top of page



Sandworm (also known as VooDoo Bear, Telebots, IRIDIUM, Seashell Blizzard and Iron Viking) is the name given to Russia’s GRU intelligence unit, Military Unit 74455, specialising in cyber attacks and espionage. Its exact founding date is unknown, however, it is believed to have been commissioned in the 2000s and operated unknown to the outside world until its discovery in 2015. As a military unit which falls under the direction of Russia’’s Ministry of the Interior, it carries out operations based on the Russian Federation’s military and political objectives. Many of its operations have been carried out against Ukraine. 


The independent American intelligence corporation iSight made the breakthrough responsible for unearthing Sandworm in 2015. It uncovered a “zero-day” (a hole in an organisation’s cyber security they are unaware of and therefore, have zero days to respond to in case of an attack) in a PowerPoint presentation on key figures in the pro-Russian breakaway areas of Ukraine. With PowerPoint’s large global user base, the spyware could easily be spread across multiple continents, to thousands of users, and given the content of what it was attached to, to high-profile users. Comparing the code it unearthed to other samples in its database, iSight uncovered multiple similar strands that had been in use on different platforms since the mid-2000s. (1)

The malware had the name arrakis02 - a reference to the desert planet setting of the science fiction series Dune. There were other references to Dune too - leading iSight to name it after the characteristic Sandworms which roam beneath the planet and are used by the series’ protagonists in its battle against their enemies. The combination of its nickname and its series of daring cyber attacks led to the group gaining notoriety quickly after its discovery. (2)

Sandworm had been responsible for multiple cyber attacks in different countries. It successfully knocked out Ukraine’s power grid twice, in 2015 and 2016. Evidence suggests it has targeted European elections, including French President Emmanual Macron’s party. Its wide range of targets has also included the Winter Olympics and civilian and government infrastructure in the United Kingdom and the United States. (3) While its exact founding date is unknown, it is blamed for cyberattacks during Georgia’s 2008 election and was named responsible for operations against American and European infrastructure in 2023. It is likely that the group is still active and operating. (4)


According to Western intelligence and the cybersecurity company CrowdStrike, Sandworm operates in accordance with the Russian state’s geopolitical objectives, which is to be expected if it operates under the GRU’s command. They cite its particular focus on Ukrainian targets and Western political figures as evidence of this claim. (5)


No other attack demonstrates the level of damage Sandworm is capable of than its 2017 NotPetya cyberattack. Launched on the eve of Ukraine’s Constitution Day, the Notpetya malware targeted several industries across Ukraine and Europe. Ukrainian banks, communications, television, metro, and electric companies across the public and private sectors were targeted and brought down. Several other companies under European or American ownership were also targeted. The estimated cost of the cyberattack was $10 billion. (6)

Approach to Resistance

The group uses both malware and distributed denial-of-service (DDoS) attacks to target its opponents. Sandworm used “Black Energy” malware to disable the Ukrainian power grid. Accessing corporate networks through phishing emails containing Black Energy, the group remotely turned off multiple power substations across the country. Simultaneously, they bombarded tech support centers with DDoS attacks, which flooded the recipient network with repeated requests causing access to them to slow dramatically. (7)

Sandworm continues to target Ukrainian military and civilian infrastructure using hardware. This has become especially important during its war with Ukraine. In 2023, western intelligence uncovered Sandworm-linked malware that attempted to target Android devices that would scan for pertinent information to extract. The hackers attempted to extract financial information, communications, media, and VPN data. (8)

International Relations

Other countries, particularly the United States, view Sandworm as a profound threat. Following cyberattacks that took place near the beginning of Russia’s invasion of Ukraine in 2022, the US offered $10 million for any info that might help identify or track down six members its government had indicted for their role in carrying out cyber attacks. The six targeted members, Artem Ochichenko, Anatoliy Kovalev, Petr Pliskin, Yuriy Andrienko, Sergey Detistov, and Pavel Frolov, are yet to be caught. (9)

FBI wanted poster for members of Sandworm

Currently, no country apart from the United States is offering an award to help track down the hackers. Other countries, such as the United Kingdom and Canada have contributed efforts to help track the group’s movements and uncover its malware. While Western powers still view China as the biggest cybersecurity threat, Sandworm ensures that they must also be cautiously aware of Russia.


bottom of page