Cyber Threat Actor: Sandworm
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
74 incidents |
|---|
Profile
The threat actor known by the aliases Voodoo Bear, UAC‑0082, Sandworm and Berserk Bear is described in the source material as a Russia‑based group linked to the Russian General Staff Main Intelligence Directorate (GRU). The actor has been observed targeting a range of sectors that include the energy sector—specifically power grids, combined heat and power plants and renewable energy facilities—as well as broader critical infrastructure such as water and heat suppliers, media and news organizations, government institutions and satellite communications providers. Observed objectives attributed to the group have included disruptive operations intended to cause power outages or disrupt industrial control systems, espionage efforts aimed at gathering sensitive information from entities like the International Criminal Court, and hybrid‑information campaigns intended to destabilize political environments, as seen in the alleged leak of Moldovan government communications.
The actor’s tactics, techniques and procedures repeatedly involve the deployment of wiper malware families such as DynoWiper, LazyWiper, CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe, Industroyer/Industroyer2, QUEUESEED, BIASBOAT, LOADGRIP, AcidRain, BlackEnergy and NotPetya to destroy or corrupt data on Windows, Linux and Solaris systems. Initial access has been achieved through the exploitation of internet‑exposed virtual private network devices using default credentials and the absence of multi‑factor authentication, through supply‑chain compromises involving poisoned software or abused vendor maintenance access, and through the abuse of Group Policy Objects to distribute destructive payloads across Windows environments. Additional tooling observed includes the use of PowerShell scripts, Impacket for remote command execution, Tor relay infrastructure for anonymity, and specialized Linux wipers such as Orcshred, Soloshred and Awfulshred to target non‑Windows platforms. The actor has also demonstrated the ability to modify firmware, delete files, reset remote terminal units, protection relays, human‑machine interfaces and serial device servers in industrial control settings, and to erase attack traces with data‑wiping utilities after conducting operations.
Representative operations attributed to the actor include a December 2025 wiper attack on the Polish power grid that used DynoWiper against combined heat and power plants and a renewable energy management system, a concurrent December 2025 campaign against Polish renewable energy facilities that exploited default credentials on FortiGate VPN devices, moved into industrial control systems, corrupted firmware and deployed DynoWiper and LazyWiper on Windows hosts, and a March 2024 campaign against approximately twenty Ukrainian critical‑infrastructure facilities that employed QUEUESEED, BIASBOAT and LOADGRIP malware obtained via supply‑chain compromises to disrupt information systems in support of concurrent physical attacks. Earlier activity includes a January 2023 destructive malware assault on Ukraine’s Media Center Ukraine‑Ukrinform that leveraged Group Policy Objects to spread CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe, causing a brief broadcast interruption, and a September 2023 espionage‑oriented intrusion against the International Criminal Court that was linked to heightened threats against court officials following arrest warrants for Russian officials. Additional noted incidents involve a 2022 hack‑and‑leak operation targeting Moldovan government communications that officials attributed to Russian hybrid warfare, and a February 2022 disruption of a U.S. satellite internet provider’s KA‑SAT service that affected users across Europe. These examples illustrate the actor’s recurring focus on disruptive and espionage‑oriented actions against energy, governmental and media targets, leveraging a repertoire of wiper malware, credential‑based access and supply‑chain techniques.
