Sandworm
Russia-attributed threat group operated by GRU Unit 74455. Responsible for the most destructive cyberattacks on record including the 2015 and 2016 Ukrainian power grid attacks, NotPetya, and attacks on the 2018 Winter Olympics.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 LowAttribution signals
11 mentions · 2 sources"The group is commonly attributed to Unit 74455 of the Russian Main Intelligence Directorate (GRU)."
"The Sandworm group (aka VoodooBear) has been attributed by the UK NCSC to a new Internet-of-Things (IoT) malware dubbed CyclopsBlink"
"ESET has also previously attributed an attack against the Polish energy sector in December 2025 to Sandworm activity."
"which we attribute to Sandworm with high confidence"
"ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm."
"captured multiple malicious samples from APT-C-13 (Sandworm) organization conducting targeted attacks"
"Google's threat analysts have separately tied to Sandworm, Turla and other Russian operators"
"Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed"
"We attribute DynoWiper to Sandworm with medium confidence"
"Some have graduated and joined both Fancy Bear and the notorious Sandworm group, which has been linked to attacks on Ukraine's power grid, the Winter Olympics, and the NotPetya malware that caused billions of damage around the world"
Hedge terms observed