Friday, Feb 14, 2025
Mugglehead Investment Magazine
Alternative investment news based in Vancouver, B.C.

Cyber Security

Mandiant report sheds light on cyber-threats to democracy

In 2020, authorities charged six Sandworm members for deploying malware against Ukrainian organizations in 2017

Image from Jenn Liv via NPR.

Google-owned global threat intelligence vendor Mandiant promoted the Russian hacker group Sandworm to APT44 status because of the threat it poses to global government and critical infrastructure organizations.

The company announced the rating in a blog post on Wednesday, citing the group’s role in the ongoing conflict between Russia and Ukraine and its highly adaptive nature as the reasons for the upgrade.

The designation APT stands for Advanced Persistent Threat, which indicates that this group employs advanced cyber tactics, maintains persistence in target networks, and pursues long-term objectives, typically aligned with state-sponsored espionage and disruption activities. APT44 is therefore both a designation and the name Mandiant now uses for the group.

While both Sandworm and APT44 are highly skilled Russian hacking groups with suspected government backing, their exact connection is debated. Some experts believe Sandworm is a subgroup of another APT group (APT29, also known as Cozy Bear or Ryuk), while others think they are simply different names for the same actor. The true relationship between these two notorious groups remains unclear.

What is clear is that for the past decade, Russia’s military intelligence unit known as Sandworm has acted as the Kremlin’s most aggressive cyberattack force. It has triggered blackouts in Ukraine and unleashed self-spreading, destructive code in incidents that rank among the most disruptive hacking events in history.

Mandiant emphasized how dangerous groups with this designation are compared with other threat groups, given APT44’s ability to deploy attacks, run influence operations and conduct espionage while backed by the Russian Main Intelligence Directorate (GRU).


Mandiant discovered APT44 primarily targets government entities

Since Mandiant exposed Sandworm a decade ago, the group has conducted many successful campaigns.

In 2020, authorities charged six Sandworm members for deploying the highly disruptive NotPetya malware against Ukrainian organizations in 2017. Sandworm also orchestrated the WannaCry ransomware attack in 2017.

“To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign,” Mandiant said in the report.

More recently, what Mandiant now identifies as APT44 has been heavily involved in the Russia-Ukraine war.

Mandiant has watched APT44 run a disruptive campaign since Russia’s initial invasion of Ukraine, and that campaign continues today. In several attacks, APT44 deployed wiper malware, which can cause permanent data loss.

In one 2022 attack, APT44 operators targeted Ukraine’s energy grid, resulting in power outages. While Mandiant highlighted the formidable threat that APT44 poses to Ukraine, the vendor also warned that other adversaries of Russia should be on alert. The vendor observed APT44 conducting espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America.

“Due to the group’s history of aggressive use of network attack capabilities across political and military contexts, APT44 represents a persistent, high severity threat to governments and critical infrastructure operators globally where Russian national interests intersect,” the report read.

APT44’s principal targets include government entities along with defense, transportation, energy, media, and civil society organizations located near Russia. Additionally, APT44 frequently targets government organizations and other critical infrastructure operators in Poland and Kazakhstan, as well as within Russia itself.


APT44 is a threat to democracy

Regarding U.S. targets, recent APT44 activity has focused on the water utility sector. Mandiant tracks GRU activities through the messaging platform Telegram. In January, researchers found a video on Telegram posted by a user known as CyberArmyofRussia_Reborn, who experts believe is associated with the GRU.

In the video, CyberArmyofRussia_Reborn claimed “credit for the manipulation of human machine interfaces (HMI) and controlling operational technology (OT) assets at Polish and U.S. water utilities.” That same month, the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. federal agency under the Department of Homeland Security (DHS), issued an incident response guide for the U.S. water and wastewater sectors and urged operators to strengthen their security protocols.

Furthermore, the company warned that APT44 should also be considered a threat to the democratic elections process.

It noted that the group has repeatedly targeted electoral systems and institutions in the West, including current and prospective North Atlantic Treaty Organization (NATO) member nations.

“We assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide ranging national interests and ambitions, including efforts to undermine democratic processes globally,” the report read.

For example, APT44 involved itself in the 2016 U.S. presidential election. Mandiant said APT44 sought to disrupt the elections process by releasing politically sensitive information and by using malware to manipulate election data.


APT44 involved in widespread credential theft

Dan Black, principal analyst at Mandiant and Google Cloud, said that APT44 has thrived for a decade because of its real-world operational experience. Supporting Russia’s political and military interests for the past 10 years allowed APT44 to continuously adapt its methods.

Black also said the group has shown an enduring interest in U.S. critical infrastructure over the past decade, emphasizing its role in influencing public opinion to manipulate elections.

Mandiant observed that APT44 conducted widespread credential theft targeting public and private sector mail servers globally. First discovered in 2019, the campaign targeted Exim, Zimbra, and Exchange email servers.

“Graduating Sandworm into APT44 is not only a reflection of the severity of the threat posed but also our depth of understanding of how the group operates,” Black said.

“The intensity of APT44’s operations in Ukraine has allowed us to develop a more holistic understanding of its methods and capabilities and the ability to strengthen our attribution around the group’s past operations.”

APT44 exploited a remote code execution vulnerability in Exim, demonstrating its persistence: organizations running Exim endured attacks for over a year.

Once inside a network, Mandiant observed, operators employ living off the land (LOTL) techniques to deepen access, establish persistence, and extract information.

These techniques refer to the practice where attackers use tools that are already present on the victim’s system or network to carry out their malicious activities.

To avoid detection, operators use pre-existing tools for reconnaissance, lateral movement, and data exfiltration within target networks.
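Because LOTL tooling is legitimate by definition, defenders cannot key on the binary itself; the useful signal is how a built-in tool is invoked, by what parent, and whether one host strings several such invocations together. The following is an added example, not code from Mandiant or the report: a small Python detector that scans constructed, Sysmon-style process-creation records (JSON lines) for built-in tools used in ways commonly associated with reconnaissance, lateral movement and exfiltration, then flags any host whose hits span several of those phases. The log lines, rule set, rule names and phase labels are assumptions made for illustration.

```python
"""Spot living-off-the-land (LOTL) activity in process-creation logs.

Added example (not Mandiant's or the report's code). The records, rules and
phase labels below are constructed for illustration; the record format loosely
follows Sysmon Event ID 1 fields (parent, image, command line, user, host).
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry, one JSON object per line. The base64 after
# -EncodedCommand is a placeholder string, not a real payload.
SAMPLE_LOG = r"""
{"ts":"2024-04-17T09:01:10Z","host":"WS-0142","user":"CORP\\jdoe","parent":"explorer.exe","image":"notepad.exe","cmd":"notepad.exe report.txt"}
{"ts":"2024-04-17T09:03:41Z","host":"WS-0142","user":"CORP\\jdoe","parent":"WINWORD.EXE","image":"cmd.exe","cmd":"cmd.exe /c whoami /all & net group \"Domain Admins\" /domain & nltest /dclist:corp"}
{"ts":"2024-04-17T09:05:02Z","host":"WS-0142","user":"CORP\\jdoe","parent":"cmd.exe","image":"WMIC.exe","cmd":"wmic /node:FS-01 process call create \"cmd.exe /c dir C:\\Shares\""}
{"ts":"2024-04-17T09:10:55Z","host":"FS-01","user":"NT AUTHORITY\\SYSTEM","parent":"services.exe","image":"svchost.exe","cmd":"svchost.exe -k netsvcs"}
{"ts":"2024-04-17T09:12:30Z","host":"WS-0142","user":"CORP\\jdoe","parent":"cmd.exe","image":"certutil.exe","cmd":"certutil.exe -encode C:\\Temp\\archive.zip C:\\Temp\\archive.txt"}
{"ts":"2024-04-17T09:13:05Z","host":"WS-0142","user":"CORP\\jdoe","parent":"cmd.exe","image":"powershell.exe","cmd":"powershell.exe -NoProfile -EncodedCommand QUJDREVGR0hJSktMTU5PUA=="}
"""


@dataclass(frozen=True)
class Rule:
    """A LOTL pattern: which built-in tool, used how, and what phase it suggests."""
    name: str
    phase: str
    image: str                    # regex on the process image basename
    cmd: Optional[str] = None     # regex on the command line (None = any)
    parent: Optional[str] = None  # regex on the parent image basename (None = any)


RULES = [
    # An Office document spawning a shell is a classic initial-execution signal.
    Rule("office_spawns_shell", "execution",
         image=r"^(cmd|powershell|wscript|cscript|mshta)\.exe$",
         parent=r"^(winword|excel|powerpnt|outlook)\.exe$"),
    # Built-in discovery commands chained together: host and domain reconnaissance.
    Rule("builtin_recon_chain", "reconnaissance",
         image=r"^(cmd|powershell)\.exe$",
         cmd=r"\b(whoami|nltest|systeminfo|net\s+(group|user|view))\b"),
    # WMI used to start a process on another host: lateral movement without new tooling.
    Rule("wmic_remote_process", "lateral_movement",
         image=r"^wmic\.exe$",
         cmd=r"/node:\S+.*\bprocess\s+call\s+create\b"),
    # certutil (a certificate tool) used to encode/decode or fetch files: staging or exfil.
    Rule("certutil_file_transform", "exfiltration",
         image=r"^certutil\.exe$",
         cmd=r"-(encode|decode|urlcache)\b"),
    # Encoded PowerShell hides the script body from casual review of the log line.
    Rule("powershell_encoded", "execution",
         image=r"^powershell\.exe$",
         cmd=r"-(e|ec|enc|encodedcommand)\b"),
]


def _basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_log(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records, rules=RULES):
    """Return one alert per (record, rule) match, in log order."""
    alerts = []
    for rec in records:
        image, parent = _basename(rec["image"]), _basename(rec.get("parent", ""))
        for rule in rules:
            if not re.search(rule.image, image, re.I):
                continue
            if rule.parent and not re.search(rule.parent, parent, re.I):
                continue
            if rule.cmd and not re.search(rule.cmd, rec.get("cmd", ""), re.I):
                continue
            alerts.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                           "rule": rule.name, "phase": rule.phase, "cmd": rec.get("cmd", "")})
    return alerts


def summarize(alerts, min_phases=3):
    """Hosts whose alerts span at least `min_phases` distinct phases.

    A single LOTL hit is often routine admin work; one host moving through
    execution, reconnaissance, lateral movement and exfiltration in a short
    window is what merits escalation to an incident.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["phase"])
    return {h: sorted(p) for h, p in by_host.items() if len(p) >= min_phases}


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']:<22} {a['phase']:<16} {a['rule']}")
    print("hosts with multi-phase LOTL activity:", summarize(found))
```

Run on the constructed log, the notepad and svchost records produce nothing, while the workstation WS-0142 trips five rules across four phases and is the only host `summarize` reports. The per-host phase threshold is the design choice worth copying: it keeps individual `whoami` or `certutil` invocations from paging anyone while still surfacing the chained pattern the article describes.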


Joseph Morton, joseph@mugglehead.com
