
'Sandworm' Group Is Russia's Primary Cyberattack Unit in Ukraine

But even with that focus, the sophisticated threat group has continued operations against targets globally, including the U.S., says Google's Mandiant.

This article originally appeared on Dark Reading.

The formidable Sandworm hacker group has played a central role supporting Russian military objectives in Ukraine over the past two years even as it has stepped up cyberthreat operations in other regions of strategic political, economic, and military interest to Russia.

That's the upshot of the analysis of the threat actor's activities undertaken by Google Cloud's Mandiant security group. They found Sandworm, or APT44 as Mandiant has been tracking it, to be responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022.

In the process, the threat actor established itself as the primary cyberattack unit within Russia's Main Intelligence Directorate (GRU) and among all Russian state-backed cybergroups, Mandiant assessed. No other cyber outfit appears as totally integrated with Russia's military operators as Sandworm is presently, the security vendor noted in a report this week that offers a detailed look at the group's tools, techniques, and practices.

"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions," Mandiant warned. "Even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America."

One manifestation of Sandworm's broadening global mandate was a series of attacks on three water and hydroelectric facilities in the US and France earlier this year by a hacking outfit called CyberArmyofRussia_Reborn, which Mandiant believes is controlled by Sandworm.

The attacks — which appear to have been more a demonstration of capabilities than anything else — caused a system malfunction at one of the attacked US water facilities. In October 2022, a group that Mandiant believes was APT44 deployed ransomware against logistics providers in Poland in a rare instance of deploying a disruptive capability against a NATO country.

Global Mandate

Sandworm is a threat actor that has been active for more than a decade. It's well known for numerous high-profile attacks, such as the one in 2022 that took down sections of Ukraine's power grid just prior to a Russian missile strike; the 2017 NotPetya ransomware outbreak; and an attack at the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation, and energy sectors. The US government and others have attributed the operation to a cyber unit within Russia's GRU. In 2020, the US Justice Department indicted several Russian military officers for their alleged role in various Sandworm campaigns.

"APT44 has an extremely broad targeting remit," says Dan Black, principal analyst at Mandiant. "Organizations who develop software or other technologies for industrial control systems and other critical infrastructure components should have APT44 front and center in their threat models."

Gabby Roncone, a senior analyst with Mandiant's Advanced Practices team, includes media organizations among APT44/Sandworm's targets, especially during elections. "Many key elections of high interest to Russia are taking place this year, and APT44 may attempt to be a key player" in them, Roncone says.

Mandiant itself has been tracking APT44 as a unit within Russia's military intelligence. "We track a complex external ecosystem that enables their operations, including state-owned research entities and private companies," Roncone adds.

Within Ukraine, Sandworm's attacks have increasingly focused on espionage activity with a view to gathering information for Russian military forces' battlefield advantage, Mandiant said. In many cases, the threat actor's favorite tactic for gaining initial access to target networks has been exploitation of routers, VPNs, and other edge infrastructure. It's a tactic that the threat actor has been increasingly using since Russia's Ukraine invasion. While the group has accumulated a vast collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

An Elusive Enemy

"APT44 is adept at flying under the detection radar. Building detections for commonly abused open source tools and living-off-the-land methods is critical," Black says.

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible because of Sandworm's penchant for targeting vulnerable edge infrastructure for initial entry and re-entry into environments. "Organizations should additionally be wary of APT44 pivoting between espionage and disruptive goals after gaining access to networks," Roncone notes. "For folks working in media and media organizations in particular, digital safety training for individual journalists is key."

Black and Roncone perceive APT44/Sandworm's use of hacking fronts like CyberArmyofRussia_Reborn as an attempt both to draw attention to its campaigns and to maintain deniability.

"We have seen APT44 repeatedly use the CyberArmyofRussia_Reborn Telegram to post evidence from and draw attention to its sabotage activity," Black says. "We cannot conclusively determine if this is an exclusive relationship but judge that APT44 has the ability to direct and influence what the persona posts on Telegram."

Black says APT44 could be using personas such as CyberArmyofRussia_Reborn as a way to avoid direct attribution in case they cross a line or provoke a response. "But the second [motive] is that they create a fake sense of popular support for Russia's war — a false impression that average Russians are self-assembling to join the cyber fight against Ukraine."
