Microsoft ties January Ukraine attack to notorious Sandworm group

Expect to see more attacks, Microsoft says.
Tulips in blossom on Independence Square on April 27, 2022 in Kyiv, Ukraine. Following Russia's retreat from areas around the Ukrainian capital, signs of normal life have returned to Kyiv. (Photo by Alexey Furman/Getty Images)

Microsoft on Wednesday tied a January data-wiping malware attack in Ukraine to notorious Russian hacking group Sandworm.

The new link fleshes out the operations of the group, also dubbed Iridium by Microsoft, during a heated war between Russia and Ukraine. Ukraine has already blamed the Sandworm group, which is affiliated with Russia’s GRU military agency, for staging a malware attack on Ukraine’s power grid earlier this month — the third time in the group’s history.

Microsoft reports observing close to 40 destructive attacks targeting hundreds of systems since the conflict started. Roughly 32% of the attacks went after Ukrainian governmental organizations while more than 40% of destructive attacks were aimed at organizations in critical infrastructure sectors. Microsoft’s timeline of Russia’s cyber operations indicated that it began pre-positioning for conflict as early as March 2021, working to gain a foothold in Ukrainian systems and gain access to supply chain vendors critical to Ukraine.

The report found that Russia’s cyberattacks sometimes appear to be timed to coincide with its physical warfare. For instance, around the same time Russian forces invaded Mariupol, Russian operatives began sending emails posing as a Mariupol resident claiming the Ukrainian government had abandoned its people.

Microsoft also noted some limited espionage-related attacks against other NATO member states and some disinformation.

Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communication and Information Protection, suggested to reporters on Wednesday that Russia’s cyberattacks had plateaued in severity.

“If they wanted to arrange anything very destructive they had two months to do that,” Zhora said.

Microsoft estimates that Russia has deployed at least eight destructive malware families on Ukrainian networks, including the industrial control system-specific malware used in the electric grid attack, Industroyer2. Zhora says that the Ukrainian government has not observed signs of Industroyer2 being used against any other energy companies but doesn’t rule out the possibility.

Microsoft was more negative in its view of Russia’s potential for scaling up operations.

“If threat actors can maintain the current pace of development and deployment, we anticipate more destructive malware will be discovered as the conflict continues,” Microsoft vice president Tom Burt warned in a blog post.

AJ Vicens contributed to this story.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.