Mandiant formally pins Sandworm cyber attacks on APT44 group

Mandiant has formally attributed a long-running campaign of cyber attacks by a Russian state actor known as Sandworm to a newly designated advanced persistent threat group to be called APT44.

Google Cloud’s threat intel and research unit, Mandiant, has today formally attributed the cyber espionage and warfare campaigns carried out by a Russian actor widely known as Sandworm, pinning its attacks on a new, standalone advanced persistent threat (APT) group that it will henceforth be tracking as APT44.

With its intrusions dating back to Russia’s illegal annexation of Crimea in 2014, APT44 has been active for over a decade, and was involved in many high-profile Russian state cyber attacks, including hack-and-leak attacks on the 2016 US elections, the NotPetya incident, and attacks on the 2018 Olympic Winter Games in South Korea.

Since late 2021, its work has largely centred on Ukraine, where it helped lay the groundwork for Moscow’s February 2022 attack on Kyiv with a campaign of cyber attacks deploying destructive wiper malware. Since then, the unit has conducted multiple attacks against targets in Ukraine.

APT44 is run by Unit 74455 at the Main Centre for Special Technologies (GTsST) at the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), better known as the Main Intelligence Directorate (GRU), founded by Joseph Stalin during the Soviet era, although not to be confused with the KGB.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we’ve ever seen, in full-blown support of Russia’s war of territorial aggression,” said Dan Black, manager for cyber espionage analysis at Mandiant, and one of the lead authors of Mandiant’s new report on APT44. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly.

“Over the course of the war, we have seen APT44’s posture shift away from disruption as its primary focus toward espionage to provide battlefield advantage to Russia’s conventional forces,” he said. “This is not to say that sabotage is off the table, but that APT44 seems much more calculated about the targets it pursues and the capabilities it opts to use. This is a highly adaptive and innovative adversary that is clearly absorbing lessons on how cyber operations can best support a long war and is adjusting its methods accordingly.”

Mandiant said APT44’s operations in support of Moscow’s aims have proven “tactically and operationally adaptable”, and that the operation was remarkably well integrated with the activities of Russia’s military. No other Russian government APT has played a more central role in shaping the conventional war in Ukraine, it added.

Why now?

Cyber security experts tend to be unanimous that attribution is a complex beast that requires intense research and evaluation of the evidence. This holds true even when a specific group’s activities are well known in the security community, and extensively documented in blog posts, research papers and in the media.

If there is even a slight degree of doubt over the evidence available, it can be extremely unhelpful, even unwise, to firmly attribute any cyber campaign to a known individual or group, even if well intentioned. To do so can cause problems for defenders who may mistakenly go chasing the wrong thing, and invites other, unintended consequences. It may even upset threat actors, who are notoriously self-obsessed and thin-skinned, and cause them to lash out in unforeseen ways.

As such, it has not really been possible to make confident statements on Sandworm’s precise nature up to now for a number of reasons – among them talk of operational overlap between APT44 and other groups such as APT28 (aka Fancy Bear) – which does indeed “sit across the corridor” under the auspices of the GTsST’s Unit 26165 (the two operations have likely worked together on a number of high-profile campaigns, according to Mandiant).

But by giving it a formal and confident designation, Mandiant said it will be easier for defenders globally to identify and track its activity, sharing intelligence more appropriately in the hope of thwarting the group’s goals.

Why should they need to do so? Because, said Mandiant, the threat posed by APT44 is far from limited to Ukraine. APT44 operations have been observed around the world, and because the group has a history of interfering in democratic processes, its threat potential is highly elevated in 2024, given the number of elections taking place that are likely to be targeted for Russian interference.

Indeed, Mandiant describes APT44 as a persistent and high-severity threat both to governments and operators of critical national infrastructure in states where Russia perceives it has a national interest, the UK included. APT44, with its advanced capabilities, high risk tolerance and mandate to support the Kremlin’s foreign policy goals, places such organisations at risk of falling into its clutches with little to no notice.

Added to this, Mandiant said APT44 represents a significant proliferation risk for new cyber attack tactics, techniques and procedures, lowering the barrier of entry for both state-backed and financially motivated threat actors to develop their own campaigns.

Looking ahead, the researchers said APT44 would “almost certainly” continue to represent one of the widest and highest cyber threats globally for the foreseeable future. Its history of involvement with some of the most widely known cyber attacks of the past decade suggests “no limit to the nationalist impulses” feeding its operations.

And just because it has been tied up in Ukraine does not mean it will not pivot to the UK and US if its paymasters feel doing so is warranted. The upcoming showdowns between Rishi Sunak and Keir Starmer and Joe Biden and Donald Trump may well draw its attention.

“The threat from APT44 does not end at Ukraine’s borders,” said Black. “Despite the ongoing war, we continue to see APT44 operations globally. We’ve seen the group experiment with using ransomware against transportation and logistics networks in Europe.

“And with a number of pivotal elections on the horizon, some of which will shape the trajectory of future Western military aid to Ukraine, APT44’s history of attempting to interfere in democratic processes means vigilance around this group is of utmost importance,” he said.