Attacker profile

Sandworm Six (GRU Unit 74455)

Six Russian GRU officers indicted by the U.S. DOJ in October 2020 for NotPetya, the 2018 Olympics destructor, attacks on Ukraine's electric grid, and the 2017 French election hack-and-leak.

On 19 October 2020, the U.S. Department of Justice unsealed an indictment in the Western District of Pennsylvania naming six members of Russian military intelligence (GRU) Unit 74455 as the operators behind a remarkable run of state cyber operations spanning 2015–2019.

The six named officers

  • Yuriy Sergeyevich Andrienko
  • Sergey Vladimirovich Detistov
  • Pavel Valeryevich Frolov
  • Anatoliy Sergeyevich Kovalev
  • Artem Valeryevich Ochichenko
  • Petr Nikolayevich Pliskin

All six were identified as officers of GRU Unit 74455 — also known publicly as Sandworm, Voodoo Bear, Telebots, and Iron Viking. The unit was assessed as the operational home of Russia's most destructive cyber operations.

Operations attributed

The indictment charged the six with conspiracy to commit fraud, computer hacking, and damage to protected computers in connection with:

  • Attacks on Ukrainian electric utilities (2015 and 2016) — the first publicly attributed cyber operation to cause physical blackouts. ~225,000 customers lost power across western Ukraine in December 2015.
  • NotPetya (June 2017) — the destructive wiper disguised as ransomware that propagated via a compromised Ukrainian accounting software supply chain. Estimated $10 billion in global damage, with Maersk, Merck, FedEx-TNT, Mondelez, and Saint-Gobain each reporting hundreds of millions in losses. The single most damaging cyberattack in history at the time.
  • French presidential election hack-and-leak (May 2017) — targeting Emmanuel Macron's campaign with timed releases coordinated to disrupt the election.
  • PyeongChang Olympics destructor (February 2018) — wiper attack during the opening ceremony that crashed broadcasting and ticketing infrastructure.
  • Novichok investigation targeting (2018) — attempted intrusions against the OPCW investigation into the Salisbury poisoning.
  • Georgia-wide defacement campaign (2019) — pre-positioning attacks against ~2,000 Georgian websites.

Significance

The Sandworm Six indictment is the most heavily charged cyber operations case in U.S. history to date. The unit has since been linked to:

  • Technical post-mortems of the 2018 Olympic Games destructor
  • Industroyer / CrashOverride ICS malware, analyzed by ESET and Dragos
  • Numerous attacks on Ukrainian critical infrastructure during the 2022 invasion (including "Industroyer2", "AcidRain", and a series of wiper variants)
  • Operations against satellite operators (Viasat KA-SAT, February 2022)

The named officers remain in Russia. The indictment's value, as with Park Jin Hyok and the Equifax PLA officers, lies in public attribution: it makes hands-on-keyboard operators known by name, and creates the legal framework for sanctions, designations, and (for any officer who travels) potential extradition.