Sandworm (hacker group)
Organizational structure of Russian Intelligence Service (RIS). The Sandworm group operates under GRU. | |
| Formation | c. 2004–2007 |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyberespionage, cyberwarfare |
| Headquarters | 22 Kirova Street Khimki, Russia |
Region | Russia |
| Methods | Zero-days, spearphishing, malware |
Official language | Russian |
Parent organization | GRU |
| Affiliations | Fancy Bear |
Formerly called | Voodoo Bear Iron Viking Telebots |
Sandworm is an advanced persistent threat operated by MUN 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.
The team is believed to be behind the December 2015 Ukraine power grid cyberattack, the 2017 cyberattacks on Ukraine using the NotPetya malware, various interference efforts in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony. Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."