Sandworm (APT44 / Seashell Blizzard): Threat Actor Profile
Sandworm (APT44 / Seashell Blizzard) is the Russian GRU unit behind NotPetya — the most financially destructive cyberattack on record — and the first cyber-induced power blackouts. A full threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Sandworm is a Russia-linked GRU cyber unit and the most financially destructive publicly attributed threat actor on record. It is best known for the 2015 and 2016 attacks on Ukraine's power grid — the first confirmed blackouts caused by a cyberattack — the Industroyer/CrashOverride ICS malware, Olympic Destroyer, and above all NotPetya, the 2017 wiper that masqueraded as ransomware and spread worldwide.
Sandworm: at a glance
- Aliases: Sandworm Team, APT44, Voodoo Bear, TeleBots, IRON VIKING, Seashell Blizzard, ELECTRUM, BlackEnergy (Group)
- Country / affiliation: Russia — GRU military intelligence (Unit 74455), per U.S. charging documents
- Assessed status (as of July 2026): Active
- Primary objectives: Destructive disruption, critical-infrastructure sabotage, intelligence collection, military support, and influence operations
- Financial destruction / gain: >$10 billion in global damage from NotPetya alone; the U.S. DOJ tied NotPetya to nearly $1 billion in losses among just three named victims
- Type: Nation-state APT (destructive cyberwarfare)
Who is Sandworm?
Unlike financially motivated crews, Sandworm exists to cause disruption and support Russian military and geopolitical objectives. It remains active in 2026 under overlapping vendor names such as Seashell Blizzard and APT44, focused on espionage, sabotage, and war-support access operations against Ukraine and critical infrastructure worldwide.
Aliases and attribution
Different vendors track this single actor under many names, a common source of confusion in cyber attribution. Microsoft calls it Seashell Blizzard; Google/Mandiant designate it APT44; older reporting uses Voodoo Bear, TeleBots, and IRON VIKING. U.S. prosecutors attribute it to GRU Unit 74455, and in 2020 the DOJ charged six GRU officers in connection with NotPetya and other destructive operations.
Financial impact and damage
NotPetya is the benchmark for cyber destruction: public estimates put global damage above $10 billion, hitting shipping giant Maersk, Merck, FedEx's TNT Express, and others through a compromised Ukrainian accounting-software update. The 2020 U.S. indictment alone tied the malware to nearly $1 billion in losses among the three named victims. Because Sandworm's mission is destruction rather than extortion, its true economic footprint dwarfs most ransomware totals.
Sandworm timeline
- 2015: Ukraine power-grid disruption — first cyber-induced blackout
- 2016: Industroyer/CrashOverride attack on the Kyiv grid
- 2017: NotPetya global destructive worm via M.E.Doc supply-chain compromise
- 2018: Olympic Destroyer disrupts the Winter Olympics
- 2022: Ukraine-focused destructive operations during the invasion
- 2025: BadPilot / Seashell Blizzard multi-year global access operations reported by Microsoft
Notable attacks and campaigns
NotPetya was delivered through a supply-chain compromise of Ukrainian tax software M.E.Doc, then wiped systems irreversibly while displaying a fake ransom note. The Ukraine grid attacks proved cyber operations can cause physical, real-world outages. Microsoft's 2025 reporting on the BadPilot campaign shows Sandworm still compromising edge infrastructure for persistent global access.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1195 — Supply Chain Compromise: NotPetya was delivered by compromising the M.E.Doc software-update channel. Monitor signed update channels, enforce software provenance, and segment update servers.
- T1485 / T1561 — Data Destruction / Disk Wipe: Sandworm deploys destructive malware (NotPetya, KillDisk) that rewrites files and tampers with the MBR. Hunt for mass file rewrites, MBR changes, and simultaneous service failures; keep offline recovery paths.
- T1071 / T1105 — Application-Layer C2 / Ingress Tool Transfer: Modern access operations use compromised edge devices and follow-on tooling. Alert on outbound beacons from routers and VPN appliances and unexpected tool drops. See command and control.
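The T1485 / T1561 entry above asks defenders to hunt for mass file rewrites, MBR changes and other early destruction indicators. The following is an added example, not code from the profile or from any vendor: a small Python detector that applies those rules to a handful of constructed, Sysmon-like events (one process overwriting many files in a short window, a write to the raw disk device, and a shadow-copy deletion command). The event format, the field names, the thresholds and the sample process names are all assumptions for the demo.

```python
"""
Added example (not from the original profile or any vendor): a small detector
for the early destruction indicators the TTP list names -- one process
rewriting many files in a short window, writes to the raw disk device (MBR
tampering) and shadow-copy deletion -- run over constructed, Sysmon-like
events. The event format and the thresholds are assumptions for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tuning knobs a SOC would adjust per environment (assumed values).
MASS_REWRITE_THRESHOLD = 20                  # distinct files overwritten by one process
MASS_REWRITE_WINDOW = timedelta(seconds=60)
RAW_DISK_PREFIXES = ("\\\\.\\PhysicalDrive", "\\Device\\Harddisk")
SHADOW_DELETE_MARKERS = (("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"))


def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines):
    """Return alerts as (timestamp, rule, detail) tuples, sorted by time."""
    alerts = []
    writes = defaultdict(list)   # (host, pid) -> [(ts, path), ...]
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "file_write":
            if ev["path"].startswith(RAW_DISK_PREFIXES):
                # Direct writes to the disk device are how boot records get overwritten.
                alerts.append((ev["ts"], "raw_disk_write",
                               f"{ev['image']} (pid {ev['pid']}) wrote to {ev['path']}"))
            else:
                writes[(ev["host"], ev["pid"])].append((ev["ts"], ev["path"]))
        elif ev["type"] == "process_create":
            cmd = ev.get("cmdline", "").lower()
            if any(exe in cmd and args in cmd for exe, args in SHADOW_DELETE_MARKERS):
                alerts.append((ev["ts"], "shadow_copy_deletion", ev["cmdline"]))

    # Sliding window per process: count distinct paths overwritten within the window.
    for (host, pid), events in writes.items():
        events.sort()
        live = Counter()
        left = 0
        for ts, path in events:
            live[path] += 1
            while ts - events[left][0] > MASS_REWRITE_WINDOW:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= MASS_REWRITE_THRESHOLD:
                alerts.append((ts, "mass_file_rewrite",
                               f"pid {pid} on {host} overwrote {len(live)} files within "
                               f"{int(MASS_REWRITE_WINDOW.total_seconds())}s"))
                break   # one alert per process is enough for triage
    alerts.sort()
    return alerts


def sample_events():
    """Constructed events: a benign editor saving a few files, then a wiper-like process."""
    base = datetime(2026, 3, 1, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"ts={stamp(i)}|host=ws01|type=file_write|pid=3001|image=notepad.exe"
             f"|path=C:\\Users\\a\\doc{i}.txt" for i in range(5)]
    lines += [f"ts={stamp(10 + i)}|host=ws01|type=file_write|pid=4120|image=unknown.exe"
              f"|path=C:\\Users\\a\\Documents\\file{i}.docx" for i in range(25)]
    lines.append(f"ts={stamp(40)}|host=ws01|type=file_write|pid=4120|image=unknown.exe"
                 f"|path=\\\\.\\PhysicalDrive0")
    lines.append(f"ts={stamp(41)}|host=ws01|type=process_create|pid=4200|image=vssadmin.exe"
                 f"|cmdline=vssadmin.exe delete shadows /all /quiet")
    return lines


if __name__ == "__main__":
    for ts, rule, detail in detect(sample_events()):
        print(ts.time(), rule, detail)
```

Run as-is it prints three alerts in time order: the mass-rewrite rule fires once the wiper-like process has touched 20 distinct files, then the raw-disk write, then the shadow-copy deletion. The benign editor never crosses the threshold. In production the same three rules would be fed from an EDR or Sysmon pipeline rather than constructed lines, and the per-process window keeps a busy but legitimate backup agent from tripping the rewrite rule as long as its writes are spread out.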
Detection and defense against Sandworm
Because Sandworm blends supply-chain compromise, destructive wipers, and OT/ICS targeting, defense centers on resilience and integrity monitoring rather than ransom readiness:
- Separate IT and OT networks and tightly control engineering-workstation access.
- Enforce software provenance and integrity checks on all update channels; segment update servers.
- Maintain tested, offline backups and recovery paths that survive a full wiper event.
- Harden internet-facing edge devices (routers, VPNs) and alert on anomalous admin-panel use and outbound beacons.
- Watch for mass file-rewrite, MBR tampering, and shadow-copy deletion as early destruction indicators.
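The second defense item (provenance and integrity checks on update channels) is the control that directly addresses the M.E.Doc-style delivery described earlier. As an added example, not the profile's or any vendor's code, the Python below shows what a client-side check looks like: the update is accepted only if its manifest carries a valid tag from a key pinned out of band, the downloaded bytes hash to the value that signed manifest vouches for, and the version is newer than what is installed. The manifest layout, the pinned key and the use of HMAC-SHA256 as a stand-in for a real publisher signature are assumptions for the demo.

```python
"""
Added example (not the profile's or any vendor's code): client-side
verification of a software update against a signed manifest, i.e. the
"software provenance and integrity checks on update channels" the defense
list calls for. The manifest layout, the pinned key and the HMAC-SHA256
"signature" (a stand-in for a real publisher signature such as Ed25519)
are assumptions for the demo.
"""
import hashlib
import hmac
import json

# Pinned out of band at install time (constructed value). Never fetch the
# verification key from the same server that serves the updates.
PINNED_PUBLISHER_KEY = b"constructed-demo-key-do-not-use"


class UpdateRejected(Exception):
    """Raised when an update fails any provenance or integrity check."""


def _canonical(body):
    """Deterministic encoding so publisher and client sign/verify identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body, key):
    """Publisher side: attach a tag over the canonical manifest body."""
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": tag}


def verify_update(manifest, package, installed_version, key=PINNED_PUBLISHER_KEY):
    """Client side: accept only if signature, package hash and version all check out."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # 1. Manifest must be tagged with the pinned key (constant-time compare).
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        raise UpdateRejected("manifest signature invalid")
    # 2. Downloaded bytes must hash to the value the signed manifest vouches for.
    if not hmac.compare_digest(hashlib.sha256(package).hexdigest(), body["sha256"]):
        raise UpdateRejected("package hash does not match signed manifest")
    # 3. Refuse replays of older signed releases (downgrade protection).
    version = tuple(int(p) for p in body["version"].split("."))
    if version <= installed_version:
        raise UpdateRejected(f"refusing downgrade or replay to {body['version']}")
    return body


def _outcome(manifest, package, installed_version):
    try:
        verify_update(manifest, package, installed_version)
        return "accepted"
    except UpdateRejected as err:
        return f"rejected: {err}"


def demo():
    """Happy path plus three tampering scenarios; returns each outcome."""
    good = b"constructed update payload 2.1.0"
    bad = b"constructed malicious payload"
    manifest = sign_manifest({"product": "demo-app", "version": "2.1.0",
                              "sha256": hashlib.sha256(good).hexdigest()},
                             PINNED_PUBLISHER_KEY)
    forged = sign_manifest({"product": "demo-app", "version": "2.2.0",
                            "sha256": hashlib.sha256(bad).hexdigest()},
                           b"attacker-does-not-have-the-pinned-key")
    return {
        "valid": _outcome(manifest, good, (2, 0, 3)),
        # package swapped on the distribution server, genuine manifest left alone
        "swapped_package": _outcome(manifest, bad, (2, 0, 3)),
        # manifest re-issued for the swapped bytes without the publisher key
        "forged_manifest": _outcome(forged, bad, (2, 0, 3)),
        # genuine signed release replayed to a client already on that version
        "downgrade": _outcome(manifest, good, (2, 1, 0)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16} {result}")
```

The check defeats tampering anywhere between the publisher's signing step and the client: swapped bytes, a re-issued manifest, or a replayed old release. It does not help if the signing key or build pipeline itself is compromised, which is why the same defense list also asks for segmented update servers; keeping the signing key off the distribution host is the complementary half of the control.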
The bottom line
Sandworm is the definitive destructive nation-state actor — proof that code can inflict billions in damage and physical disruption at national scale. See how Sandworm ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
Who is Sandworm?
Sandworm is a Russian GRU cyber unit (Unit 74455), also tracked as APT44, Voodoo Bear, and Seashell Blizzard. It specializes in destructive cyberwarfare and is best known for the 2017 NotPetya attack and the 2015-2016 Ukraine power-grid blackouts.
What is Sandworm's most famous attack?
NotPetya, in 2017 — a destructive wiper disguised as ransomware that spread globally and caused an estimated $10 billion in damage, making it the most financially destructive cyberattack on record.
Is Sandworm still active in 2026?
Yes. Sandworm remains active under the Seashell Blizzard / APT44 names, with continued espionage, sabotage, and access operations targeting Ukraine and critical infrastructure, including the BadPilot campaign reported by Microsoft.
What country is Sandworm from?
Russia. U.S. charging documents attribute Sandworm to Unit 74455 of the GRU, Russia's military intelligence agency.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: