Sandworm Team (GRU Unit 74455)

Russia — GRU (Main Intelligence Directorate), assessed to be Unit 74455

Mission Type

Disruption and destruction of critical infrastructure, strategic sabotage in support of Russian military and geopolitical objectives

Primary Sectors

Energy, Telecommunications, Critical Infrastructure, Government

Operational Period

2014 – present

Attributed Cases

6

TTP Pattern Summary

Sandworm consistently demonstrates ICS/SCADA-targeting capability, deploying purpose-built malware to interact directly with industrial protocols (IEC 104, IEC 61850). The group chains supply-chain compromise or credential-based access with disk-wiping components to delay forensic analysis. In wartime operations, Sandworm coordinates cyber attacks with kinetic military operations, as seen in the Viasat and Industroyer campaigns.

Impact (8), Impact (ICS) (4), Initial Access (3), Persistence (2), Execution (2), Lateral Movement (1)

Behavioural Signature

Sandworm pursues strategic-level disruption with a willingness to accept collateral damage. Its operations exhibit progressive sophistication across multi-year attack cycles (2015 manual grid attack → 2016 automated Industroyer → 2022 Industroyer2). The group tolerates high visibility and attribution risk, suggesting its operations serve primarily as demonstrations of capability and coercive signalling rather than covert intelligence collection.

Governance Footprint

Subject to the broadest multilateral attribution campaign of any cyber actor. Named in US DOJ indictments (2020), a Five Eyes joint attribution (2018) and EU sanctions. Sandworm operations have been central to international debates on the applicability of IHL (international humanitarian law) to cyber operations in armed conflict.