
Sandworms And Ransomware Gangs: How Russia Remains A Cyber Superpower

Written by Mark Bruno


In May 2023, Danish critical infrastructure experienced what has been described as the largest cyber attack in the country's history, with intrusions into 22 companies in the energy sector. The tooling was sophisticated, and the access gained had the potential to give an outside party control over portions of the energy grid. The activity was linked to Sandworm, a Russian threat actor also tracked as Unit 74455 of Russia's military intelligence service, the GRU.

Another attack on a major institution attributed to a Russian threat actor was the November 2023 ransomware attack on the Industrial and Commercial Bank of China (ICBC) by the LockBit ransomware gang. The attack disrupted settlement in the US Treasury market, leaving ICBC's Financial Services division in New York temporarily unable to settle roughly $9 billion in trades. LockBit is not part of the Russian government; it is a criminal enterprise that has operated with relative impunity so long as its attacks land primarily outside Russian territory. This perceived tolerance by the Russian authorities is a common trait across several ransomware groups.

Both events are emblematic of the two kinds of cyberattack coming out of Russia: those explicitly carried out by the state, and those tolerated or encouraged by the state. Both threats have intensified and become an essential part of Russian operations as the nation finds itself increasingly isolated from the international community.


State-Backed VS. State-Tolerated

While these particular events seem brazen, Russian cyber operations are certainly influenced by its increasing international pariah status. Facing global isolation, Russia actively resorts to destructive cyber activities as a tool of geopolitical influence, while doing nothing to discourage actors that contribute to these goals voluntarily.

State Backed

Russian state-backed threat actors have been confirmed to operate from positions within the Main Directorate of the General Staff, better known as the GRU. This means they answer to the highest offices within the Defense Ministry: they are uniformed military intelligence. The most infamous of these threat actors is a team known to cybersecurity professionals as Sandworm. Active since at least 2009, it has been tracked over the years under numerous names, including ELECTRUM, Telebots, IRON VIKING, BlackEnergy Group, Quedagh, Voodoo Bear, and IRIDIUM. Sandworm's advanced capabilities have been used against critical infrastructure such as power grids, hospital networks, and financial systems throughout EU and NATO member states.

Russia's Foreign Intelligence Service (SVR), which answers directly to the office of the President, fields its own array of threat actors. Among them is the group commonly known as Cozy Bear (also tracked as APT29). Cozy Bear has been in operation since at least 2008, targeting government, think tank, and research institution networks, again with a focus on EU and NATO member states.

The Internet Research Agency (IRA) was a Russian entity founded by Yevgeny Prigozhin and reportedly dissolved after his armed mutiny in 2023. Established in 2013, its focus was using the cyber realm to reinforce information and psychological operations in support of the Russian government's strategic and tactical objectives, particularly through disinformation on social media. Despite claims of its dissolution, the tactics and strategies the IRA employed remain relevant in discussions about cybersecurity, information warfare, and the integrity of political processes in the digital age.

State Tolerated

Russia has a history of utilizing non-state cyber assets and taking advantage of pro-Russian hacktivism, especially in the context of the conflict with Ukraine. The Kremlin has been known to leverage relationships with cybercriminal groups, using them indirectly to conduct operations that align with state interests. Russia's robust cybercrime ecosystem provides a pool of skilled individuals and resources that can be mobilized for state-aligned objectives, including espionage, disinformation, and disruptive cyberattacks. The advantage of encouraging such activity is deniability: it delays the escalation of conflicts or sanctions while creating confusion and instability. These gray-zone tactics pay off both on the kinetic battlefield and in the construction of narratives.

Some of these individuals and groups are powerful for-profit enterprises that hold international organizations' infrastructure hostage through ransomware, or sell stolen data and malware to others who will use them for criminal purposes. The most famous is LockBit, which operates on a ransomware-as-a-service model, leasing its malware to affiliates who carry out the intrusions. Its victims span industries globally, with the healthcare and education sectors hit especially hard; the United States, India, and Brazil are among the most targeted countries.

[Image] An example of a recent website defacement

Other threat actors are dedicated to interference and nuisance-level harm through Distributed Denial of Service (DDoS) attacks or website defacements. In a DDoS attack, a service is flooded with traffic from many sources at once until it can no longer respond to legitimate users. Pro-Russian hacktivists conduct attacks of this kind in support of Russian geopolitical goals, typically against Western entities or those opposing Russian interests.

Among the most famous of these entities are the pro-Russian hacktivist collectives KillNet, Anonymous Sudan, and NoName057(16). At any given time these groups are running dozens of DDoS and defacement campaigns against websites, almost always aligned with Russian strategic objectives. By working through non-state actors, Russia can engage in cyber activity while maintaining plausible deniability. These groups have targeted critical infrastructure in countries opposing Russian interests, demonstrating the potential for significant disruption.
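The hacktivist DDoS described above is crude but noisy, and the noise is what defenders key on: a handful of sources issuing far more requests per second than any human visitor. The following sliding-window detector is an added illustration, not code from the original article. The access-log lines it reads are constructed in the common Apache/Nginx "combined" format, the IP addresses are documentation ranges, and the window and threshold values are assumptions chosen for a small sample rather than tuned production settings.

```python
"""Sliding-window request-rate detector for HTTP flood (DDoS) traffic.

Added illustration; not code from the original article. The log lines are
constructed (see build_sample), the IPs come from RFC 5737 documentation
ranges, and the window/threshold defaults are assumptions for this sample.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access log:
#   ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, user_agent), or None if the line is not a
    well-formed combined-format record (attack traffic often is not)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, m.group("ua")


def detect_flood(lines, window_seconds=10, threshold=20):
    """Flag source IPs that exceed `threshold` requests inside any sliding
    window of `window_seconds`. Returns {ip: peak_requests_in_window} for
    flagged sources only. Lines are assumed to be in time order, as a web
    server writes them; malformed lines are skipped, not fatal."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count seen so far
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ua = parsed
        q = recent[ip]
        q.append(ts)
        # Evict timestamps that have aged out of the window. q is never
        # empty here (ts was just appended), so the loop always terminates.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def fmt(ip, t, req, ua):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{t.strftime(TIME_FMT)}] "{req} HTTP/1.1" 200 512 "-" "{ua}"'


def build_sample():
    """Constructed sample: one normal visitor requesting a page every four
    seconds, one host issuing ten requests per second for eight seconds,
    and one junk line that does not parse."""
    base = datetime(2023, 9, 6, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = base + timedelta(seconds=i)
        if i % 4 == 0:
            lines.append(fmt("198.51.100.7", t, "GET /index.html", "Mozilla/5.0"))
        if 20 <= i < 28:
            for _ in range(10):
                lines.append(fmt("203.0.113.9", t, "GET /", "python-requests/2.31"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, n in detect_flood(build_sample()).items():
        print(f"flood suspect {ip}: {n} requests within a 10-second window")
```

The sliding window, rather than a fixed per-minute bucket, matters because a burst that straddles a bucket boundary would otherwise be split in two and slip under the threshold. In practice the flagged list feeds a rate limiter or a firewall block list, and the threshold is set from the site's observed baseline of requests per source rather than picked by hand.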

What Are They Capable Of?

A question outsiders ask often is "what are the real consequences of these sorts of attacks?" The effects of cyber tactics are most obvious in traditional warfare when they are paired with conventional weapons, electronic warfare, or intelligence-gathering operations. Just this month, the cybersecurity firm Mandiant released a report on a Sandworm attack that cut power in a region of Ukraine at the same time the region was being hit by missile strikes, compounding the effect of the strikes. It can technically be argued that no one has died in the history of cyber warfare from an attack that stayed within that domain; there is no way to "hack combatants to death". But when hospital services are interrupted, when power or heating infrastructure goes down on winter nights, when supply chains are broken in wartime or during a global pandemic, can that point truly be defended?

NotPetya, a novel piece of malware deployed by Sandworm, was unleashed on June 27, 2017, in one of the most aggressive and widespread cyber attacks in history. It inflicted severe disruption across sectors including banking, airports, and power companies, and is considered one of the most destructive cyber attacks ever. Initially seeded through a compromised update of the Ukrainian accounting software M.E.Doc, it rapidly spread worldwide, affecting over 80 companies in Ukraine and at least 2,000 organizations globally. NotPetya borrowed the disk-encrypting code of an older ransomware strain called "Petya" and bolted it onto a highly aggressive worm that used a leaked SMB exploit and stolen credentials to jump between machines. Unlike the ransomware used by for-profit criminal gangs, NotPetya was never intended to honor ransoms: the "installation key" shown on its ransom screen was random and useless for decryption, so it effectively destroyed the file systems on whatever network it touched. Some 49,000 computers belonging to Danish logistics giant Maersk were taken offline, and the company estimated its recovery costs at as much as 300 million USD.

[Image] An example of a Petya ransomware screen upon infection

A different kind of operation, espionage rather than disruption, was Cozy Bear's infamous 2020 SolarWinds hack, a supply chain breach that inserted a backdoor into signed updates of the SolarWinds Orion platform. Orion is a valuable target because large enterprises use it to monitor and manage their networks and servers, so it sits with privileged access in the heart of the infrastructure. Roughly 18,000 customers installed the trojanized update, a number of them in Europe, and the attackers then selected a far smaller set of high-value targets, including key US government agencies and private firms, for hands-on follow-up. The attack's far-reaching implications were felt by governments around the world, highlighting how a single trusted vendor can become the weak point of an interconnected global ecosystem.

On September 6, 2022, KillNet launched a Distributed Denial of Service (DDoS) attack on the website of the Port of Nagoya, Japan. The port is one of the country's largest, a significant gateway for international shipments of heavy machinery, and the main export port for the Toyota corporation. The flood of malicious traffic rendered the website inaccessible for approximately 40 minutes. Brief as it was, the attack exposed the port's vulnerability to cyber threats.

On July 4, 2023, the port was hit by a ransomware attack conducted by the LockBit group. The attack took down the port's unified terminal system, halting container loading and unloading operations and shutting down port activity for more than two days before operations resumed, illustrating the substantial impact of ransomware on critical infrastructure. Together these events show the growing threat posed by cyberattacks, where both unsophisticated DDoS and more damaging ransomware attacks can cause significant operational disruption and economic loss. The involvement of groups like KillNet and LockBit illustrates the escalating sophistication and impact of cyberattacks aligned with geopolitical interests.

A Cornered Bear

As Russia becomes increasingly sidelined on the global stage, its propensity to engage in or tacitly endorse destructive cyber activities grows. This tactic serves as a powerful tool in asserting influence and disrupting perceived adversaries, with fewer diplomatic repercussions, and much lower practical costs.

Russia's sophisticated state-backed operations, coupled with its tolerance of rogue cyber gangs like LockBit or KillNet, form a two-pronged strategy in cyberspace that offers an increasingly potent-but-deniable arsenal to a regime with a gradually shrinking list of options.


About the author: Mark Bruno

Mark Bruno is a noncommissioned officer in the United States military, where he serves as a Combat Medic and a Public Affairs Representative. He holds a Master’s Certificate in Information Assurance from the University of Maryland, and a Bachelor of Science in Communication from the State University system of New York. All statements made in this article are his own, and do not reflect any policies or positions of the United States Department of Defense.


