A comprehensive, evidence-labeled cyber threat intelligence report on Sandworm/APT44 (GRU Unit 74455) covering 2009 through March 2026. The report details the group's evolution from bespoke ICS attacks (Ukraine grid disruptions, NotPetya, Industroyer) to a scalable wartime playbook combining edge-device compromise, Living-off-the-Land techniques, GPO-based wiper deployment, and influence persona operations. Key findings include: a sustained shift toward misconfigured edge-device targeting for initial access, an active wiper development pipeline (ZEROLOT, Sting, ZOV, DynoWiper, LazyWiper), expansion into tactical battlefield intelligence support via Signal/Telegram interception (WaveSign tool) and drone supply-chain targeting, and integration with criminal marketplaces. The report includes a full malware portfolio, ATT&CK-aligned TTPs, IOC compendium, SOC detection engineering guidance, a 30-minute wiper/OT defensive playbook, and NIST CSF-lite controls mapping. Attribution confidence is assessed as high at cluster level, with specific incident-level caveats (e.g., contested December 2025 Poland energy incident).

48 min read. From infosecwriteups.com
Table of contents

2009–2014 (Pre-Blackout Development Period)
December 2015 (Ukraine Grid Disruption)
December 2016 (Kyiv Grid / Industroyer)
2017 (NotPetya and BadRabbit)
2018 (Olympic Destroyer and Novichok-Linked Intrusions)
2019 (Georgia Defacement Campaign)
2019–2022 (Kapeka/KnuckleTouch Backdoor Development)
2021–2025 (Edge Misconfiguration-Focused Access Campaign)
February 2022 (Cyclops Blink Public Exposure + Wiper Wave)
April 2022 (Industroyer2 + Multi-Wiper Attack Chain)
October 2022 (MicroSCADA Native-Binary Disruption)
2022–2023 (Battlefield Intelligence and Tactical Support Expansion)
2022–2024 (Hacktivist-Persona Coordination Layer)
2023 (Doctrine Formalization + Mobile Expansion)
2024 (APT44 Naming + Expanded Tooling + Telecom Disruption)
2025 (High-Tempo Wiper Period + Edge Pivot Confirmation)
December 2025 – January 2026 (Poland Energy/Industrial Incident)
Timeline Synthesis