Sandworm is a Russia GRU-linked threat actor/hacking unit, commonly associated with GRU Unit 74455 and also referenced in the content as APT44 and Seashell Blizzard. The content describes Sandworm as active since at least 2013 and linked by Western governments and researchers to major disruptive and destructive cyber operations, including the 2015 attacks on Ukraine’s power grid, NotPetya, KillDisk, FoxBlade, Prestige, the 2017 targeting of Emmanuel Macron’s campaign, the 2018 South Korean Winter Olympics attack, and interference related to the Salisbury poisoning investigation.
Recent reporting in the content states that Sandworm deployed destructive wiper malware against Poland’s energy grid in December 2025. That campaign targeted more than 30 distributed energy resource sites, mainly wind and photovoltaic grid-connection substations, as well as a large combined heat-and-power plant and an industrial manufacturing site. Reported behaviors included initial access via internet-exposed edge appliances such as VPN/firewall gateways and web management interfaces, exploitation of default or weak credentials and lack of MFA, credential harvesting, persistence, movement from edge devices into OT environments, Windows-based wiper deployment on HMI hosts, factory resets of network and serial devices, and corrupted or malicious firmware uploads to RTUs and other controllers. Effects included loss of monitoring visibility and remote control, disabled HMIs and RTUs, device failures requiring replacement, and delayed recovery due to reset configurations and IP reassignment. The attempted attack was reportedly stopped before causing physical disruption, and some wiper activity was blocked by EDR.
The content also states that Amazon tracked a Sandworm campaign beginning in 2021 focused on Western critical infrastructure, particularly the energy sector, with more than 10 victim organizations. In that activity, Sandworm targeted misconfigured network edge devices hosted on AWS rather than AWS vulnerabilities, stole credentials from intercepted traffic, and used them for lateral movement and persistent access. Amazon reported additional targeting of electric utilities, energy providers, managed security service providers, telecom providers, and technology companies. The content notes a tactical shift from exploiting vulnerabilities such as CVE-2022-26318 in WatchGuard firewalls, CVE-2021-26084 and CVE-2023-22518 in Confluence, and CVE-2023-27532 in Veeam, toward exploiting misconfigured edge devices.
The content further links Sandworm to Russia’s broader hybrid operations against NATO countries and critical infrastructure, and notes that a Bauman Moscow State Technical University pipeline allegedly feeds graduates into GRU cyber units including Unit 74455. High-confidence aliases directly mentioned in the content include APT44 and Seashell Blizzard.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
GRU-linked offensive cyber capability described here as deploying destructive wiper malware against Poland’s energy grid to cause physical disruption.
Russian GRU-linked hacking group associated with Unit 74455 and destructive cyber-attacks including against Ukraine’s power grid and other high-profile targets.
Named Russia-linked activity clusters are referenced for attribution overlap; the content does not name any specific malware family/tool used by these actors beyond generic 'custom wipers' and destructive scripts.
Sandworm is a Russian GRU-linked advanced persistent threat group known for targeting critical infrastructure, especially in the energy sector, using a variety of tactics including exploiting vulnerabilities and misconfigured network edge devices. The group is responsible for high-profile destructive attacks such as NotPetya, KillDisk, and FoxBlade.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.