
Threat Actor Profile - Sandworm

Threat Actor: Sandworm

Date of Activity: ~2013-Present

Overview: Sandworm is a notorious cyber-espionage group that has been operating for several years. The group is believed to be based in Russia and has been responsible for several high-profile attacks on government agencies and private companies around the world.

The Sandworm team gained notoriety in 2014 when it was linked to the BlackEnergy malware campaign that targeted Ukrainian government and energy sector computer systems. The attack resulted in widespread power outages across Ukraine, which was seen as a demonstration of the group's capabilities.

Since then, Sandworm has been linked to a number of other attacks, including the NotPetya ransomware attack in 2017. This attack caused widespread damage to businesses around the world, costing billions of dollars in losses.

The Sandworm team is known for using sophisticated and complex malware tools, such as the Snake rootkit, which can remain undetected on infected systems for long periods of time. They are also skilled at evading detection, for example by using legitimate software and by exploiting vulnerabilities in widely used software and hardware.

In addition to its cyber-espionage activities, Sandworm has also been linked to other forms of cybercrime, such as stealing sensitive information, intellectual property theft, and financial fraud.

While the exact motives behind the Sandworm team's activities remain unclear, experts believe that the group is likely working on behalf of the Russian government. Some have suggested that Sandworm is part of a larger cyber warfare unit within the Russian military, while others believe that the group is affiliated with Russian intelligence agencies.

The activities of the Sandworm team highlight the growing threat posed by state-sponsored cyber-espionage and cyber warfare. As governments around the world become more reliant on digital systems, the risks of cyber attacks continue to increase. It is therefore essential that businesses and governments take steps to protect themselves from cyber threats, such as by implementing strong cybersecurity measures and investing in cyber defense capabilities.


• Advanced tool set, including implants, exploits and RATs

• Intelligence collection against militaries and governments

• Sophisticated malware

• Implementing encrypted communications

• Long-term access to networks with deep access

• Supply-chain exploitation

• Multiple target entities, techniques, toolkits, and activities
