SandWorm, the APT Hackers Behind NotPetya and Industroyer

SandWorm is one of the most infamous Advanced Persistent Threat (APT) groups. Its activity can be traced back to 2009, and it has been involved in numerous attacks against entities and nations opposing Russia. Cybersecurity experts believe that the SandWorm APT group may be a sub-division of the GRU, Russia's military intelligence unit. In previous campaigns, the SandWorm hackers have also been referred to under the aliases Iron Viking, Telebots, and others.

In recent years, SandWorm has made the news countless times by deploying novel, destructive malware in carefully orchestrated attacks. One of the most infamous implants that SandWorm is associated with is the NotPetya Ransomware, one of the first threats aiming to damage the Master Boot Record (MBR) rather than individual files. By wiping out the MBR of hard drives, the NotPetya Ransomware ensured that compromised systems would be unable to boot at all.

Destructive malware seems to be SandWorm's specialty, and the group is also responsible for other high-profile wipers such as Olympic Destroyer and Industroyer. The former was involved in a cyberattack that took place during the opening of the 2018 Winter Olympics. Industroyer, meanwhile, is a malicious implant specifically designed to target the Industrial Control Systems (ICS) used in electric grid installations. The SandWorm hackers employed Industroyer in attacks against the Ukrainian power grid in 2016.

The latest SandWorm news concerns Industroyer2, a successor to the infamous implant the group used in 2016. The SandWorm hackers employed it in April 2022, in another attack against the Ukrainian power grid. The goal of the operation was to trigger a blackout, just like the one the hackers had managed to orchestrate in December 2015.