APT44 (Sandworm Team) – Quick Facts
- Type: Advanced Persistent Threat (APT)
- Aliases: Sandworm, Sandworm Team, Seashell Blizzard (formerly Iridium), Iron Viking, TeleBots, Voodoo Bear, FrozenBarents
- Origin: Russia; attributed to GRU Military Unit 74455, a cyber-warfare unit of Russia's military intelligence service
- Active Since: 2004
- Primary Targets: Government and military organizations, critical-infrastructure operators (notably energy), defense contractors and Western corporations
- Motivation: Cyber sabotage, espionage / data theft
Tactics & Techniques:
Initial Access
– T1190 – Exploit Public-Facing Application.
– T1203 – Exploitation for Client Execution.
– T1566.001 – Phishing: Spearphishing Attachment (malicious files delivered by e-mail).
Execution
– T1059 – Command and Scripting Interpreter.
– T1059.001 – PowerShell.
– T1059.003 – Windows Command Shell.
– T1059.005 – Visual Basic (VBS).
Persistence
– T1543 – Create or Modify System Process, e.g. T1543.003 Windows Service / T1543.002 Systemd Service modifications.
– T1053.005 – Scheduled Task (Scheduled Task used via GPOs / scheduled jobs).
Privilege Escalation
– (various techniques observed in campaign artifacts; see Mandiant reporting for low-level syscall and evasive behaviors)
Defense Evasion
– T1140 – Deobfuscate/Decode Files or Information (Base64, TripleDES, GZip usage).
– T1027 – Obfuscated Files or Information (including T1027.002 Software Packing).
– T1562 – Impair Defenses, e.g. T1562.001 Disable or Modify Tools; T1562.002 Disable Windows Event Logging.
Credential Access
– T1555.003 – Credentials from Password Stores: Credentials from Web Browsers.
– T1003.001 – OS Credential Dumping: LSASS Memory (LSASS memory dumping observed historically).
– T1056.001 – Input Capture: Keylogging (SetWindowsHookEx keylogger observed).
Discovery
– T1087.002 – Account Discovery: Domain Account discovery via LDAP queries.
– T1592.002 – Gather Victim Host Information: Software (a Reconnaissance-tactic technique; listed here as pre-access research on the target's software).
– T1018 – Remote System Discovery.
– T1046 – Network Service Discovery (formerly Network Service Scanning); pre-access vulnerability scanning is covered under T1595.002 below.
Lateral Movement
– T1021.002 – Remote Services: SMB/Windows Admin Shares (use of ADMIN$, net use).
– T1570 – Lateral Tool Transfer and T1105 – Ingress Tool Transfer (copying payloads between hosts, including over network shares).
Collection
– T1213 – Data from Information Repositories (databases) – e.g., use of Adminer to exfiltrate DB data.
– T1005 – Data from Local System (internal docs, files).
Exfiltration
– T1041 – Exfiltration Over C2 Channel (HTTP C2 exfil observed).
Command and Control
– T1071.001 – Application Layer Protocol: Web Protocols (HTTP used by BCS-server and other tools).
– T1572 – Protocol Tunneling and other non-standard channels have also been used in some campaigns.
Impact
– T1486 – Data Encrypted for Impact (ransomware / Prestige used).
– T1561.002 – Disk Wipe: Disk Structure Wipe (KillDisk/CaddyWiper usage).
– T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification (used to deploy wipers via GPO).
– T1499 – Endpoint Denial of Service (observed in disruption campaigns).
– T1491.002 – Defacement: External Defacement (mass website defacements).
Resource Development / Recon & Support (preparation)
– T1583 – Acquire Infrastructure (domains, servers, covert leased infrastructure).
– T1583.001 – Domains (register spoofing domains).
– T1583.004 – Server (use of leased / reseller infrastructure).
– T1595.002 – Active Scanning: Vulnerability Scanning (scanning target infrastructure).
Other observed behaviours / capabilities
– Use of custom destructive malware families (NotPetya, Industroyer variants, Olympic Destroyer, CaddyWiper, etc.).
– Use of third-party services for phishing campaigns and use of spoofed pages for credential harvesting.
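The persistence, lateral-movement, defense-evasion and impact entries above (admin-share use, scheduled tasks, event-log clearing, Group Policy modification) are the kind of behaviours a SOC can alert on from Windows Security and Sysmon-style telemetry. The following is an added example, not part of the original profile and not tooling from any APT44 report: it runs a few ATT&CK-tagged rules over constructed sample events and escalates when one account touches an admin share and then creates a scheduled task or edits a GPO within a short window. The hostnames, user names, timestamps and command lines are invented for illustration; the command-line patterns are generic indicators, not recovered from any APT44 sample.

```python
"""Added example (not from the original page): ATT&CK-tagged detection rules
over constructed Windows event records, plus a simple sequence correlation."""
import re
from datetime import datetime, timedelta

# Constructed sample events. Event IDs are real Windows Security IDs
# (4688 process creation, 5145 share object access, 5136 directory object
# modified); every value below is invented for illustration.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:11:05", "host": "WS01", "id": 4688, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use \\FS02\ADMIN$ /user:CORP\svc_backup *"},
    {"ts": "2024-01-10T02:11:40", "host": "FS02", "id": 5145, "user": "CORP\\svc_backup",
     "share": r"\\*\ADMIN$", "relative_target": "tmp\\cw.exe"},
    {"ts": "2024-01-10T02:13:02", "host": "FS02", "id": 4688, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Updater" /tr C:\Windows\tmp\cw.exe /sc once /st 02:30 /ru SYSTEM'},
    {"ts": "2024-01-10T02:14:10", "host": "DC01", "id": 5136, "user": "CORP\\svc_backup",
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath"},
    {"ts": "2024-01-10T02:20:55", "host": "FS02", "id": 4688, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmd": "wevtutil cl Security"},
    # Benign: querying a task is not task creation.
    {"ts": "2024-01-10T09:00:00", "host": "WS07", "id": 4688, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks /query /tn Backup"},
]

# (technique id, human name, predicate over one event)
RULES = [
    ("T1021.002", "SMB admin share use",
     lambda e: (e["id"] == 5145 and e.get("share", "").upper().endswith(("ADMIN$", "C$")))
            or (e["id"] == 4688 and re.search(r"net(1)?(\.exe)?\s+use\s+\\\\\S+\\(ADMIN|C)\$",
                                              e.get("cmd", ""), re.I) is not None)),
    ("T1053.005", "Scheduled task creation",
     lambda e: e["id"] == 4688 and e.get("image", "").lower().endswith("schtasks.exe")
            and re.search(r"/create\b", e.get("cmd", ""), re.I) is not None),
    ("T1484.001", "Group Policy object modified",
     lambda e: e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"),
    ("T1562.002", "Windows event logging cleared/disabled",
     lambda e: e["id"] == 4688 and re.search(r"(wevtutil(\.exe)?\s+cl\b|auditpol(\.exe)?\s+/clear)",
                                             e.get("cmd", ""), re.I) is not None),
]


def match_events(events):
    """Return one (technique_id, rule_name, event) tuple per rule hit, in event order."""
    hits = []
    for e in events:
        for tid, name, pred in RULES:
            if pred(e):
                hits.append((tid, name, e))
    return hits


def correlate(hits, window=timedelta(minutes=15)):
    """Escalate when the same account uses an admin share and then, within
    `window`, creates a scheduled task or modifies a GPO. Returns one finding
    per account (first qualifying share access only)."""
    by_user = {}
    for tid, _, e in hits:
        by_user.setdefault(e["user"], []).append((datetime.fromisoformat(e["ts"]), tid, e["host"]))
    findings = []
    for user, seq in by_user.items():
        seq.sort()
        for t0, tid0, host0 in seq:
            if tid0 != "T1021.002":
                continue
            follow = {tid for t, tid, _ in seq
                      if t0 < t <= t0 + window and tid in ("T1053.005", "T1484.001")}
            if follow:
                findings.append({"user": user, "first_host": host0,
                                 "techniques": ["T1021.002", *sorted(follow)]})
                break
    return findings


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for tid, name, e in hits:
        print(f"{e['ts']} {e['host']:<5} {tid} {name}")
    for f in correlate(hits):
        print("ESCALATE:", f)
```

Against the sample data the rules fire five times (two admin-share events, one task creation, one GPO edit, one log clear) and the correlation produces a single escalated finding for the service account; the benign `schtasks /query` event matches nothing. In production the same structure applies to real 4688/5145/5136 records, with the regexes tuned to the local command-line baseline.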
- Notable Campaigns:
- Attacks on Ukrainian energy suppliers (2015, BlackEnergy/KillDisk) and the later Industroyer operations against Ukrainian infrastructure
- NotPetya (2017), a worm-propagated wiper masquerading as ransomware that spread far beyond its initial targets
- Disruption of the Pyeongchang Winter Olympics (Olympic Destroyer)
- Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
- Attributed Tools & Malware:
- BlackEnergy (BlackEnergy 3) – originally a crimeware botnet framework, later used as a backdoor in attacks on Ukrainian energy suppliers (2015), among others.
- KillDisk (various wiper variants) – Destructive component used to destroy hosts in multiple campaigns.
- NotPetya / ExPetr (wiper masquerading as ransomware) – large-scale destruction/worm campaign in 2017.
- Industroyer / Industroyer2 (CrashOverride) – specifically designed for industrial control systems (ICS); the Industroyer family has been observed in Ukrainian infrastructure operations.
- Olympic Destroyer – Wiper/disruption malware used against the Pyeongchang Olympics; attribution was deliberately complicated by false flags, but the malware is often linked to Sandworm.
- CaddyWiper / other GPO/AD wipers – modern wiper variants that have appeared in recent sabotage campaigns.
- Infamous Chisel (Android components / Infamous Chisel family) – Persistent access/backdoor components for Android (2023 reports on Android targets).
- SwiftSlicer and other Active Directory-targeted wipers – wiper components deployed through the domain (e.g. via Group Policy) that appear in attack reports from 2023–2024.
- Custom C2/Beacon implementations & loaders (TeleBots / bespoke tooling) – Sandworm used its own C2 backdoors, beacon implementations, and droppers; TeleBots branding appears in connection with NotPetya.
- Downloaders / droppers / Android wrappers / malicious app wrappers – previous campaigns showed downloader wrappers in Play Store apps and disguised Android apps to deliver additional components.
- Malware Samples:
Description
APT44 (commonly tracked as Sandworm Team or GRU Unit 74455) is a state-sponsored Russian cyber-espionage and sabotage actor known for highly targeted, persistent operations against government, military, critical-infrastructure, and high-value private sector targets. The group blends sophisticated custom tooling with commodity malware and living-off-the-land techniques to gain access, escalate privileges, move laterally, and maintain stealthy persistence. Its campaigns range from long-term intelligence collection to disruptive, destructive actions, deploying modular router malware, destructive wipers, and ICS-focused toolsets when operational goals demand sabotage. Operators demonstrate strong operational security, anti-sandbox/anti-analysis measures, and careful timing to align cyber activity with geopolitical objectives.