A Decade of Sandworm: Digging into APT44’s Past and Future


After Mandiant recently “graduated” the notorious Sandworm group into APT44, Decipher’s Lindsey O’Donnell-Welch and Mandiant analysts Dan Black and Gabby Roncone reflect on the most pivotal moments from Sandworm over the last decade, from NotPetya to the Ukraine electric power grid attacks. Below is a lightly edited transcript of the video interview.

Lindsey O’Donnell-Welch: This is Lindsey O'Donnell Welch with Decipher and I'm joined today by two analysts with Mandiant, and we're going to talk about some new research that Mandiant released this week on the Sandworm group, now known as APT44. So here with me today is Dan Black, Mandiant principal analyst with Google Cloud, and Gabby Roncone, Mandiant senior analyst for the advanced practices team with Google Cloud. Dan and Gabby, Sandworm has been around for more than a decade, it's been affiliated with the Russian GRU, but Mandiant this week graduated Sandworm into an official APT group. Can you tell me a little bit about the decision process behind that? The group's been around for fifteen or so years - why now, and what went into that?

Gabby Roncone: Mandiant’s graduation process is this very unique, analytically rigorous process that we do and we've done since APT1, to essentially look back at all of our threat groups that are related to a certain threat actor, and do a rigorous deep dive on each one of those threat groups - try to understand the historical activity that we've seen and the current activity that we're seeing, and tie them together in order to graduate them into an APT.

This is something that gets kicked off when we believe that a threat group is especially deserving of the higher threat assessment kind of associated with the title. So for us, Sandworm was this group that obviously has been incredibly active over the last ten years, since we've been tracking them, but has been sort of the primary cyber sabotage unit for the Russian military intelligence since the war in Ukraine started. And when we saw sort of the prominent role that Sandworm was taking in Ukraine, and we were also undergoing so much of our own research in Ukraine with incident response engagements and such, we believed that we needed to undergo the graduation process as well, to make sure that our understanding of that group was really as in-depth as it could be. So, we spent over a year going through every single cluster of activity we thought might be related to Sandworm in the past and the present, and we were luckily able to tie those major historical incidents to the group that we are now seeing in Ukraine.

Lindsey O’Donnell-Welch: Can you talk a little bit about the advantages of having an APT designation like this and how it fits into giving threat intelligence that's associated with this group's activities more context in the future?

Dan Black: Yeah, so I think to reflect a little bit on what Gabby said as well, the process of graduating something from a UNC to maybe a temporary name that we give something - so Sandworm was very much a temporary name that we had designated - you can think of the step to take it to an APT as us reflecting a very deep level of understanding and confidence in what we are talking about, and so this is kind of like the latest stage of a process for us to say “hey, this is a very high severity threat, this is something that we have a very refined understanding of and we want to make sure that our customers, the public, are understanding that threat in the same way that we are.” So a lot of what we tried to do in this report is write something that will stand the test of time, to really contextualize what we've seen from a group over the past decade - its proclivities, its tendencies, what it likes to do, the wide scope of activity that it partakes in - in hopes that that'll help people understand, for their own threat models for the next decade, what to expect, when they should think that they might be in the targeting scope of this group, and what they should think about seeing in their networks if that's the case.

Lindsey O’Donnell-Welch: When I'm writing about these threat actors I always like to go down history lane, and Sandworm has an absolutely extensive history, in part because they've been behind super high-profile attacks. But then also, in the 2010s, it was really crazy to see these types of attacks where the group was using such destructive types of malware. So from your vantage point, looking at anything from the Industroyer Ukraine electric power grid attacks to the NotPetya attacks, what have been some of the more pivotal moments over the years of tracking Sandworm from a threat intel perspective?

Gabby Roncone: I feel like we can both take this one, because I feel that we'll maybe have the same answer or maybe we'll have different answers. I feel like with this group everyone sort of picks their own thing that they really enjoy tracking. The most obvious sort of pivotal moment to me is their movement into wartime operations, but I think that, even though our classification of the Russia war in Ukraine started on February 24, 2022, the really disruptive attacks in Ukraine start after the invasion in 2014. A year after the invasion, you have the first blackout with BlackEnergy 2 in the Ukrainian power grid, and then almost exactly a year later you have the next one with Industroyer. It seems like this group has been able to propel itself forward by actioning these really specific high-level mandates that align really strongly with the Russian government's interests at the time. And you see them just be active in every single geopolitical event that Russia seems to be having high stakes in. But kind of going off of that, you don't necessarily see the wartime pace of activity, and just the rapid adaptation, prior to 2022 that you then do in wartime. So it's been really interesting to see how this group that's sort of been at the forefront of a lot of these novel operations, that seem to almost push the line in the sand a little bit for what we see as norms in cyberspace over and over for the last ten years, then just suddenly ramps up its efforts very significantly during wartime.

Dan Black: Yeah. If I could reflect on something Gabby kept saying there - “novel,” “first,” “innovative” - all these concepts, and the fact that they've often been the first mover in the threat landscape for some of the most brazen and reckless things we've seen. The first group to try to disrupt an energy grid with manual interaction, and with custom malware to do that. The first to do this brazen case of digital election interference in 2016 with the U.S. elections, then trying to double down on that in 2017 in the French elections. The petty disruption of the Olympic Games in 2018 because they weren't allowed to participate under their national flag. It's a series of firsts in this space, and the thing that really drove us to want to report on this in-depth is the proliferation risk we see from some of that. When you have a group that's moving first, that often means that there are lessons to be learned, to identify from what they've done, and the challenge that we see when they do those kinds of things is that either countries that are developing cyber attack programs, or non-state actors who want to cause a little bit of chaos, have this body of evidence to learn from, because they're so forward-leaning in terms of their risk appetite. Their willingness to act is unparalleled. I think when you see other countries talked about in terms of developing cyber attack programs, they tend to do this in a test range or a test environment, something where they can collect the evidence they need but not expose it to the world. It almost seems like, you know, over the course of ten years, Sandworm/APT44 has participated in what's equivalent to live fire exercises. They've just done it in the real world with no concern for the downstream risks, the second order consequences, of what they're doing.
The proliferation risk from this stuff, whether you think back to 2015 when they first used Industroyer, or to some of the stuff that we reported on just last year, about what they used in October 2022, the MicroSCADA, the living off the land attacks against OT technologies - they're the first ones to take these steps, and other folks are going to absorb some of those lessons, iterate, adapt from what they've done, and they just make the threat landscape a little bit more dangerous every time they do that.

Gabby Roncone: I think also, one of the things, kind of building on Dan's point here, that we found really interesting looking at Sandworm’s wiper operations, even from the beginning of the war, is that they went from using these wipers that we call multifaceted - so they have different components to them, they can do multiple things outside of wiping - to these pure wipers. And the pure wipers, I guess, are just wipers that wipe. They aren’t setting persistence, they have no network communications, they're not really doing anything other than just being a lightweight tool to cause some disruption. But they are also moving into using sort of fake ransomware, and you kind of see echoes of ransomware tactics in some of Sandworm's operations too, which I think goes along with the brazenness of the actor, but also that bit of proliferation risk that Dan's talking about. Not only is Sandworm learning from ransomware actors that are causing real-time disruption in hospitals, in very high-risk environments, but they're also teaching the APT threat environment how to do that as well. So it's a very interesting situation.

Lindsey O’Donnell-Welch: That is an interesting dynamic. Now, in more recent years I know that you guys have done a lot of research into what some of the activities of the group have been, especially as it relates to both the war with Ukraine, but then also some of the espionage activities that they've launched even outside of that situation. That was also highlighted in your research this week. One thing that stuck out to me has been this shift a little more towards espionage efforts that was outlined in the research. Can you talk a little bit more about what you're seeing there with the group? Because, like you said, there's a lot there in terms of both using destructive malware but then also having these other elements to its attacks, and I think espionage is one very interesting area that this group has carved out.

Dan Black: Yeah, I can take a first stab at least. So I think one of the interesting things in thinking about Sandworm’s operations, or APT44’s operations, from the beginning of the war until today, is that Russia's war aims - what they've tried to achieve during the war - have evolved over that time. I think we all understand, from reading all the different things that were out there, that Russia thought it was going to win a very quick war at the beginning, right? They thought that this thing was going to be over in a couple of weeks, and so they kind of threw everything against the wall. We saw this mass wave of disruptions, all kinds of different wiper malware being used, and a really, really high intensity campaign of operations in those opening months of the war. After the first few months, it started to become very apparent that this wasn't going to be a war that was going to end overnight, that it was going to be a longer war, that they were going to have to settle in for the long term. And so in that adjustment, in terms of Putin, Russia, the understanding that the war aims had fundamentally changed and what they could achieve had changed, we started to see a shift in the types of operations we saw from Sandworm. It's been very instructive to see that as they settled into thinking this is a long war, that this wasn't going to be a war that moved rapidly from one front to another, but that the front was going to move inch by inch, they really settled into thinking about targeting mobile devices, about the platforms, the networks that are being used on the front line. So it's not necessarily about the enterprise networks that we saw them targeting in the beginning, but really more towards the high value targets of the front lines, ways that they can influence the outcomes of the conflict.
And I think they learned very fast that being able to collect that intelligence in different forms from the front lines, that tactical type of intelligence, has a real benefit to the conventional forces. So Russia has this thing they call the reconnaissance-strike complex; it’s about how you pull data in to be able to support targeting, all the different kinds of outcomes on the front ends of the battlefield. They've really shifted towards that outcome at this point in time. So I think, you know, understanding what we're seeing here is really about understanding the different contours of the conflict and how they’ve learned to adapt, to innovate, to absorb lessons of how to best support a long war, as their wider war aims changed.

Lindsey O’Donnell-Welch: Yeah, definitely. It’s interesting you mention the context there too, because I do feel like there is so much geopolitical history that goes into not just the more recent years but Sandworm and its activities over the past decade or 15 years. So I'd imagine having a deep knowledge, as researchers and analysts, of these different pieces of context, and understanding the motives behind what Russia is doing, or why it might be doing one thing or the other, also plays into a lot of how you view these different activity clusters.

Dan Black: Yeah, you know, one other point I would make is that before 2022 we had never seen a high intensity armed conflict like this, with cyber operations supporting it at the scale, the intensity, that we've seen, right? And so the change that we've seen from 2022 to 2024 is in part Sandworm learning how to best do that. If there's one thing that's true about this group, it’s that they tend to have more operational experience than anyone, because they've been so forward leaning over the years, but the strategic context of an armed conflict is so different than the things that we've seen day-to-day, and they really had to change the way they needed to operate to be able to support that environment when they're no longer in a kind of standalone role doing things like NotPetya, but trying to support the movements of conventional forces on the ground - very, very different outcomes, and no amount of theory is going to make you ready for what's going to happen in practice, right? There's a steady evolution, adaptation, that learning process that's going on throughout the course of the war; they're doing that, and it's our belief that in 2024 they're going to look very different than they did in 2023 as well. That learning process is still ongoing. They were on the defensive in 2023, and Russia's going back on the offensive, so that may change the scope and the type of operations that we may see in the future as well.

Lindsey O’Donnell-Welch: In the research you talked a little bit about the adoption of personas - these identities that essentially are the group creating identities on Telegram channels or other areas to claim responsibility for various disruptive wartime operations, or to add that extra psychological emphasis to amplify its attacks - and one persona that was mentioned was CyberArmyofRussia_Reborn. Can you talk a little bit about what you're seeing with these personas and how they've been adopted by Sandworm/APT44 throughout the research that you've done on them?

Gabby Roncone: So Sandworm/APT44 has been using personas for a very long time. They have always had a really interesting blend of different types of operations that they conduct. So we consider Sandworm/APT44 to be a full spectrum threat actor, and what this means is that they conduct disruptive operations, espionage operations, but also these influence operations. And these types of operations are often used to support each other for that psychological effect. With APT44 you might hear the name Guccifer 2.0 and have nightmares about 2016. Using these personas in cyber enabled influence operations allows them to take their operation to a different audience, create additional impacts, and really show off their own successes or perceived successes. Those goals, those aims, are basically what's happening here, but in a different context.

We have seen three primary hacktivist personas since the war began in February 2022, but CyberArmyofRussia_Reborn is a particularly notable one because of how closely we've linked this group with actual APT44 disruptive operations. In one case, we saw a mismatch, essentially, between the hacktivist persona posting a claim for a wiper operation before the wiper operation was actually successfully deployed. So there's clearly a very close coordination between APT44 and CyberArmyofRussia_Reborn. There are several different reasons why CyberArmyofRussia_Reborn may be utilized in this way. They could be used in some cases to sort of take the effects of the war off of the front and amplify them into civil society - especially since a lot of these wiper attacks aren't actually hitting military targets; they're hitting government and civil society organizations for the most part. CyberArmyofRussia_Reborn also has elements to it that, even though they're coordinating with APT44, they are definitely doing some weird DDoS stuff that, who knows if that's necessarily tied to APT44 or not, so we have to be a bit careful with our assessment there.

Lindsey O’Donnell-Welch: Thank you both so much for coming on, especially as we continue to look at where Sandworm and APT44 are going in the future - it should be really interesting to see how this group continues to evolve.