Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure

Threat intelligence firm Mandiant unveiled a detailed report on Wednesday exposing APT44, identified as Russia’s infamous cyber sabotage unit known as Sandworm. APT44 primarily targets government, defense, transportation, energy, media, and civil society organizations in Russia’s near abroad. Government bodies and other Critical Infrastructure and Key Resources (CIKR) operators in Poland, Kazakhstan, and within Russia have frequently been included in the group’s recent targeting. 

Due to its history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high-severity threat to governments and critical infrastructure operators globally wherever Russian national interests intersect, Mandiant researchers said in a blog post on Wednesday. “The combination of APT44’s high capability, risk tolerance, and far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and critical infrastructure operators around the world at risk of falling into the group’s sights on short notice.”

“APT44 has repeatedly targeted Western electoral systems and institutions, including those in current and prospective North Atlantic Treaty Organization (NATO) member countries,” Mandiant identified in its report. “As part of this activity, APT44 has attempted to interfere with democratic processes in select countries by leaking politically sensitive information and deploying malware to access election systems and misreport election data.” 

Also, in less discriminate operations, Mandiant continues to observe APT44 conducting widespread credential theft against public and private sector mail servers globally. This campaign, which dates back to at least 2019, has targeted various mail environments, including Exim, Zimbra, and Exchange servers, across a wide range of industry verticals.

Furthermore, Mandiant detailed that APT44 also frequently targets journalists, civil society organizations, and non-governmental bodies involved in research or investigations into the Russian government. “Examples include the 2018 operation targeting the Organization for the Prohibition of Chemical Weapons (OPCW) for its role in the Novichok poisoning investigations and a phishing campaign by an assessed APT44 initial access cluster between December 2023 and January 2024 which targeted Bellingcat and other investigative journalism entities.”

Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations, the researchers added. “While most state-backed threat groups tend to specialize in a specific mission such as collecting intelligence, sabotaging networks, or conducting information operations, APT44 stands apart in how it has honed each of these capabilities and sought to integrate them into a unified playbook over time. Each of these respective components, and APT44’s efforts to blend them for combined effect, are foundational to Russia’s guiding “information confrontation” concept for cyber warfare.”

They added that APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely seen by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements. 

“Throughout Russia’s war, APT44 has waged a high intensity campaign of cyber sabotage inside of Ukraine,” according to Mandiant researchers. “Through the use of disruptive cyber tools, such as wiper malware designed to disrupt systems, APT44 has sought to impact a wide range of critical infrastructure sectors. At times, these operations have been coordinated with conventional military activity, such as kinetic strikes or other forms of sabotage, in an attempt to achieve joint military objectives.” 

However, as the war has endured, APT44’s relative focus has transitioned away from disruption to intelligence collection. The group’s targets and methods shifted significantly in the second year of the war, with increasing emphasis placed on espionage activity intended to provide battlefield advantage to Russia’s conventional forces. For example, one long-running APT44 campaign has assisted forward-deployed Russian ground forces to exfiltrate communications from captured mobile devices to collect and process relevant targeting data. APT44’s approach to supporting Russia’s military campaign has evolved considerably over the past two years.

The researchers “assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide-ranging national interests and ambitions, including efforts to undermine democratic processes globally.”  

Despite being an arm of Russia’s military, the group’s sabotage activity is not limited to military objectives and also spans Russia’s wider national interests, such as driving the Kremlin’s political signaling efforts, responses to crises, or intended non-escalatory responses to perceived slights to Moscow’s stature in the world.  

“APT44’s support of the Kremlin’s political objectives has resulted in some of the largest and most consequential cyber attacks in history,” the researchers said. “These operations include first-of-their-kind disruptions of Ukraine’s energy grid in the winters of 2015 and 2016, the global NotPetya attack timed to coincide with Ukraine’s Constitution Day in 2017, and the disruption of the opening ceremony of the 2018 Pyeongchang Olympics in response to Russia’s doping ban from the games, to name a few.”

The researchers also judge APT44 to present a significant proliferation risk for new cyber attack concepts and methods. “Continued advancements and in-the-wild use of the group’s disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs. Russia itself is almost certainly alert to and concerned about this proliferation risk, as Mandiant has observed Russian cybersecurity entities exercise their ability to defend against categories of disruptive cyber capabilities originally used by APT44 against Ukraine.”

APT44 is a persistent and operationally mature adversary that uses diverse initial access methods ranging from common vectors such as phishing, credential harvesting, and known vulnerability exploitation to targeted supply chain compromises. The group commonly leverages nonselective initial access vectors that provide wide-ranging access to targets of interest, later down-selecting victims of interest for the full spectrum of follow-on activity. 

The report disclosed that APT44 frequently achieves initial access through the exploitation of edge infrastructure such as routers and virtual private network (VPN) appliances. “We have observed the group fulfill a variety of missions from footholds gained on network perimeters, including reconnaissance, information theft, downstream phishing, and the deployment of wiper malware.”

“Following in the footsteps of ETERNALPETYA (aka NotPetya), APT44 also continues to subvert software supply chains for initial access. In one recent case, access to a software developer resulted in the downstream compromise of critical infrastructure networks in Eastern Europe and Central Asia, followed by the deployment of wiper malware to a select victim organization,” the report detailed. “APT44 is also known to employ unconventional methods to compromise targets of interest. As of February 2024, the group continues to leverage trojanized software installers distributed via torrents on Ukrainian- and Russian-language forums as a means of achieving opportunistic initial access to potential targets of interest.” 

Once a trojanized installer has been downloaded, APT44 operators manually flag victims of interest with specifics such as the victim organization or unit name, designating them for follow-on exploitation. “We have seen these victims receive payloads such as DARKCRYSTALRAT (or DCRAT), commodity malware that APT44 has also used to target telecommunications entities in Ukraine.”
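The supply-chain and trojanized-installer vectors described in the two paragraphs above share one defensive control: never run an installer whose digest does not match what the publisher distributed through a trusted channel. The following is an added example, not code from the Mandiant report or from any vendor, showing that check in Python. It parses a `sha256sum`-style manifest, streams each file through SHA-256, and reports `ok`, `mismatch` (the file differs from the published build) or `unlisted` (the publisher never vouched for a file by that name). The file names, contents and digests are constructed at runtime; a trojanized copy is simulated by appending bytes to the genuine file.

```python
"""Verify downloaded installers against a publisher's digest manifest.

Added example (not from the Mandiant report): a defender-side integrity check
against trojanized installers. File names and digests are constructed at runtime.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'sha256  filename' lines (the sha256sum output format) into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_installer(path: str, manifest: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    # Constant-time comparison of the two hex digests.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict:
    """Build three constructed files and verify them; returns per-file verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "suite-setup.exe")
        with open(genuine, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4096)  # constructed stand-in for a real installer

        # The publisher's manifest is computed from the genuine build only.
        manifest = parse_manifest(f"{sha256_file(genuine)}  suite-setup.exe\n")

        # A tampered copy: same file name, extra bytes appended to the original.
        torrent_dir = os.path.join(tmp, "torrent")
        os.mkdir(torrent_dir)
        tampered = os.path.join(torrent_dir, "suite-setup.exe")
        with open(genuine, "rb") as src, open(tampered, "wb") as dst:
            dst.write(src.read() + b"EXTRA")

        # A file the publisher never listed cannot be vouched for at all.
        unlisted = os.path.join(tmp, "suite-setup-cracked.exe")
        with open(unlisted, "wb") as f:
            f.write(b"MZ" + b"\x01" * 64)

        return {
            "genuine": verify_installer(genuine, manifest),
            "tampered": verify_installer(tampered, manifest),
            "unlisted": verify_installer(unlisted, manifest),
        }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The manifest itself must come from a channel the downloader trusts (the vendor's HTTPS site or a signed release file), since a digest published next to a tampered installer proves nothing; an `unlisted` verdict is treated the same as a mismatch for deployment purposes.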

Looking ahead, the Mandiant researchers identified that APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally. “It has been at the forefront of the threat landscape for over a decade and is responsible for a long list of firsts that have set precedents for future cyber attack activity. Patterns of historical activity, such as efforts to influence elections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that may fuel the group’s operations in the future.”

As Russia’s war continues, the researchers added “we anticipate Ukraine will remain the principal focus of APT44 operations. However, as history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider strategic objectives globally is ingrained in its mandate. We therefore assess that changing Western political dynamics, upcoming elections, and emerging issues in Russia’s near abroad will also continue to shape APT44’s operations for the foreseeable future.”
