.
How does Sandworm Team work?
Sandworm Team, also tracked as APT44, Voodoo Bear, Iron Viking, and TeleBots, is a destructive cyber unit of Russia's military intelligence service GRU, specifically Unit 74455 of the Main Centre for Special Technologies (GTsST). US Department of Justice indictments from October 2020 and elsewhere attribute to Sandworm the 2015 and 2016 Ukrainian power-grid blackouts using BlackEnergy and Industroyer, the June 2017 NotPetya wiper that caused more than USD 10 billion in global damage, the 2018 Olympic Destroyer attack, and ongoing wiper campaigns in Ukraine since 2022 such as HermeticWiper, CaddyWiper, and Industroyer2. Mandiant elevated the cluster to APT44 in April 2024, citing its strategic role in Russian wartime operations and continued targeting of critical infrastructure.
How do you defend against Sandworm Team?
Defences against Sandworm Team typically combine technical controls and operational practices; see the full definition above.
What are other names for Sandworm Team?
Common alternative names include: APT44, Voodoo Bear, Iron Viking, TeleBots, GRU Unit 74455.
● Related terms
- malware № 100
BlackEnergy
A modular malware family used by the Russian Sandworm group for espionage and destructive attacks, including the December 2015 Ukrainian power-grid blackout.
- malware № 744
NotPetya
A June 2017 destructive wiper masquerading as ransomware, spread via a backdoored M.E.Doc update and attributed to Russia's Sandworm.
- ot-iot № 530
Industroyer / CrashOverride
Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
- attacks № 017
Advanced Persistent Threat (APT)
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
- malware № 1243
Wiper Malware
Destructive malware whose primary goal is to irreversibly erase or corrupt data, firmware, or boot records — not financial gain.