Sandworm: A tale of disruption told anew

As the war rages, the APT group with a long résumé of disruptive cyberattacks enters the spotlight again

For cybersecurity pundits, it has become a doctrine that cyberdisruption, whether perpetrated directly or via proxy groups, can be expected to accompany military, political, and economic action as a way of softening up targets or of strategically applying pressure via subterfuge. Thus, in a time of war in Ukraine, the spotlight has also naturally turned to cyberwarfare, both past and present.

Since at least 2014, companies in Ukraine or with network access to the region have been hit by malware such as BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute the malware samples to one overarching group – Sandworm.

Who is Sandworm?

The moniker Sandworm was chosen by researchers at iSIGHT Partners, a threat intelligence company, who discovered references to Frank Herbert’s novel Dune in BlackEnergy malware binaries in 2014. At that time, ESET researchers were presenting their findings on several targeted BlackEnergy attacks in Ukraine and Poland at a Virus Bulletin conference, and they also discovered the same unmistakable references in the code: arrakis02, houseatreides94, BasharoftheSardaukars, SalusaSecundus2, and epsiloneridani0.

While some speculated that Sandworm was a group working from Russia, it wasn’t until 2020 that the US Department of Justice (DoJ) concretely identified Sandworm as Military Unit 74455 of the Main Intelligence Directorate (GRU) – which was changed to the Main Directorate (GU) in 2010, although “GRU” seems to have stuck in Western parlance – of the General Staff of the Armed Forces of the Russian Federation, located at 22 Kirova Street, Khimki, Moscow in a building colloquially called “the Tower”:

Figure 1. The Tower on 22…