{"id":47530,"date":"2022-07-15T15:16:44","date_gmt":"2022-07-15T15:16:44","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/sandworm-apt-trolls-researchers-on-its-trail-while-it-targets-ukraine"},"modified":"2022-07-15T15:16:44","modified_gmt":"2022-07-15T15:16:44","slug":"sandworm-apt-trolls-researchers-on-its-trail-as-it-targets-ukraine","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/sandworm-apt-trolls-researchers-on-its-trail-as-it-targets-ukraine\/","title":{"rendered":"Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt63cbf9324ab1c9b7\/62d09ad0b35d9f73ad5a6a4e\/powergrid_Brian_Guest_Alamy.jpeg\" class=\"ff-og-image-inserted\"><\/div>\n<p>The infamous Sandworm threat group operating out of Russia&#8217;s military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask&nbsp;Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm&#8217;s newer malware variants earlier this year: The Sandworm attackers&nbsp;disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool \u2014 the very same tool the researchers had used to analyze the attackers&#8217; malware. <\/p>\n<p>Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm&nbsp;most likely was brazenly \u2014 and sarcastically \u2014 making a point that the group knew ESET was on its trail.&nbsp;&#8220;There&#8217;s no reason to use IDAPro&#8221; in an attack on an engineering substation because that&#8217;s not a tool that would be used on that system, he explains. &#8220;It&#8217;s fairly clear the attackers are fully aware we are onto them and blocking their threats. 
They are maybe trolling us, I would say.&#8221;<\/p>\n<p>That wasn&#8217;t the only message&nbsp;Sandworm seemed to be sending. The group also dropped&nbsp;a Trojan-ridden version of ESET&#8217;s security software in its targeting of Ukrainian networks. &#8220;They were sending a message that they were aware we are doing our job protecting the users in Ukraine,&#8221; Lipovsky says.<\/p>\n<p>Lipovsky was part of the ESET team that \u2014 along with Ukraine&#8217;s computer emergency response team (CERT-UA) and Microsoft \u2014 in April&nbsp;blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation&#8217;s electric grid.<\/p>\n<p>Industroyer2 is a more custom version of the first iteration (Industroyer)&nbsp;that <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/latest-ukraine-blackout-tied-to-2015-cyberattackers\" target=\"_blank\" rel=\"noopener\">Sandworm unleashed in December 2016<\/a>, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt&nbsp;to thwart recovery operations when the attackers&#8217; planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations \u2014 circuit breakers and protective relays, for instance \u2014 via popular industrial network protocols.<\/p>\n<p>Even after&nbsp;the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April,&nbsp;Sandworm continues to relentlessly&nbsp;hammer at Ukraine&#8217;s cyber defenses. &#8220;It didn&#8217;t end with Industroyer2. 
It continues today,&#8221; says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/12\/industroyer2-industroyer-reloaded\/\" target=\"_blank\" rel=\"noopener\">their insiders&#8217; view<\/a> of Sandworm and&nbsp;dissect the group&#8217;s Industroyer2 malware <a href=\"https:\/\/www.blackhat.com\/us-22\/briefings\/schedule\/#industroyer2-sandworm39s-cyberwarfare-targets-ukraine39s-power-grid-again-27832\" target=\"_blank\" rel=\"noopener\">at Black Hat USA in Las Vegas next month<\/a>.&nbsp;<\/p>\n<p>&#8220;There are more wipers today \u2026 and new execution chains being used,&#8221; he says.<\/p>\n<p>Most of the current attack attempts by Sandworm against Ukraine&#8217;s infrastructure now carry disk-wiping weapons. &#8220;We&#8217;ve seen disruption activity [attempts] at an increased rate since February,&#8221; he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it&#8217;s not the only one. <\/p>\n<h2 class=\"regular-text\">Industroyer2 up Close<\/h2>\n<p>In their Black Hat talk, Lipovsky and Cherepanov&nbsp;plan to reveal more technical details about Sandworm that haven&#8217;t yet been made public, as well as share recommendations for utilities to&nbsp;defend against the nation-state group&#8217;s attacks.<\/p>\n<p>Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the original.&nbsp;Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It&#8217;s likely more efficient and focused that way:&nbsp;&#8220;[IEC 104 is]&nbsp;one of the most common [OT] protocols and a regional thing&#8221; in Europe, he notes. <\/p>\n<p>The disk-wiping capabilities of&nbsp;Industroyer2 eclipse those of the first version. 
&#8220;The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping,&#8221; he says. Industroyer2 is more &#8220;self-contained&#8221; and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents.&nbsp;<\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/15\/caddywiper-new-wiper-malware-discovered-ukraine\/\" target=\"_blank\" rel=\"noopener\">CaddyWiper<\/a>&nbsp;is the main disk wiper used with Industroyer2. Sandworm&nbsp;pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs&nbsp;ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.<\/p>\n<p>Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim&#8217;s network. &#8220;They wipe regular workstations to disrupt a target&#8217;s operations, but they want to keep their presence once they&#8217;ve infiltrated an environment,&#8221;&nbsp;Lipovsky says.<\/p>\n<p>Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the&nbsp;initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. 
CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year&nbsp;and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.<\/p>\n<h2 class=\"regular-text\">Defense Against Industroyer, Sandworm<\/h2>\n<p>While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry.&nbsp;&#8220;Industroyer was a wake-up call for the whole ICS community. This is a serious threat,&#8221; Lipovsky says.<\/p>\n<p>The playbook for protecting an OT network from Industroyer and related attacks isn&#8217;t much different from others. &#8220;It&#8217;s what we&#8217;ve always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls,&#8221; Lipovsky says.<\/p>\n<p>In their talk at Black Hat, Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools.<\/p>\n<p>They also plan to reiterate that&nbsp;engineering workstations in OT networks have become major&nbsp;targets, so they have to be part of the security equation.&nbsp;&#8220;A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. 
These machines should have the appropriate security measures and solutions that are multilayered,&#8221; including running EDR or XDR tools, he says.<\/p>\n<p> Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/sandworm-apt-trolls-researchers-on-its-trail-while-it-targets-ukraine\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers who helped thwart the Russian nation-state group&#8217;s recent attack on Ukraine&#8217;s power supply will disclose at Black Hat USA what they found while reverse-engineering the powerful Industroyer2 malware used by the powerful hacking team.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-47530","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47530"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47530\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}