Threat Intelligence Tarot
Major Arcana · 3
Russia (GRU Unit 74455)
G0034
risk 5/5
The Destroyer
Sandworm
Sandworm Team · BlackEnergy Group · Voodoo Bear · IRIDIUM
Energy · Critical infrastructure · Government · Media
Active since ~2009 · Destruction, Disruption, Coercive signaling
It does not want your data. It wants your darkness. Sandworm is a weapon of punishment, sent to demonstrate that the lights can go out, the trains can stop, the hospitals can fall silent.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
  • T1561.001 Disk Content Wipe (Impact)
  • T1499 Endpoint Denial of Service (Impact)
  • T1059.005 Visual Basic (Execution)
  • T1078 Valid Accounts (Initial Access)
  • T1489 Service Stop (Impact)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • Ukraine power grid attacks (2015, 2016)
  • NotPetya global wiper (2017, $10B+ damage)
  • Olympic Destroyer (2018 Winter Olympics)
  • Georgia election infrastructure (2019)
Defenses
  • OT/ICS network segmentation and unidirectional gateways (IEC 62443)
  • Immutable offline backups with tested restoration procedures (CIS Control 11)
  • Industrial protocol monitoring (Modbus, DNP3 anomalies) (NIST CSF: DE.CM)
  • Emergency response playbooks for power/utility disruption (NIST SP 800-82)
Reversed: Their Weakness
NotPetya's indiscriminate spread was a strategic miscalculation - it hit Russian companies too, and the blast radius destroyed any plausible deniability Russia might have maintained.

Data sourced from MITRE ATT&CK. For educational purposes.