APT44 / Sandworm
Russia's Most Destructive Cyber Sabotage Unit — GRU Unit 74455
APT44 (Sandworm) is assessed to be the most destructive state-sponsored threat actor in history. The group has conducted devastating attacks including the NotPetya wiper ($10B+ global damages), Industroyer power grid attacks, and the Olympic Destroyer operation. Since 2022, they serve as the primary cyber attack unit supporting Russia's invasion of Ukraine.
Download Full Threat Actor Profile
Complete intelligence report including malware arsenal, MITRE ATT&CK mapping, IOCs, detection rules, and defensive recommendations.
Download PDF (free). Report ID: INT-TAP-2025-APT44-SANDWORM • TLP:CLEAR
Attribution & Identity
Attribution Assessment
APT44 (Sandworm) is attributed with high confidence to Russia's Main Intelligence Directorate (GRU), specifically Unit 74455. In October 2020, the U.S. Department of Justice indicted six GRU officers for operations including NotPetya, the 2015/2016 Ukraine power grid attacks, and Olympic Destroyer. Mandiant formally graduated Sandworm to APT44 status in April 2024.
Background
APT44 (Sandworm) is assessed to be the most destructive state-sponsored threat actor in history. The group has conducted devastating attacks including the NotPetya wiper ($10B+ global damages), Industroyer power grid attacks, and the Olympic Destroyer operation targeting the 2018 Winter Olympics.
Since Russia's invasion of Ukraine in February 2022, Sandworm has served as the primary cyber attack unit supporting military operations, deploying multiple wiper malware families against Ukrainian government, energy, logistics, and agricultural targets. The group has demonstrated capability to cause physical damage through cyber means.
APT44 operates hacktivist personas like CyberArmyofRussia_Reborn to claim attacks and conduct influence operations. These should be tracked as extensions of state-sponsored activity rather than independent hacktivist groups.
2025 Activity
In 2025, Sandworm continues deploying new wiper variants (Zerolot, Sting) and has adopted living-off-the-land techniques to evade detection. They maintain connections to hacktivist personas to claim attacks and conduct influence operations aligned with Russian military objectives.
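The shift to living-off-the-land tradecraft means the indicators defenders need are behavioural rather than file hashes. As an added illustration (example code written for this page, not part of the profile or of BRACE's detection content), the script below triages constructed JSON-lines endpoint telemetry for the three patterns the profile's defensive recommendations name: encoded or hidden-window PowerShell, shells spawned through WMI (a WmiPrvSE.exe parent), and systemd unit-file changes made by anything other than a package manager. The record format, field names and sample events are assumptions made for the example.

```python
"""Living-off-the-land triage over endpoint telemetry.

Added example, not code from the profile or from BRACE. Records are JSON lines in
the shape an EDR export might use; that shape, and every event below, is constructed.
"""
import base64
import json
import re

# Processes that legitimately write unit files; anything else touching systemd dirs is flagged.
PACKAGE_MANAGERS = {"dpkg", "rpm", "apt", "apt-get", "yum", "dnf"}
SYSTEMD_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the group captures the base64 blob that follows it.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_FLAG = re.compile(r"(?i)\s-(?:w|win|window|windowstyle)\s+hidden\b|\s-nop\b|\s-noprofile\b")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as UTF-16LE text, base64 encoded."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(record: dict):
    """Return a list of finding strings for one telemetry record (empty if benign)."""
    findings = []
    if record.get("event") == "process_create":
        cmd = record.get("cmdline", "")
        image = record.get("image", "").lower()
        parent = record.get("parent", "").lower()
        if "powershell" in image or "pwsh" in image or "powershell" in cmd.lower():
            m = ENC_FLAG.search(cmd)
            if m:
                findings.append(f"encoded PowerShell: {decode_encoded_command(m.group(1))!r}")
            if HIDDEN_FLAG.search(cmd):
                findings.append("hidden-window / no-profile PowerShell")
        if parent.endswith("wmiprvse.exe") and image.split("\\")[-1] in SHELLS:
            findings.append(f"WMI-spawned shell: {image}")
    elif record.get("event") == "file_write":
        path = record.get("path", "")
        proc = record.get("process", "")
        if path.startswith(SYSTEMD_DIRS) and proc not in PACKAGE_MANAGERS:
            findings.append(f"systemd unit written by {proc}: {path}")
    return findings


def triage_log(text: str):
    """Run triage over JSON-lines telemetry; returns [(host, finding), ...]."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for finding in triage(rec):
            out.append((rec.get("host", "?"), finding))
    return out


# Constructed sample telemetry. The encoded command is built here so it is valid by construction.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"host": "ws01", "event": "process_create", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c hostname"},
    {"host": "ws01", "event": "process_create", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws02", "event": "process_create", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "srv01", "event": "file_write", "process": "bash", "path": "/etc/systemd/system/update.service"},
    {"host": "srv01", "event": "file_write", "process": "dpkg", "path": "/lib/systemd/system/cron.service"},
])

if __name__ == "__main__":
    for host, finding in triage_log(SAMPLE_LOG):
        print(host, finding)
```

The allowlist on systemd writers is the part that needs local tuning: configuration-management agents and container runtimes also write unit files, and each legitimate writer you add removes one class of false positive without hiding a shell or script that does the same thing.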
Targeting Profile
APT44 targeting aligns with Russian military and political objectives, with a primary focus on Ukraine since 2014 and expanded global operations during geopolitical conflicts.
Target Sectors
Target Technologies
| Category | Specific Targets |
|---|---|
| ICS/SCADA Systems | Power grid (IEC-104), Modbus, industrial protocols |
| Satellite Communications | Viasat KA-SAT, satellite modems |
| Network Infrastructure | SOHO routers (Cyclops Blink botnet) |
| Endpoints | Windows, Linux/Unix systems |
| Mobile | Android devices (Infamous Chisel) |
| Embedded Systems | IoT, firmware targets |
Physical Impact Capability
APT44 has demonstrated the ability to cause physical damage through cyber operations, including causing power outages affecting hundreds of thousands of people and disrupting satellite communications across Europe. The Viasat attack collaterally disabled 5,800 wind turbines in Germany.
Malware Arsenal
APT44 has developed and deployed some of the most destructive malware in history. Their arsenal includes wipers, ICS-targeting tools, botnets, and mobile spyware.
| Malware | Year | Type | Notable Impact |
|---|---|---|---|
| BlackEnergy | 2014 | RAT/Wiper | Ukraine power grid (2015) |
| Industroyer | 2016 | ICS Malware | Kiev power outage |
| NotPetya | 2017 | Wiper | $10B+ global damages |
| Olympic Destroyer | 2018 | Wiper | PyeongChang Olympics |
| Cyclops Blink | 2019 | Botnet | SOHO router compromise |
| AcidRain | 2022 | Wiper | Viasat modems (5,800 wind turbines) |
| Industroyer2 | 2022 | ICS Malware | Ukraine power grid (thwarted) |
| CaddyWiper | 2022+ | Wiper | Most used wiper in Ukraine |
| Infamous Chisel | 2023 | Android Spyware | Ukrainian military devices |
| AcidPour | 2024 | Wiper | Embedded systems |
| Zerolot/Sting | 2025 | Wiper | Ukraine government/energy |
Tactics, Techniques & Procedures
APT44 employs sophisticated techniques across all phases of the attack lifecycle, with particular expertise in ICS/SCADA systems and destructive operations.
Notable Campaigns
- Ukraine power grid attacks (2015 and 2016): the first confirmed cyberattacks to cause power outages. The 2015 attack affected 230,000 customers using BlackEnergy; the 2016 attack used Industroyer to target transmission substations in Kiev.
- NotPetya (2017): a destructive wiper disguised as ransomware, spread via the compromised Ukrainian tax software M.E.Doc. It caused $10B+ in global damages, affecting Maersk, Merck, FedEx, and others worldwide, and is considered the most destructive cyberattack in history.
- Olympic Destroyer (2018): attacked the 2018 PyeongChang Winter Olympics opening ceremony, disrupting ticketing, Wi-Fi, and broadcasts. The operation used false flags to implicate North Korea and China.
- Viasat / AcidRain (2022): launched hours before Russia's invasion, the AcidRain wiper bricked satellite modems across Europe. Collateral damage disabled 5,800 Enercon wind turbines in Germany, demonstrating cross-border physical impact.
- Zerolot and Sting wiper campaigns (2025): ongoing deployment of the Zerolot and Sting wipers against Ukrainian government, energy, logistics, and grain sector organizations to weaken the Ukrainian economy.
Detection & Response
Defensive Recommendations
- Segment OT/ICS Networks — Isolate industrial control systems from IT networks
- Harden ICS Protocols — Monitor IEC-104, Modbus, and other industrial protocols
- Implement Immutable Backups — Protect against wiper malware with offline backups
- Monitor for LOTL Activity — Track PowerShell, WMI, and systemd modifications
- Deploy EDR Everywhere — Cover Windows, Linux, and OT endpoints where possible
- Validate Supply Chain — Audit software update mechanisms and third-party access
- Hunt for Webshells — Regularly scan for unauthorized web shells on servers
- Exercise Incident Response — Practice recovery from destructive attacks
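Of the items above, "Harden ICS Protocols" is the one most specific to Industroyer-style tradecraft, where the intrusion ends with the attacker speaking IEC-104 to substation equipment directly. The following is an added example (written for this page, not code from the profile or from BRACE) of what a protocol-level monitor can check: it parses IEC 60870-5-104 I-format APDUs and alerts when a control-direction ASDU (single or double command, setpoint, interrogation, clock synchronisation and similar) with cause of transmission "activation" arrives from a host outside the approved-master allowlist. The frames, the addresses and the allowlist are constructed for the example.

```python
"""IEC 60870-5-104 control-command monitor.

Added example, not code from the profile or from BRACE. It parses I-format APDUs
and alerts when a control-direction ASDU is activated by a host that is not an
approved SCADA master. Sample frames and addresses below are constructed.
"""
import struct

# Control-direction type identifiers (IEC 60870-5-101/104 standard table, subset).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 setpoint (normalised)",
    49: "C_SE_NB_1 setpoint (scaled)",
    50: "C_SE_NC_1 setpoint (float)",
    51: "C_BO_NA_1 bitstring command",
    100: "C_IC_NA_1 station interrogation",
    101: "C_CI_NA_1 counter interrogation",
    102: "C_RD_NA_1 read command",
    103: "C_CS_NA_1 clock synchronisation",
    105: "C_RP_NA_1 reset process",
}
COT_ACTIVATION = 6  # cause of transmission: activation (the request direction)


def parse_apdu(data: bytes):
    """Decode one APDU. Returns a dict for I-format frames, None for S/U frames or bad input."""
    if len(data) < 6 or data[0] != 0x68:
        return None
    apdu_len = data[1]                      # number of bytes following the length octet
    if apdu_len != len(data) - 2:
        return None
    ctrl = data[2:6]                        # APCI control field
    if ctrl[0] & 0x01:                      # bit0 set: S-format (01) or U-format (11), no ASDU
        return None
    if apdu_len < 4 + 6 + 3:                # APCI + ASDU header + one 3-byte IOA
        return None
    asdu = data[6:]
    type_id, vsq, cot_raw, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte little-endian IOA
    return {
        "type_id": type_id,
        "num_objects": vsq & 0x7F,          # bit7 of VSQ is the SQ flag
        "cot": cot_raw & 0x3F,              # low 6 bits: cause; bit6 P/N; bit7 test
        "negative": bool(cot_raw & 0x40),
        "originator": originator,
        "common_addr": common_addr,
        "ioa": ioa,
        "payload": bytes(asdu[9:]),         # SCO/DCO/QOI/setpoint value etc.
    }


def check_command(src_ip: str, data: bytes, approved_masters: set):
    """Return an alert string for a control activation from an unapproved host, else None."""
    rec = parse_apdu(data)
    if rec is None or rec["type_id"] not in CONTROL_TYPES:
        return None
    if rec["cot"] != COT_ACTIVATION:
        return None                         # confirmations/terminations flow back from the RTU
    if src_ip in approved_masters:
        return None
    return (f"ALERT {src_ip} sent {CONTROL_TYPES[rec['type_id']]} to CA={rec['common_addr']} "
            f"IOA={rec['ioa']} payload={rec['payload'].hex()}")


# Constructed frames (not captured traffic):
SINGLE_CMD = bytes.fromhex("680e000000002d0106000100e8030001")          # C_SC_NA_1, CA=1, IOA=1000, ON
MEASUREMENT = bytes.fromhex("6812000000000d0103000100b80b000000484200")  # M_ME_NC_1, float 50.0, spontaneous
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")       # C_IC_NA_1, QOI=20
STARTDT_ACT = bytes.fromhex("680407000000")                              # U-format, carries no ASDU

APPROVED_MASTERS = {"10.0.5.10"}  # constructed HMI/SCADA master address

if __name__ == "__main__":
    traffic = [("10.0.5.10", SINGLE_CMD), ("10.0.5.50", SINGLE_CMD), ("10.0.5.50", MEASUREMENT),
               ("10.0.5.50", INTERROGATION), ("10.0.5.50", STARTDT_ACT)]
    for src, frame in traffic:
        alert = check_command(src, frame, APPROVED_MASTERS)
        if alert:
            print(alert)
```

Monitoring-direction ASDUs (measurements, status changes) are deliberately ignored so the alert volume tracks only write-like actions; a fuller deployment would also baseline which common addresses and IOAs each master normally commands, since a legitimate master host that has itself been compromised will pass the source-address check.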
Track APT44/Sandworm with BRACE
BRACE delivers monthly sector-specific threat intelligence covering APT44 activity, including:
- APT44 campaign analysis and targeting patterns
- Detection rules for wiper malware and ICS attacks
- MITRE ATT&CK mappings for nation-state TTPs
- Sector-specific threat hunting playbooks
- IOCs and behavioral indicators
Get the Complete Intelligence Report
Download the full APT44/Sandworm profile including detailed malware analysis, MITRE ATT&CK mapping, IOCs, and comprehensive defensive playbooks.
Stay Ahead of APT44/Sandworm
BRACE delivers monthly threat intelligence on APT44 and 175+ other threat groups with detection rules and hunting playbooks for your sector.