APT44, also known as Sandworm, is a Russian state-sponsored Advanced Persistent Threat (APT) group with a track record of executing significant cyberattacks. This group has been identified by various names over the years, such as Voodoo Bear, Iridium, Seashell Blizzard, Iron Viking, Telebots, and most recently, APT44. The name “Sandworm” was derived from code references to the “Dune” series found in their malware.
Over the years, Sandworm has evolved from conducting espionage to executing destructive cyberattacks and ransomware campaigns. Active since at least 2009, they are believed to be associated with the GRU (Main Intelligence Directorate), a branch of Russian military intelligence. Their activities generally align with Russian geopolitical objectives, often aiming to disrupt critical infrastructure in targeted countries.
Sandworm has been credited with nearly all of the disruptive and destructive cyber operations against Ukraine over the last decade. Since Russia’s invasion of Ukraine in 2022, Sandworm has acted as a central hub for various cyber activities targeting Ukraine and its allies, ranging from influence operations and hacktivist-led disruptions to outright destructive attacks.
Earlier this year, Sandworm targeted 20 critical infrastructure facilities in Ukraine, impacting energy, water, and heating systems across 10 regions. Coordinated with Russian military strikes, these attacks exploited supply chain vulnerabilities and utilised new malware strains like BIASBOAT and LOADGRIP, enabling network infiltration and persistence.
Operating under the hacktivist identity CyberArmyofRussia_Reborn, Sandworm has also claimed responsibility for cyberattacks on water utilities in the United States, Poland, and France. These incidents affected the human-machine interfaces (HMIs) that manage vital operations, causing a water tank to overflow in the U.S. and disruptions at a hydroelectric plant in France.
Sandworm is infamous for several disruptive attacks that targeted governments, critical infrastructure, and private enterprises:
2015 and 2016 Ukraine Power Grid Attacks: Sandworm carried out cyberattacks on Ukraine’s power grid, causing widespread blackouts affecting hundreds of thousands of people. They used the BlackEnergy malware for initial access and Industroyer (also known as CrashOverride) to disrupt industrial control systems.
NotPetya (2017): One of the most devastating cyberattacks to date, NotPetya posed as ransomware but was, in fact, destructive malware that crippled businesses globally. It targeted Ukrainian infrastructure but rapidly spread beyond it, causing over $10 billion in damages worldwide.
Olympic Destroyer (2018): Sandworm launched a cyberattack against the Pyeongchang Winter Olympics, disrupting IT systems just before the opening ceremony. The group used malware designed to erase data and spread quickly, causing significant chaos.
Viasat Attack (2022): During Russia’s invasion of Ukraine, the group conducted a cyberattack on the US-based satellite communications company Viasat, disabling satellite modems used by Ukraine’s military. The attack resulted in widespread outages affecting communications infrastructure in Ukraine and parts of Europe.
Unlike most state-sponsored cyber groups, Sandworm doesn’t focus on a single mission like intelligence gathering or sabotage. Instead, they engage in espionage, attacks, and influence operations. They often mix spying with cyber sabotage using various tactics, such as:
1. Hacktivist Fronts: Sandworm has increasingly used hacktivist fronts like CyberArmyofRussia_Reborn, XAKNET, and Solntsepek to obscure their identity. By operating under these guises, they can launch attacks while propagating pro-Russian narratives, making attribution difficult.
2. Infrastructure Hijacking: The group uses YouTube and Telegram channels connected to these fronts to spread disinformation, leak exfiltrated data, and deflect attention from its state-sponsored nature.
3. Ransomware Deployment: Sandworm has recently adopted ransomware as a primary tool. Their ability to encrypt critical systems and demand ransom payments puts public and private organisations at significant risk. They are known to use malware strains like NotPetya and Industroyer.
4. Targeted Phishing Campaigns: The group frequently uses spear-phishing emails to gain initial access to systems, often masquerading as legitimate correspondence to lure targets into compromising their networks.
5. Exploitation of Zero-Day Vulnerabilities: Sandworm exploits unpatched vulnerabilities and uses custom malware to gain persistence in their targets’ networks. They often leverage destructive malware alongside ransomware to cause further disruption.
To defend against the evolving and highly sophisticated tactics of Sandworm, organisations should adopt a comprehensive, multi-layered security approach:
1. Network Segmentation: Isolate critical systems to limit lateral movement in the event of a breach. Ensure operational technology (OT) and IT environments are properly segmented.
2. Regular Patching and Vulnerability Management: Implement rigorous patch management processes to ensure that systems are kept up to date with the latest security patches, particularly for the known vulnerabilities that Sandworm exploits.
3. Employee Training: Conduct regular cybersecurity awareness training for employees to recognise phishing attempts and other social engineering tactics used by APT groups.
4. Advanced Endpoint Protection: Deploy endpoint detection and response (EDR) tools that can identify and block ransomware and malware strains typically used by Sandworm. Leverage threat intelligence platforms to stay updated on emerging threats.
5. Backup and Recovery: Ensure regular, secure backups of critical data and systems. Maintain an incident response plan to restore operations quickly in the event of a ransomware attack.
6. Network Monitoring and Threat Hunting: Use advanced monitoring solutions, such as Security Information and Event Management (SIEM) systems, to detect unusual activities early. Proactive threat hunting can help identify breaches before they escalate.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risk by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.