This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. In 2018, Germany’s domestic intelligence agency released a technical alert about this threat actor, and the United Kingdom attributed the actor to Russian military intelligence.In May 2020, the NSA publicly accused the group of targeting email servers worldwide.Sandworm is associated with Telegram accounts which have taken credit for sabotage attacks on critical infrastructure (water facilities) in Poland, the U.S., and France.