Mandiant, a leading cybersecurity firm, has released a comprehensive report related to a Russian nation-state sponsored Sabotage unit APT44 (aka Sandworm Team). The report paints a concerning picture of a persistent and multifaceted attacker group, adept at espionage, disruptive attacks, and information warfare operations. This article delves into offering valuable insights for cybersecurity professionals tasked with defending critical infrastructure and government networks.
What is APT44?
APT44, also known as Sandworm Team, is a highly skilled and well-resourced cyber threat group linked to Russia’s GRU (Main Intelligence Directorate). Other names for APT44 are: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS. They’ve gained notoriety for their sophisticated attacks, ranging from espionage and information operations to devastating cyberattacks crippling critical infrastructure.
How Does APT44 Work?
One of the most striking aspects of APT44 is its versatility. Unlike many state-backed actors focusing on specific objectives (e.g., intelligence gathering), Sandworm demonstrates proficiency across a broad spectrum of cyber operations. In its recent report, Mandiant highlights the core capabilities of APT44:
- Espionage: APT44 possesses a sophisticated arsenal of tools and techniques for compromising networks, stealing sensitive data, and maintaining long-term persistence. Their tactics include spear phishing campaigns, watering hole attacks, and exploitation of zero-day vulnerabilities.
- Destructive Attacks: Sandworm is notorious for deploying malware designed to cripple critical infrastructure. The infamous NotPetya wiperware attack in 2017, attributed to APT44, serves as a stark reminder of their capacity for widespread disruption.
- Information Warfare Operations: APT44 actively engages in campaigns aimed at manipulating public opinion and sowing discord. This can involve social media manipulation, website defacement, and the leaking of stolen information to influence political narratives.
APT44 Sandworm Team Mitre Attack TTPs (Tactics Techniques and Procedures)
APT44 or Sandworm Team utilizes a multi-stage attack lifecycle, often blending various techniques to achieve their goals:
- Initial Access: Spear phishing emails [T1566], watering hole attacks [T0817], and exploitation of unpatched vulnerabilities on remotely accessible applications [T1190] [T1133] are common entry points.
- Execution: The group leverages Windows in-built capabilities like PowerShell [T1059.001], Command Line [T1059.003], and Windows Management Instrumentation (WMI) [T1047] for their malicious purposes.
- Lateral Movement: Once inside a network, APT44 uses stolen credentials and compromised accounts [T1078] and exploits remote desktop protocol (RDP) services [1021.001] to move laterally and gain access to high-value targets.
- Persistence: The group attempts to capture and crack the domain account and other high-profile account credentials to maintain persistence in the infected systems. They also exploit remote services [T1133] and scheduled tasks [T1053.005] in Windows systems to maintain long-term access to compromised systems.
- Command and Control (C2): To avoid detection, communication with compromised machines is often achieved through encoded C2 channels [T1132.001] on non-standard application ports and protocols [T1571] [T1095], in addition to leveraging remote access applications [T1219] and so on.
- Data Exfiltration: Stolen data is exfiltrated through covert C2 channels [T1041].
- Impact: Depending on the target organization’s type, the APT44 group performs activities like encrypting data on infected systems [T1486], destructive attacks [T1485], or endpoint denial of service attacks [T1499]. In some cases, APT44 deploys wiper malware designed to erase data and render systems inoperable [T1485].
Mitre Att&ck tracks the activities of the APT44 group, which is assigned a Mitre ID G0034 for the Sandworm Team. For detailed TTPs, see the Mitre Att&ck TTPs related to APT44 or Sandworm Team on Mitre Att&ck Navigator.
For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.
Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.