Module 2: Threat actors & case studies (4/4)
Modern operators: Sandworm, Volt Typhoon, ransomware crews
Duration: 40 min
The threat landscape today
Stuxnet, Industroyer, and TRITON were the opening chapters. The current threat landscape is defined by three categories of adversary, each with different motivations, capabilities, and operational tempos.
| Category | Primary motivation | Dwell time | Example groups |
|---|---|---|---|
| Nation-state APTs | Pre-positioning for future conflict; espionage; strategic disruption | Months to years | Sandworm, Volt Typhoon, APT33/Elfin |
| Ransomware crews | Financial extortion | Days to weeks | LockBit, BlackCat/ALPHV, Clop, Conti |
| Hacktivists / insiders | Ideological disruption; revenge | Hours to days | Cyber Av3ngers, disgruntled employees |
Sandworm (Russia / GRU Unit 74455)
Sandworm is the most capable and persistent ICS-targeted threat group publicly tracked. Attributed to Russia's GRU military intelligence, Sandworm is responsible for:
- 2015 Ukraine grid attack — BlackEnergy + KillDisk; first known cyber-caused power outage.
- 2016 Industroyer — automated, protocol-native grid attack (covered in lesson 2.2).
- 2017 NotPetya — supply-chain attack via Ukrainian tax software M.E.Doc; $10B+ in global collateral damage.
- 2022 Industroyer2 — updated variant deployed against Ukrainian grid infrastructure during the Russia-Ukraine war.
Key takeaway
Sandworm's evolution
Between 2015 and 2022, Sandworm progressed from manual HMI manipulation to fully automated, protocol-native attacks deployable against any IEC 104 grid. Each iteration was faster, more modular, and harder to detect.
Industroyer2 (2022)
Deployed in April 2022, Industroyer2 was a streamlined version of the 2016 original:
- Single executable (no modular DLLs).
- IEC 104 payload only (dropped IEC 61850 and OPC-DA).
- Hard-coded target IPs and IOA addresses for specific Ukrainian substations.
- Paired with CaddyWiper to destroy Windows hosts post-execution.
Ukrainian defenders, assisted by ESET and CERT-UA, detected and neutralised the attack before breakers were opened.
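Industroyer2 carried a fixed list of target IPs and IOA addresses and spoke IEC 104 natively, so the only thing on the wire was a well-formed control command from the wrong host. The monitor below is an added example, not ESET's, CERT-UA's or the course's code: it parses the IEC 104 APDU/ASDU framing (start byte, length, control field, type ID, VSQ, cause of transmission, common address, information object addresses) and alerts when a control-direction ASDU (single, double, step or set-point command) comes from a source that is not on an engineering allow-list, or targets an IOA that source is not approved to operate. The master IP, common address, IOAs and the four captured frames are constructed for the example.

```python
# Added example (not from the course): allow-list monitor for IEC 104 control
# commands, the ASDU family Industroyer2 used. Source IPs, IOAs and frames below
# are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

# Control-direction type IDs and the size of one information element (IEC 60870-5-101/104).
CONTROL_TYPES = {
    45: ("C_SC_NA_1", 1),  # single command: SCO
    46: ("C_DC_NA_1", 1),  # double command: DCO
    47: ("C_RC_NA_1", 1),  # regulating step command: RCO
    48: ("C_SE_NA_1", 3),  # set-point, normalised value + QOS
    49: ("C_SE_NB_1", 3),  # set-point, scaled value + QOS
    50: ("C_SE_NC_1", 5),  # set-point, IEEE 754 float + QOS
}

@dataclass
class Asdu:
    type_id: int
    cot: int            # cause of transmission (6 = activation, 8 = deactivation)
    common_addr: int
    ioas: list[int] = field(default_factory=list)

def parse_apdu(frame: bytes) -> Asdu | None:
    """Parse one IEC 104 APDU; return the ASDU of an I-format frame, None for S/U-format."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (start byte 0x68 missing)")
    apdu_len = frame[1]                       # number of bytes that follow the length byte
    if len(frame) < apdu_len + 2:
        raise ValueError("truncated APDU")
    if frame[2] & 0x01:                       # S-format (..01) and U-format (..11) carry no ASDU
        return None
    asdu = frame[6:apdu_len + 2]
    if len(asdu) < 6:
        raise ValueError("ASDU header too short")
    type_id, vsq = asdu[0], asdu[1]
    sequential, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F                      # drop the T and P/N flag bits
    common_addr = int.from_bytes(asdu[4:6], "little")
    parsed = Asdu(type_id, cot, common_addr)
    if type_id not in CONTROL_TYPES:
        return parsed                         # monitoring-direction ASDUs: header only
    elem_len = CONTROL_TYPES[type_id][1]
    pos = 6
    if sequential:                            # SQ=1: one IOA, then consecutive elements
        base = int.from_bytes(asdu[pos:pos + 3], "little")
        pos += 3
        parsed.ioas = [base + i for i in range(count)]
        pos += count * elem_len
    else:                                     # SQ=0: every element carries its own 3-byte IOA
        for _ in range(count):
            parsed.ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
            pos += 3 + elem_len
    if pos != len(asdu):
        raise ValueError("ASDU length does not match its object count")
    return parsed

# Engineering-approved control relationships (constructed): (master IP, common address) -> IOAs it may operate.
ALLOWED_CONTROL = {
    ("10.0.1.10", 1): {1000, 1001, 1002},
}

def check_control(src_ip: str, frame: bytes) -> list[str]:
    """Return alert strings for a control command that violates the allow-list; [] otherwise."""
    asdu = parse_apdu(frame)
    if asdu is None or asdu.type_id not in CONTROL_TYPES:
        return []
    name = CONTROL_TYPES[asdu.type_id][0]
    allowed = ALLOWED_CONTROL.get((src_ip, asdu.common_addr))
    if allowed is None:
        return [f"{name} from {src_ip} to CA {asdu.common_addr}: source not authorised to send controls"]
    alerts = [f"{name} from {src_ip}: IOA {ioa} not in allow-list" for ioa in asdu.ioas if ioa not in allowed]
    if asdu.cot not in (6, 8):
        alerts.append(f"{name} from {src_ip}: unexpected cause of transmission {asdu.cot}")
    return alerts

# Constructed frames, hex laid out as APCI | type, VSQ, COT, CA | IOA, element.
FRAME_SC_ON   = bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01")  # C_SC_NA_1, IOA 1000, on/execute
FRAME_DC_OFF  = bytes.fromhex("68 0E 00 00 00 00 2E 01 06 00 01 00 D1 07 00 01")  # C_DC_NA_1, IOA 2001, off/execute
FRAME_TESTFR  = bytes.fromhex("68 04 43 00 00 00")                                # U-format TESTFR act
FRAME_MEASURE = bytes.fromhex("68 12 00 00 00 00 0D 01 03 00 01 00 B8 0B 00 00 00 80 3F 00")  # M_ME_NC_1, IOA 3000

if __name__ == "__main__":
    for src, frame in [("10.0.1.10", FRAME_SC_ON), ("10.0.1.77", FRAME_DC_OFF),
                       ("10.0.1.77", FRAME_TESTFR), ("10.0.1.20", FRAME_MEASURE)]:
        print(src, check_control(src, frame) or "ok")
```

Run as a script it prints one line per frame: the SCADA master's single command passes, the double command from the unapproved host 10.0.1.77 raises an alert, and the test frame and the measurement report are ignored because neither is a control. The same parser can sit on a span port of the substation switch; the allow-list is the piece that turns protocol decoding into a detection, since the command itself is indistinguishable from an operator's.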
Volt Typhoon (China / PRC)
In May 2023, Microsoft and the Five Eyes intelligence alliance disclosed Volt Typhoon — a PRC-sponsored group that had been pre-positioning inside U.S. critical infrastructure for at least two years.
What makes Volt Typhoon different
Unlike Sandworm, Volt Typhoon has not (publicly) executed a destructive attack. Instead, it focuses on persistence and access maintenance:
- Living-off-the-land — uses built-in Windows tools (PowerShell, WMI, netsh) instead of custom malware. No malware means no signature for antivirus to detect.
- SOHO router compromise — hijacks small-office/home-office routers to proxy traffic, making attribution harder.
- Targets — water treatment, power, communications, transportation, maritime ports.
Worked example
CISA advisory AA24-038A (February 2024) confirmed that Volt Typhoon had maintained access to multiple U.S. critical-infrastructure networks for at least five years in some cases. The group's objective is assessed as pre-positioning for disruption in the event of a geopolitical crisis — specifically, a Taiwan Strait scenario.
IEC 62443 relevance
Volt Typhoon's living-off-the-land techniques bypass traditional signature-based detection. The relevant IEC 62443 controls are:
- FR 6 – Timely Response to Events — behavioural monitoring, not just signature matching.
- FR 1 – Identification & Authentication — MFA on all remote and privileged access.
- FR 2 – Use Control — principle of least privilege; audit PowerShell and WMI usage.
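Because every binary Volt Typhoon runs is a signed Microsoft executable, a hash or signature check passes all of them; what FR 6 asks for instead is a baseline of who normally runs those tools, where, and when. The script below is an added example, not from the course or from any vendor product: it reads a subset of Windows process-creation events (Security event 4688 fields), learns from a known-clean period which (host, user) pairs legitimately run PowerShell, WMI and netsh, and then flags later executions from pairs it has never seen, noting off-hours execution as an additional reason. Host names, accounts, paths and events are constructed.

```python
# Added example (not from the course): behavioural monitoring of living-off-the-land
# tool use, built on a learned baseline instead of malware signatures. Hosts, accounts
# and events are constructed.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe"}   # the built-in tools named in the lesson

@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Windows Security event 4688 (process creation) record."""
    time: datetime
    host: str
    user: str
    image: str       # NewProcessName
    cmdline: str     # CommandLine (needs command-line auditing enabled)

def tool_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def build_baseline(events):
    """Learn, per tool, which (host, user) pairs ran it during a known-clean period."""
    baseline = defaultdict(set)
    for e in events:
        tool = tool_name(e.image)
        if tool in LOTL_TOOLS:
            baseline[tool].add((e.host, e.user))
    return baseline

def detect(events, baseline, maintenance_hours=range(7, 19)):
    """Flag LotL tool use from a (host, user) pair never seen in the baseline.
    Off-hours execution is added as a reason, not used as a trigger on its own."""
    alerts = []
    for e in events:
        tool = tool_name(e.image)
        if tool not in LOTL_TOOLS:
            continue
        if (e.host, e.user) in baseline.get(tool, set()):
            continue
        reasons = [f"{tool} never run by {e.user} on {e.host} during baseline"]
        if e.time.hour not in maintenance_hours:
            reasons.append("outside the maintenance window")
        alerts.append((e, reasons))
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\wmic.exe"
NETSH = r"C:\Windows\System32\netsh.exe"

# Constructed events. Baseline period: routine administration on the OT network.
BASELINE_EVENTS = [
    ProcessEvent(datetime(2024, 3, 4, 9, 15), "eng01", "ot_admin", PS, "powershell.exe -File backup_config.ps1"),
    ProcessEvent(datetime(2024, 3, 6, 14, 2), "scada-srv", "svc_backup", WMIC, "wmic.exe logicaldisk get size,freespace"),
]
# Recent window to inspect.
RECENT_EVENTS = [
    ProcessEvent(datetime(2024, 3, 20, 10, 5), "eng01", "ot_admin", PS, "powershell.exe -File backup_config.ps1"),
    ProcessEvent(datetime(2024, 3, 21, 2, 13), "hmi-03", "operator1", NETSH, "netsh.exe interface show interface"),
    ProcessEvent(datetime(2024, 3, 21, 9, 0), "scada-srv", "svc_backup", WMIC, "wmic.exe logicaldisk get size,freespace"),
    ProcessEvent(datetime(2024, 3, 21, 9, 30), "hmi-03", "operator1", r"C:\Windows\System32\notepad.exe", "notepad.exe shift_log.txt"),
]

def run_example():
    return detect(RECENT_EVENTS, build_baseline(BASELINE_EVENTS))

if __name__ == "__main__":
    for event, reasons in run_example():
        print(f"{event.time:%Y-%m-%d %H:%M} {event.user}@{event.host}: {event.cmdline}")
        for r in reasons:
            print("   -", r)
```

Only the netsh execution on the HMI at 02:13 is flagged; the two administrative runs match the baseline and notepad is not a tool of interest. The design choice worth noting is that the trigger is the (host, user, tool) combination, not the tool itself: PowerShell on an engineering workstation is normal and alerting on it would bury the one event that matters. In practice the baseline is rebuilt periodically and reviewed so that an intruder's early activity does not get learned as normal.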
Ransomware targeting OT
Ransomware crews have historically targeted IT systems, but the blast radius increasingly reaches OT:
Colonial Pipeline (May 2021)
DarkSide ransomware encrypted Colonial Pipeline's billing and IT systems. The company shut down the OT pipeline as a precaution — not because the OT was compromised, but because they could no longer meter and bill fuel deliveries. The result: fuel shortages across the U.S. East Coast, a $4.4M ransom paid, and a national emergency declaration.
JBS Foods (May 2021)
REvil ransomware forced JBS — the world's largest meat processor — to shut down plants in the U.S., Canada, and Australia. $11M ransom paid.
Norsk Hydro (March 2019)
LockerGoga ransomware forced the aluminium giant to switch to manual operations across 170 plants in 40 countries. Estimated cost: $71M.
Key takeaway
The IT/OT convergence risk
In Colonial Pipeline, the OT was never infected — but the business could not operate without the IT billing system. This demonstrates that IT and OT are operationally coupled even when they are network-separated. Your risk assessment must account for IT dependencies.
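One way to make that IT dependency explicit in a risk assessment is to model operations as a dependency graph and ask which of them halt when a given IT asset is lost. The script below is an added example, not from the course or any published Colonial Pipeline analysis: each node lists the groups of assets it needs, where every group must have at least one member available (so a database with a DR replica forms one group of two). Losing only the primary ERP database leaves delivery running through the replica; losing the directory service both depend on takes billing and then fuel delivery down while the pipeline SCADA is untouched. Asset names and edges are constructed.

```python
# Added example (not from the course): a dependency model showing which operations
# stop when an IT system is unavailable, even though no OT asset is affected.
# Asset names and dependency edges are constructed, loosely patterned on Colonial Pipeline.
from __future__ import annotations

# node -> list of requirement groups; a node runs only if every group has at least one member up
DEPENDENCIES: dict[str, list[set[str]]] = {
    "fuel_delivery":            [{"pipeline_scada"}, {"custody_transfer_billing"}],
    "custody_transfer_billing": [{"flow_metering"}, {"erp_database", "erp_dr_replica"}],
    "flow_metering":            [{"pipeline_scada"}],
    "pipeline_scada":           [],
    "erp_database":             [{"active_directory"}],
    "erp_dr_replica":           [{"active_directory"}],
    "active_directory":         [],
}
IT_ASSETS = {"erp_database", "erp_dr_replica", "active_directory", "custody_transfer_billing"}
OT_ASSETS = {"pipeline_scada", "flow_metering"}

def impacted(graph: dict[str, list[set[str]]], unavailable: set[str]) -> set[str]:
    """Transitive closure: a node goes down when any of its requirement groups is entirely down."""
    down = set(unavailable)
    changed = True
    while changed:
        changed = False
        for node, groups in graph.items():
            if node in down:
                continue
            if any(group <= down for group in groups):
                down.add(node)
                changed = True
    return down

def single_points_of_failure(graph, operation: str, candidates: set[str]) -> set[str]:
    """Assets in `candidates` whose loss on its own stops `operation`."""
    return {a for a in candidates if a != operation and operation in impacted(graph, {a})}

def scenario(graph, encrypted: set[str]) -> dict[str, bool]:
    """For a ransomware scenario that encrypts `encrypted`, report whether delivery continues
    and whether any OT asset was actually affected."""
    down = impacted(graph, encrypted)
    return {
        "fuel_delivery_running": "fuel_delivery" not in down,
        "ot_assets_affected": bool(down & OT_ASSETS),
    }

if __name__ == "__main__":
    print("ERP primary only:", scenario(DEPENDENCIES, {"erp_database"}))
    print("Directory service:", scenario(DEPENDENCIES, {"active_directory"}))
    print("IT single points of failure for delivery:",
          sorted(single_points_of_failure(DEPENDENCIES, "fuel_delivery", IT_ASSETS)))
```

The second scenario is the Colonial Pipeline effect in miniature: `ot_assets_affected` is false and `fuel_delivery_running` is also false. The single-points-of-failure query is the output a risk assessment actually wants, because it tells you which IT assets need the same recovery-time objective as the OT process they silently gate.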
Ransomware trends in OT (2024–2025)
[Chart (hand-drawn): ICS-impacting ransomware incidents by sector (2024)]
- Manufacturing is the most-targeted sector because downtime cost is immediate and the willingness to pay is high.
- Water/wastewater is increasingly targeted because municipal utilities have minimal security budgets.
- Double extortion (encrypt + exfiltrate) is now the default model.
Hacktivists and insiders
Cyber Av3ngers (Iran-linked)
In November 2023, the Iran-affiliated group Cyber Av3ngers compromised a Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania. The attack defaced the HMI with an anti-Israel message and temporarily disrupted a booster pump station. The PLC had a default password and was directly exposed to the internet.
Insider threats
The Maroochy Shire case (lesson 0.4) remains the canonical insider-threat case for ICS. Modern insider risks include:
- Contractors with persistent VPN access.
- Disgruntled employees with engineering-workstation credentials.
- Social engineering targeting OT operators who are not trained in cybersecurity.
Mapping threats to IEC 62443 security levels
| SL-T | Threat actor capability | Example |
|---|---|---|
| SL 1 | Casual or accidental | Malware via USB, untrained insider |
| SL 2 | Motivated individual or hacktivist | Cyber Av3ngers, disgruntled contractor |
| SL 3 | Sophisticated group with ICS expertise | Ransomware crews with OT playbooks |
| SL 4 | State-sponsored with extensive resources | Sandworm, Volt Typhoon, Stuxnet developers |
Key Takeaways
- Sandworm (GRU) is the most capable ICS-targeted group; Industroyer2 (2022) shows continued evolution.
- Volt Typhoon (PRC) pre-positions inside U.S. critical infrastructure using living-off-the-land techniques — no custom malware.
- Ransomware increasingly impacts OT, even when only IT is encrypted (Colonial Pipeline effect).
- Hacktivists and insiders exploit default credentials and internet-exposed PLCs.
- IEC 62443 Security Levels (SL 1–4) map directly to threat-actor capability classes.
Quick check
A water utility asks you: "Should we be worried about nation-state attacks? We're just a small town." Draft a three-sentence response using the Aliquippa incident and the Volt Typhoon advisory.
Knowledge Check
3 questions — test your understanding before moving on.
Q1. What distinguishes Volt Typhoon's operational approach from Sandworm's?
- Volt Typhoon targets only manufacturing while Sandworm targets only energy.
- Volt Typhoon uses living-off-the-land techniques (built-in OS tools) instead of custom malware, making signature-based detection ineffective.
- Volt Typhoon conducts destructive attacks while Sandworm focuses on espionage.
- Volt Typhoon only targets systems outside the United States.
Volt Typhoon uses built-in Windows tools (PowerShell, WMI, netsh) instead of custom malware. No malware means no signature for antivirus to detect. This living-off-the-land approach requires behavioural monitoring (FR 6) rather than traditional signature-based detection.
Q2. In the Colonial Pipeline incident, why did the company shut down its OT pipeline?
- The OT systems were directly infected by ransomware.
- The PLCs were physically damaged by the attack.
- The IT billing and metering systems were encrypted, and the company could not operate the pipeline without them.
- A government agency ordered the shutdown.
The OT pipeline itself was never infected. Colonial shut it down because the IT billing system was encrypted and they could not meter or bill fuel deliveries. This demonstrates that IT and OT are operationally coupled even when network-separated — risk assessments must account for IT dependencies.
Q3. Which IEC 62443 Security Level maps to the capability of a well-resourced nation-state actor like Sandworm?
- SL 1 — casual or accidental
- SL 2 — motivated individual
- SL 3 — sophisticated group
- SL 4 — state-sponsored with extensive resources
SL 4 represents the highest threat-actor capability: state-sponsored groups with extensive resources, ICS expertise, and the ability to develop custom tools and zero-day exploits. Sandworm (GRU Unit 74455) exemplifies this category.