Google's Mandiant elevates Russian threat group Sandworm to APT44


Google’s Mandiant gives the Russian military-backed hacker collective Sandworm a new identity – APT44 – distinguishing the cyberespionage group as a continuously evolving and formidable threat that affects not just Ukraine but the entire geopolitical landscape.

“Given the active and diffuse nature of the threat posed by Sandworm globally, Mandiant decided to graduate the group into a named Advanced Persistent Threat: APT44,” said the Google-owned cybersecurity firm.

Mandiant’s threat intel group Wednesday released a 40-page report titled “APT44: Unearthing Sandworm.”

The report can be described as a dossier on the group: its history, how it operates, its relentless cyber campaigns against Ukraine, the dozens of malware variants identified in its arsenal, and what to expect next from the Kremlin-sponsored group.

Mandiant calls APT44, which has been observed in the wild since 2009, “a uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations.”

Mandiant said it has observed “further advancements” in the Russian collective’s capabilities to create new cyberattack concepts and methods, including “a new variant of Industroyer and Operational Technology (OT)-specific living-off-the-land attack capabilities.”

Mandiant report: Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm. Image by Mandiant.

In the report, Mandiant provides a 23-page section detailing all the malware researchers observed APT44 using since 2018.

Mandiant said it divided the section into three parts: custom malware unique to APT44, malware that is publicly or commercially available but modified and customized by APT44, and publicly or commercially available malware used by APT44.

Sandworm, also known as FROZENBARENTS or Seashell Blizzard, has also been tied to another Russian military-backed cyber sabotage group, APT28, which has been identified over the years and profiled extensively by the ESET Research group.

Although both are under the auspices of the Kremlin's Information Operations Division (Unit 55111) run by the Main Intelligence Directorate of the General Staff of the Armed Forces – commonly referred to as the GRU – Mandiant’s report clearly separates the two.

  • APT28 - Unit 26165 of the 85th Main Special Services Center (GTsSS)
  • APT44 - Unit 74455 (Sandworm) of the Main Center for Special Technologies (GTsST)
GRU VIO Structure including Unit 74455 from Mandiant report: Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm. Image by Mandiant.

APT28, formed in 2004 and also known as FancyBear, is best known for its handiwork infiltrating the US Democratic National Committee and Hillary Clinton’s campaign in an attempt to interfere with the 2016 US presidential elections, as well as breaking into the US and World Anti-Doping Agencies the same year.

Still going strong, this February, APT28 was caught unleashing a massive Russian botnet to attack the US and other governments, using spear-phishing campaigns, brute-force password attacks, and stealing router login credentials.

The Sandworm team, or Unit 74455, has been targeting sensitive infrastructure in Ukraine and other parts of the world since 2009. The GRU-sponsored unit is known for using DDoS and wiper attacks, releasing more than half a dozen new wiper malware strains since the Russian invasion.

"Sandworm is an apex predator, capable of serious operations, but they aren't infallible. It's increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors," Mandiant’s Chief Analyst John Hultquist said about the hacker group in April 2022, after it had attacked Ukraine’s power supply just weeks into the official start of the war.

Sandworm is also responsible for the notorious NotPetya attacks on Ukraine in 2017. The encrypting malware devastated the country’s IT infrastructure, interfered with monitoring systems at the Chornobyl Nuclear Power Plant, and disrupted several major banks, airports, the Ukrainian railway, and other critical organizations.

More recently, a known front for the Sandworm group named Solntsepyok claimed responsibility for the December 2023 attack on Ukraine’s largest mobile and internet provider, Kyivstar, which left half the country’s population without service for nearly a week.

The group has been unrelenting: on X Wednesday, along with its report, Mandiant revealed “that a ‘hacktivist’ persona created by APT44, has recently targeted & disrupted U.S. and Polish water utilities, as well as a French dam.”

Mandiant warns that APT44's in-the-wild “disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyberattack programs.”

Because of this, Mandiant expects APT44 to continue to present itself as one of the “widest and highest severity cyber threats globally.”

The Russian state-sponsored group's stealthiness has proven it to be “patient, resourceful, and able to remain undetected for long periods of time in victim environments,” Mandiant explains.

“Patterns of historical activity, such as efforts to influence elections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that may fuel the group’s operations in the future,” Mandiant said.

