Amazon has disclosed that from 2021 to 2025 Sandworm (GRU Unit 74455)—the team behind NotPetya and Ukraine's grid attacks—shifted to infiltrating misconfigured devices at Western utilities, energy companies, and security providers. The unit compromised edge devices, harvested credentials, and penetrated networks across North America and Europe.
This wasn't a smash-and-grab raid—it was patient reconnaissance at scale. Amazon Threat Intelligence tracked Sandworm's campaign for years, watching it pivot from explosive headline-grabbing attacks to infiltration designed to map critical systems. The unit that left 230,000 Ukrainians without power in 2015 and unleashed $10 billion in NotPetya damages is now inside Western energy infrastructure, and the full scope of what they've accessed remains unknown.
12 events, latest: December 15th, 2025
December 2025
Amazon Exposes Five-Year Campaign
Intelligence Disclosure
Amazon Threat Intelligence publicly disclosed Sandworm's sustained 2021-2025 campaign targeting Western energy infrastructure. Amazon identified 10+ victim organizations, notified customers, remediated compromised systems, and shared intelligence with partners.
CISA Advisory on Pro-Russia Hacktivists
Government Advisory
CISA, FBI, NSA, DOE, and EPA issued a joint advisory detailing pro-Russia hacktivist groups exploiting exposed VNC connections to attack the water, agriculture, and energy sectors—lower in sophistication than APT44, but demonstrating sustained focus on the same sectors.
August 2025
FBI Warns of FSB Targeting Network Devices
Government Advisory
The FBI issued a warning that Russian FSB cyber actors were exploiting SNMP and end-of-life networking devices to broadly target U.S. and global entities, complementing the GRU's infrastructure campaign.
April 2024
Mandiant Upgrades to APT44 Designation
Intelligence Assessment
Google's Mandiant threat intelligence graduated Sandworm to APT44, recognizing the unit's full-spectrum capabilities across espionage, attack, and influence operations and its threat to governments and critical infrastructure globally.
January 2024
Tactical Shift to Misconfiguration Targeting
Operational Evolution
Sandworm reduced its investment in zero-day exploitation, pivoting to sustained targeting of misconfigured network edge devices—VPNs, routers, firewalls—with exposed management interfaces. The campaign targeted energy utilities and MSSPs.
April 2022
Industroyer2 Attack Thwarted in Ukraine
Attempted Cyberattack
Sandworm deployed Industroyer2 targeting a Ukrainian energy supplier, scheduled to cut power for a region affecting 2 million people. CERT-UA and ESET researchers identified and stopped the attack before execution.
January 2021
Western Infrastructure Campaign Begins
Cyber Espionage
Sandworm launched sustained targeting of Western critical infrastructure, initially exploiting zero-day and N-day vulnerabilities in WatchGuard, Confluence, and other network edge devices across North America and Europe.
October 2020
DOJ Indicts Six Unit 74455 Officers
Legal Action
A federal grand jury in Pittsburgh charged Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, and Petr Pliskin with conducting the most destructive cyber-attacks in history. A $10 million reward was offered.
February 2018
Olympic Destroyer Disrupts Winter Games
Destructive Cyberattack
Sandworm deployed Olympic Destroyer malware during the 2018 Winter Olympics opening ceremony in Pyeongchang, compromising thousands of computers in retaliation for Russia's doping ban from the games.
June 2017
NotPetya Unleashed Globally
Destructive Cyberattack
Unit 74455 deployed NotPetya via compromised Ukrainian accounting software M.E.Doc. Disguised as ransomware, it was actually a wiper causing over $10 billion in global damages across thousands of organizations.
December 2016
Ukraine Grid Hit with Industroyer
Destructive Cyberattack
Sandworm deployed Industroyer, the first malware specifically designed to attack electrical grids, targeting Kyiv's 330 kilowatt electrical substation and cutting one-fifth of the city's nighttime power consumption.
December 2015
Sandworm's First Power Grid Attack
Destructive Cyberattack
GRU Unit 74455 executed the first successful cyberattack on a power grid, targeting three Ukrainian energy companies with BlackEnergy malware. Attackers opened breakers at 30 substations, leaving 230,000 residents without power for up to six hours.
Historical Context
3 moments from history that rhyme with this story — and how they unfolded.
December 23, 2015
2015 Ukraine Power Grid Attack (BlackEnergy)
GRU Unit 74455 executed the first successful cyberattack on a power grid, targeting three Ukrainian energy distribution companies. Attackers delivered BlackEnergy malware via spearphishing eight months before the attack, conducted extensive reconnaissance of OT networks, then remotely opened breakers at 30 substations. The attack lasted minutes but left 230,000 residents without power for up to six hours. KillDisk malware wiped systems and corrupted master boot records, rendering them inoperable.
Then
Six-hour blackout affecting 230,000 people; attackers demonstrated ability to translate cyber operations into kinetic effects on critical infrastructure.
Now
Established blueprint for industrial control system attacks; prompted global critical infrastructure cybersecurity investments; led to Ukraine developing world-class defensive capabilities through necessity.
Why this matters now
The 2021-2025 Western campaign follows the same unit's playbook: patient reconnaissance, credential harvesting, and pre-positioning for potential destructive attacks. The difference is scale—Western grids serve millions, not thousands.
June 27, 2017
2017 NotPetya Attack ($10B Damages)
Sandworm compromised the update mechanism of M.E.Doc, Ukrainian accounting software used by thousands of organizations. On June 27, they pushed NotPetya—malware disguised as ransomware but actually a wiper designed to destroy data. The attack spread globally within hours, crippling Maersk shipping, pharmaceutical giant Merck, FedEx subsidiary TNT, and thousands of other organizations. Total damages exceeded $10 billion, making it the most costly cyberattack in history.
Then
Global business disruption; Maersk reinstalled 4,000 servers and 45,000 PCs; Merck's vaccine production halted; hundreds of organizations suffered permanent data loss.
Now
Demonstrated that cyber operations could achieve strategic economic impact comparable to conventional military action; prompted insurance industry to reconsider cyber coverage; established precedent for nation-state malware causing collateral damage far beyond intended targets.
Why this matters now
NotPetya proved Unit 74455 is willing to cause massive economic damage even when collateral impact extends globally. The current campaign's targeting of Western energy infrastructure carries similar—or greater—destructive potential.
March 2020 - December 2020
2020 SolarWinds Supply Chain Compromise
Russian SVR intelligence (not the GRU, but demonstrating the same Russian doctrine) compromised SolarWinds Orion software, used by 18,000 organizations including U.S. government agencies and Fortune 500 companies. Attackers inserted malicious code into legitimate software updates, turning SolarWinds into an unwitting distribution mechanism for espionage malware. The campaign remained undetected for nine months, until FireEye discovered that it had itself been breached.
Then
Massive incident response effort across U.S. government and private sector; multiple agencies confirmed compromised; extensive forensic investigation required.
Now
Fundamentally shifted understanding of supply chain risk; prompted Executive Order 14028 on cybersecurity; established that software supply chain is a viable strategic attack vector for espionage at scale.
Why this matters now
Sandworm's targeting of managed security service providers in the current campaign follows similar logic—compromise one provider to access many clients. The combination of Russia's SolarWinds-proven supply chain methodology with Unit 74455's destructive track record is especially concerning.