Google-owned global threat intelligence vendor Mandiant promoted the Russian hacker group Sandworm to APT44 status because of the threat it poses to global government and critical infrastructure organizations.
The company rated the hacker group in a blog post on Wednesday, specifically revealing the reasons for the upgrade because of its role in the ongoing conflict between Russia and Ukraine, and its highly adaptive nature.
The designation APT stands for Advanced Persistent Threat, indicating a group that employs advanced cyber tactics, maintains persistence in target networks, and pursues long-term objectives, typically aligned with state-sponsored espionage and disruption. For clarity, APT44 is also the name Mandiant now uses for this Russian hacker group, so it serves as both a designation and a group name.
While both Sandworm and APT44 are highly skilled Russian hacking groups with suspected government backing, their exact connection is debated. Some experts believe Sandworm is a subgroup of another APT group (APT29, also known as Cozy Bear or Ryuk), while others think they are simply different names for the same actor. The true relationship between these two notorious groups remains unclear.
What is clear is that for the past decade, Russia’s military intelligence unit known as Sandworm has acted as the Kremlin’s most aggressive cyberattack force. It has triggered blackouts in Ukraine and unleashed self-spreading, destructive code in incidents that rank among the most disruptive hacking events in history.
Mandiant emphasized how much more dangerous a group with this designation is compared to other threat groups, given its ability to deploy attacks, conduct influence operations and carry out espionage while backed by the Russian Main Intelligence Directorate (GRU).
Mandiant discovered APT44 primarily targets government entities
Since Mandiant exposed Sandworm a decade ago, the group has conducted many successful campaigns.
In 2020, authorities charged six Sandworm members for deploying the highly disruptive NotPetya malware against Ukrainian organizations in 2017. Sandworm also orchestrated the WannaCry ransomware attack in 2017.
“To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign,” Mandiant said in the report.
More recently, what Mandiant now identifies as APT44 has been heavily involved in the Russia-Ukraine war.
Mandiant has watched APT44 run a disruptive campaign since Russia’s initial invasion of Ukraine, and that campaign continues today. In several attacks, APT44 deployed wiper malware, which can cause permanent data loss.
In one 2022 attack, APT44 operators targeted Ukraine’s energy grid, resulting in power outages. While Mandiant highlighted the formidable threat that APT44 poses to Ukraine, the vendor also warned that other adversaries of Russia should be on alert. The vendor observed APT44 conducting espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America.
“Due to the group’s history of aggressive use of network attack capabilities across political and military contexts, APT44 represents a persistent, high severity threat to governments and critical infrastructure operators globally where Russian national interests intersect,” the report read.
APT44’s principal targets include government entities along with defense, transportation, energy, media, and civil society organizations located near Russia. Additionally, APT44 frequently targets government organizations and other critical infrastructure operators in Poland and Kazakhstan, as well as within Russia itself.
Mandiant reveals that a “hacktivist” persona created by APT44 has recently targeted & disrupted U.S. and Polish water utilities, as well as a French dam.
Read more on our latest findings here: https://t.co/sA5Cy1ckUB #Mandiant #APT44
— Mandiant (@Mandiant) April 17, 2024
APT44 is a threat to democracy
Regarding U.S. targets, recent APT44 activities have targeted the water utility sector. Mandiant tracks GRU activities through the messaging platform Telegram. In January, researchers found a video on Telegram posted by a user known as CyberArmyofRussia_Reborn, who experts believe is associated with the GRU.
In the video, CyberArmyofRussia_Reborn claimed “credit for the manipulation of human machine interfaces (HMI) and controlling operational technology (OT) assets at Polish and U.S. water utilities.” That same month, the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. federal agency under the Department of Homeland Security (DHS), issued an incident response guide for the U.S. water and wastewater sectors and urged operators to strengthen their security protocols.
Furthermore, the company warned that APT44 should also be considered a threat to the democratic elections process.
It noted that the group has repeatedly targeted electoral systems and institutions in the West, including current and prospective North Atlantic Treaty Organization (NATO) member nations.
“We assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide ranging national interests and ambitions, including efforts to undermine democratic processes globally,” the report read.
For example, APT44 involved itself in the 2016 U.S. presidential election. Mandiant said APT44 sought to disrupt the elections process by releasing politically sensitive information and by using malware to manipulate election data.
APT44 involved in widespread credential theft
Dan Black, principal analyst at Mandiant and Google Cloud, said that APT44 has thrived for a decade because of its real-world operational experience. Supporting Russia’s political and military interests for the past 10 years allowed APT44 to continuously adapt its methods.
Black also said the group has shown an enduring interest in U.S. critical infrastructure over the past decade, emphasizing its role in influencing public opinions to manipulate elections.
Mandiant observed that APT44 conducted widespread credential theft targeting public and private sector mail servers globally. First discovered in 2019, the campaign targeted Exim, Zimbra, and Exchange mail servers.
“Graduating Sandworm into APT44 is not only a reflection of the severity of the threat posed but also our depth of understanding of how the group operates,” Black said.
“The intensity of APT44’s operations in Ukraine has allowed us to develop a more holistic understanding of its methods and capabilities and the ability to strengthen our attribution around the group’s past operations.”
APT44 exploited a remote code execution vulnerability in Exim to showcase its persistence. As a result, organizations using Exim endured attacks for over a year.
Mandiant observed that, after penetrating networks, operators employ living off the land (LOTL) techniques to deepen access, establish persistence, and extract information.
These techniques refer to the practice where attackers use tools that are already present on the victim’s system or network to carry out their malicious activities.
To avoid detection, operators use pre-existing tools for reconnaissance, lateral movement, and data exfiltration within target networks.
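Because LOTL activity uses binaries that are legitimately present on every host, detection has to key on context (which process launched which tool, with what arguments) rather than on the tool itself. The following is an added example, not code from the article or from the Mandiant report: a small Python detector that runs over constructed process-creation log lines (the field layout, host names, and command lines are all invented for illustration) and flags three common LOTL patterns from a defender's perspective: an Office application spawning a script host, PowerShell launched with an encoded command, and built-in Windows utilities used for domain reconnaissance or for creating processes on a remote host.

```python
"""Flag living-off-the-land (LOTL) patterns in process-creation logs.

Added example for illustration; the log format and every sample event below
are constructed, not taken from any report.
Format of one event: timestamp|host|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from typing import Iterator

SAMPLE_LOGS = """\
2024-04-17T10:01:02Z|ws-0142|jsmith|explorer.exe|winword.exe|WINWORD.EXE report.docx
2024-04-17T10:01:09Z|ws-0142|jsmith|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc QQBBAEEA
2024-04-17T10:02:30Z|ws-0142|jsmith|cmd.exe|net.exe|net group "Domain Admins" /domain
2024-04-17T10:04:45Z|ws-0142|SYSTEM|services.exe|svchost.exe|svchost.exe -k netsvcs
2024-04-17T10:05:20Z|srv-fs01|backupsvc|cmd.exe|wmic.exe|wmic /node:srv-db02 process call create "cmd.exe /c whoami"
2024-04-17T10:06:00Z|ws-0142|jsmith|explorer.exe|notepad.exe|notepad.exe notes.txt
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str   # parent image name, lower-cased
    image: str    # image name, lower-cased
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    image: str


# Office applications that should never need to start an interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in script/LOLBin hosts commonly abused after a document opens.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def parse(log_text: str) -> Iterator[Event]:
    """Parse pipe-delimited events; malformed records are skipped, not fatal."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)   # command line may itself contain '|'
        if len(parts) != 6:
            continue
        ts, host, user, parent, image, cmdline = parts
        yield Event(ts, host, user, parent.lower(), image.lower(), cmdline)


def classify(ev: Event) -> list[str]:
    """Return the names of every LOTL rule this single event matches."""
    rules: list[str] = []
    cmd = ev.cmdline.lower()
    # 1. Parent/child relationship: Office app launching a script host.
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        rules.append("office_app_spawned_script_host")
    # 2. Evasion: PowerShell started with an encoded command.
    if ev.image == "powershell.exe" and re.search(r"\s-(e|ec|enc|encodedcommand)\b", cmd):
        rules.append("encoded_powershell_command")
    # 3. Reconnaissance: domain group/user enumeration with net.exe.
    if ev.image in {"net.exe", "net1.exe"} and re.search(r"\b(group|user|localgroup)\b.*\s/domain", cmd):
        rules.append("domain_discovery_via_net")
    # 4. Lateral movement: wmic asked to create a process on another node.
    if ev.image == "wmic.exe" and re.search(r"/node:\S+.*process\s+call\s+create", cmd):
        rules.append("remote_process_creation_via_wmic")
    return rules


def analyze(log_text: str) -> list[Finding]:
    """Run every rule over every event and collect the hits."""
    return [
        Finding(ev.ts, ev.host, rule, ev.image)
        for ev in parse(log_text)
        for rule in classify(ev)
    ]


def findings_per_host(findings: list[Finding]) -> dict[str, int]:
    """Count hits per host so the noisiest machine is triaged first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.ts} {f.host:<9} {f.rule:<34} {f.image}")
    print(findings_per_host(hits))
```

The value of the parent/child rule is that it fires on a legitimate binary (PowerShell) only in a context where it has no business appearing, which is exactly the gap that signature-based tooling leaves open when an intruder uses pre-installed utilities. In production these checks would be expressed as Sigma or EDR rules over Sysmon event ID 1 or Windows event 4688 rather than as a script, but the logic is the same.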
