Sandworm Group Shifts to Espionage Attacks, Hacktivist Personas


Recent activity by the well-known Sandworm group - which researchers with Mandiant have started calling APT44 - relies on a mix of espionage efforts and hacktivist personas, and shows how the group continues to pose a “persistent, high severity threat” to governments and critical infrastructure entities globally.

The threat group, which has been active for at least 15 years and is known to be affiliated with the Russian GRU, has played key roles in cyber operations supporting Russia’s military campaign as the war in Ukraine enters its third year. Though the group is best known for its destructive malware attacks, Mandiant researchers in a Wednesday analysis said that APT44 has recently conducted more espionage-related operations that likely support Russian military operations, such as intercepting communications via mobile networks or devices in order to gain a tactical advantage on the battlefield. For instance, in August 2023 multiple governments warned of APT44’s Infamous Chisel malware, which was used to collect information from Android devices and from applications specific to the Ukrainian military. Even with the war ongoing, researchers have seen the group launch espionage operations across North America, Europe, the Middle East, Central Asia and Latin America.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we've ever seen, in full-blown support of Russia’s war of territorial aggression,” said Dan Black, principal analyst on the cyber espionage team with Google's Mandiant. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly. Over the course of the war, we have seen APT44’s posture shift away from disruption as its primary focus toward espionage to provide battlefield advantage to Russia’s conventional forces.”

One emerging feature of APT44’s operations has been its emphasis on psychological operations that amplify the impact of its intrusions. For instance, the group has created hacktivist identities on Telegram channels to claim responsibility for its various disruptive wartime operations. Based on various clues, including infrastructure overlaps, Google’s Threat Analysis Group assesses that APT44 created and controls one such persona, called “CyberArmyofRussia_Reborn.” In January, this persona’s Telegram channel posted videos taking credit for the manipulation of human-machine interfaces used by water utilities in the U.S. and Poland. Mandiant researchers said they could not independently verify these intrusion claims or their links to APT44, but noted that officials at the impacted U.S. utilities have publicly acknowledged incidents at the same entities that the CyberArmyofRussia_Reborn videos advertised as victims.

“The attacks on the water sector and other critical infrastructure in the US and Europe by Cyber Army of Russia Reborn (CARR) are very serious, though it’s not clear if this was actually the GRU,” said John Hultquist, Mandiant’s chief intel analyst. “APT44 has leveraged the hacktivist group as a front for its operations before, but it is possible others have become associated with CARR and are operating outside of the GRU’s control or direction. Nonetheless, the GRU’s proximity to this activity is worrying.”

The Russian threat group, which has been attributed by the U.S. Department of Justice and by the UK National Cyber Security Centre to the Russian GRU Unit 74455, has been behind several high-profile attacks, particularly leveraging malware with destructive functionalities in the 2010s. In 2015 and 2016, the group was behind malware attacks against Ukraine’s electric power grids using malware known as BlackEnergy, Industroyer and KillDisk. The group also launched the NotPetya malware attacks in 2017 against companies worldwide and the Olympic Destroyer malware campaigns against the 2018 PyeongChang Winter Olympic Games.

Part of what sets the group apart, researchers said, is its ability to specialize in distinct missions, such as collecting intelligence or conducting information operations, and to integrate them into a unified playbook over time. APT44 has also used a diverse range of tactics, including living-off-the-land techniques, and a variety of initial access methods, from phishing and exploitation of known vulnerabilities to targeted supply-chain compromises.

Mandiant on Wednesday announced that it has “graduated” Sandworm into APT44. Mandiant researchers frequently “graduate” threat clusters to named APTs as they collect more information over time and their understanding of a group’s activities matures. Mandiant has tracked APT44 extensively for more than a decade, but researchers said that the near-term threat the group poses to elections in 2024, a year in which at least 64 countries worldwide will hold elections, was one particular factor in the decision.

“Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia,” said Mandiant researchers in their analysis on Wednesday. “Given the active and persistent threat to governments and critical infrastructure operators globally, Mandiant has decided to graduate the group into APT44.”