G0034 Nation-stateour call,
not MITRE’s ATT&CK Group

Sandworm Team

How MITRE ATT&CK characterizes this group¹: Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government…

Attributed to Russia — GRU (Unit 74455, Main Centre for Special Technologies) by government advisory.¹¹²¹¹³

Also tracked as: ELECTRUM Telebots IRON VIKING BlackEnergy (Group) Quedagh Voodoo Bear IRIDIUM Seashell Blizzard FROZENBARENTS APT44 — ATT&CK group page¹

Read this as · tier is our editorial call, not MITRE’s

Read as a state-directed operator, not a smash-and-grab.

A nation-state classification means patience, tradecraft, and an intelligence objective. When this name attaches to a vulnerability, the question shifts from “will someone exploit it” to “has a well-resourced service already built it into an operation.” All tradecraft below is sourced to MITRE ATT&CK.

Techniques

ATT&CK count¹

Named tools / malware

ATT&CK count²

Attributed campaigns

ATT&CK count¹

Tactics spanned

ATT&CK count¹

~2015–2022approx.

Activity bounds (campaign floor)

approximate¹

Known for

— signature moves, each sourced to ATT&CK

Campaign2016 Ukraine Electric Power Attack. ATT&CK tracks this attributed operation as C0025.¹⁰⁹

Campaign2015 Ukraine Electric Power Attack. ATT&CK tracks this attributed operation as C0028.¹¹⁰

ArsenalNamed tooling. ATT&CK attributes 27 tools/malware to this group, including Mimikatz, PsExec, Net, BlackEnergy.⁸²

ReachFurthest outcome. This actor's cited tradecraft reaches as far as outcome 5 — Lights out — disruption & extortion. (editorial mapping over ATT&CK tactics).

Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means this technique’s own ATT&CK tactic defensibly advances that outcome. The mapping of technique→outcome is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge. A filled cell means one of the technique's own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column.

1Front door

2Keys to the kingdom

3Lateral reach

4Data at risk

5Lights out

T1003.001 LSASS MemoryCredential Access

●

T1003.003 NTDSCredential Access

●

T1005 Data from Local SystemCollection

●

T1018 Remote System DiscoveryDiscovery

T1021.002 SMB/Windows Admin SharesLateral Movement

●

T1027 Obfuscated Files or InformationDefense Evasion

T1027.010 Command ObfuscationDefense Evasion

T1033 System Owner/User DiscoveryDiscovery

T1036 MasqueradingDefense Evasion

T1036.005 Match Legitimate Resource Name or LocationDefense Evasion

T1040 Network SniffingCredential Access / Discovery

●

T1041 Exfiltration Over C2 ChannelExfiltration

●

T1047 Windows Management InstrumentationExecution

●

T1049 System Network Connections DiscoveryDiscovery

T1053.005 Scheduled TaskExecution / Persistence / Privilege Escalation

●

T1056.001 KeyloggingCredential Access / Collection

●

T1059.001 PowerShellExecution

●

T1059.005 Visual BasicExecution

●

T1070.004 File DeletionDefense Evasion

T1071.001 Web ProtocolsCommand & Control

T1072 Software Deployment ToolsExecution / Lateral Movement

●

T1078 Valid AccountsInitial Access / Persistence / Privilege Escalation / Defense Evasion

●

T1078.002 Domain AccountsInitial Access / Persistence / Privilege Escalation / Defense Evasion

●

T1082 System Information DiscoveryDiscovery

T1083 File and Directory DiscoveryDiscovery

T1087.002 Domain AccountDiscovery

T1087.003 Email AccountDiscovery

T1090 ProxyCommand & Control

T1102.002 Bidirectional CommunicationCommand & Control

T1105 Ingress Tool TransferCommand & Control

T1106 Native APIExecution

●

T1132.001 Standard EncodingCommand & Control

T1133 External Remote ServicesInitial Access / Persistence

●

T1140 Deobfuscate/Decode Files or InformationDefense Evasion

T1190 Exploit Public-Facing ApplicationInitial Access

●

T1195 Supply Chain CompromiseInitial Access

●

T1195.002 Compromise Software Supply ChainInitial Access

●

T1199 Trusted RelationshipInitial Access

●

T1203 Exploitation for Client ExecutionExecution

●

T1204.001 Malicious LinkExecution

●

T1204.002 Malicious FileExecution

●

T1213.006 DatabasesCollection

●

T1218.011 Rundll32Defense Evasion

T1219 Remote Access ToolsCommand & Control

T1485 Data DestructionImpact

●

T1486 Data Encrypted for ImpactImpact

●

T1489 Service StopImpact

●

T1490 Inhibit System RecoveryImpact

●

T1491.002 External DefacementImpact

●

T1499 Endpoint Denial of ServiceImpact

●

T1505.003 Web ShellPersistence

●

T1539 Steal Web Session CookieCredential Access

●

T1555.003 Credentials from Web BrowsersCredential Access

●

T1561.002 Disk Structure WipeImpact

●

T1566.001 Spearphishing AttachmentInitial Access

●

T1566.002 Spearphishing LinkInitial Access

●

T1570 Lateral Tool TransferLateral Movement

●

T1571 Non-Standard PortCommand & Control

T1583 Acquire InfrastructureResource Development

T1583.001 DomainsResource Development

T1583.004 ServerResource Development

T1584.004 ServerResource Development

T1584.005 BotnetResource Development

T1585.001 Social Media AccountsResource Development

T1585.002 Email AccountsResource Development

T1586.001 Social Media AccountsResource Development

T1587.001 MalwareResource Development

T1588.002 ToolResource Development

T1588.006 VulnerabilitiesResource Development

T1589.002 Email AddressesReconnaissance

T1589.003 Employee NamesReconnaissance

T1590.001 Domain PropertiesReconnaissance

T1591.002 Business RelationshipsReconnaissance

T1592.002 SoftwareReconnaissance

T1593 Search Open Websites/DomainsReconnaissance

T1594 Search Victim-Owned WebsitesReconnaissance

T1595.002 Vulnerability ScanningReconnaissance

T1598.003 Spearphishing LinkReconnaissance

T1608.001 Upload MalwareResource Development

Reach: this actor’s cited techniques light columns 1·2·3·4·5 — furthest is 5 · Lights out. (furthest-position idiom, reused from the landing map).

A dot = this technique advances that outcome

Editorial: the technique→outcome alignment is our call over ATT&CK’s tactic data, not a separately-sourced MITRE edge — same basis the landing page declares. Enabler tactics (C2, defense evasion, discovery) heat no column.¹

Arsenal

— named tools & malware ATT&CK attributes to this group

MimikatzS0002 · Tool

ATT&CK S0002 ↗

PsExecS0029 · Tool

ATT&CK S0029 ↗

NetS0039 · Tool

ATT&CK S0039 ↗

BlackEnergyS0089 · Malware

ATT&CK S0089 ↗

Cobalt StrikeS0154 · Malware

ATT&CK S0154 ↗

SDeleteS0195 · Tool

ATT&CK S0195 ↗

Invoke-PSImageS0231 · Tool

ATT&CK S0231 ↗

GreyEnergyS0342 · Malware

ATT&CK S0342 ↗

+19 moreCoverage

ATT&CK attributes 27 tools/malware to G0034 in total; the full list is on the group page.

ATT&CK G0034 ↗

Campaign highlights

— attributed operations in the ATT&CK record

2016 Ukraine Electric Power Attack — ATT&CK Campaign C0025

Attributed operation

ATT&CK records 2016 Ukraine Electric Power Attack (C0025) — roughly 2016–2016 as an operation attributed to this group.¹⁰⁹

Open ATT&CK C0025 ↗

2015 Ukraine Electric Power Attack — ATT&CK Campaign C0028

Attributed operation

ATT&CK records 2015 Ukraine Electric Power Attack (C0028) — roughly 2015–2016 as an operation attributed to this group.¹¹⁰

Open ATT&CK C0028 ↗

2022 Ukraine Electric Power Attack — ATT&CK Campaign C0034

Attributed operation

ATT&CK records 2022 Ukraine Electric Power Attack (C0034) — roughly 2022–2022 as an operation attributed to this group.¹¹¹

Open ATT&CK C0034 ↗

Latest activity

— with explicit confidence, and what we cannot yet claim

ATT&CK
snapshot

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22Coverage gap — live “currently active” status not asserted

CVE ↔ actor bridge: no confirmed CVE link is established for this group. ATT&CK provides no first-class group→CVE relationship, so this card does not claim specific CVEs as “exploited by this actor” unless a named advisory says so. Absence of a CVE here is a coverage gap, never a clean bill — confirmed links surface as a cited, linked list as the advisory bridge grows.

Coverage & confidence

— what we know, and what we don’t

Established (cited)

Group identity, aliases, description — MITRE ATT&CK group page

79 techniques — ATT&CK technique pages (linked per row)

27 software (arsenal) — ATT&CK software pages

3 attributed campaign(s) — ATT&CK campaign pages

Origin / sponsor (Russia — GRU (Unit 74455, Main Centre for Special Technologies)) — curated government advisory (cited)

15 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.

Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.

Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.

ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.