Sandworm (hacker group)

Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."

On 23 December 2015, hackers launched a coordinated cyberattack against 3 energy companies in Ukraine and succeeded in temporarily disrupting the supply of electricity to about 230,000 Ukrainians for 1-6 hours.

While the outage was ultimately short, a report released 3 years after the attack by security firm Dragos outlines a theory that the malware, known as Industroyer or CRASHOVERRIDE, was meant to destroy physical electrical equipment.

Attribution of the Olympic Destroyer malware proved difficult as it appeared the author(s) had included code samples belonging to multiple threat actors as false flags.

Concurrent with the US indictment announcement, the UK's National Cyber Security Centre (NCSC) published a report which publicly associated Sandworm with the 2018 Winter Olympics attack.

On 28 May 2020 the National Security Agency published a cybersecurity advisory warning that the Sandworm group was actively exploiting a remote code execution vulnerability (referred to as CVE-2019-10149) in Exim[32] to gain full control of mail servers.

In late March 2022, human rights investigators and lawyers at the UC Berkeley School of Law sent a formal request to the Prosecutor of the International Criminal Court in The Hague.

On 31 August 2023, the cybersecurity agencies of the US, UK, Canada, Australia, and New Zealand (collectively known as Five Eyes) jointly published a report on a new malware campaign and attributed it to Sandworm.

The name "Sandworm" was coined by researchers at iSight Partners (now Mandiant) because of references in the malware source code to Frank Herbert's novel Dune.

FBI wanted poster listing 6 Russian military officers indicted for cyber crimes.