Mandiant exposé on APT44

General blogs Mark 23/04/2024 0 Comments

Mandiant – the Google-owned Cyber Security company have released an in-depth exposé on the Russian threat actor group known as APT44, more commonly known as Sandworm.

The full 40-page report can be downloaded from the link above, but for those who prefer a shorter read – I cover the salient points here:

APT44 is a dynamic and operationally mature threat actor who are Sponsored by Russian military intelligence, and are actively engaged in the full spectrum of espionage, attack, and influence operations.
APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade.
APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide ranging national interests and ambitions, including efforts to undermine democratic processes globally.
Due to the group’s history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high severity threat to governments and critical infrastructure operators globally where Russian national interests intersect.
APT44 primarily targets government, defense, transportation, energy, media, and civil society organizations in Russia’s near abroad. Government bodies and other Critical Infrastructure and Key Resources (CIKR) operators in Poland, Kazakhstan, and within Russia have frequently been included in the group’s recent targeting.
APT44 has repeatedly targeted Western electoral systems and institutions, including those in current and prospective NATO member countries. As part of this activity, APT44 has attempted to interfere with democratic processes in select countries by leaking politically sensitive information and deploying malware to access election systems and misreport election data.
APT44 frequently targets journalists, civil society organizations, and nongovernmental bodies involved in research or investigations into the Russian government.
- Examples include the 2018 operation targeting the Organization for the Prohibition of Chemical Weapons (OPCW) for its role in the Novichok poisoning investigations and a phishing campaign by an assessed APT44 initial access cluster between December 2023 and January 2024 which targeted Bellingcat and other investigative journalism entities .

Who are APT 44?

APT 44 (A.K.A. Sandworm, FROZENBARENTS, and Seashell Blizzard) is a Russian Federation backed threat group attributed by multiple governments to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), commonly known as the Main Intelligence Directorate (GRU).

Publicly available images of the unit’s anniversary insignia places the group’s formation in 2009.

APT44 Tactics, Techniques, & Procedures

APT44 is a highly dynamic and adaptive threat actor with multiple Tactics, Techniques, and Procedures (TTPs), and as such, gain initial access to victim networks by multiple methods including phishing, credentials stuffing, vulnerability exploitation, and supply chain attacks.

For more specific attacks, APT44 has used leveraged the deployment of trojanised software installers typically distributed via Russian & Ukrainian language forums.

Once downloaded, the infected devices are flagged by APT44 operators for further exploitation with other malware such as DarkCrystalRat which gives operators full, remote-control of the victim device.

Living off the land (LOTL) techniques are frequently used by APT44 operators to stay stealthy whilst navigating through victim networks and is known to use a low equity approach to the deployment of further malware.

This means that they typically use open-source, or criminally obtained malware as opposed to their own in-house developed assets. The group only deploys their own malware on high-value targets.

Mandiant assess that APT44 has likely long viewed criminally sourced tools and infrastructure as a latent pool of disposable capabilities that can be operationalised on short notice without immediate attributive links to its past operations.