| APT44 | |
| --- | --- |
| Other Names | Sandworm Team, Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Seashell Blizzard, TEMP.Noble, TeleBots, UAC-0082, UAC-0113, VOODOO BEAR |
| Location | Russia |
| Date of initial activity | 2009 |
| Suspected attribution | State-sponsored, Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455 |
| Motivation | Espionage, Denial of Service, and Data Destruction |
| Associated tools | Bad Rabbit, BlackEnergy, CHEMISTGAMES, Cyclops Blink, Exaramel for Linux, Exaramel for Windows, GreyEnergy, Impacket, Industroyer, Industroyer2, Invoke-PSImage, KillDisk, Mimikatz, Net, NotPetya, Olympic Destroyer, P.A.S. Webshell, Prestige, PsExec |
Overview
APT44, also known as Sandworm, FROZENBARENTS, and Seashell Blizzard, is a threat group backed by the Russian Federation and linked to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Mandiant has been monitoring APT44’s activities for over a decade, with evidence suggesting its formation in 2009.
Unlike other Russian state-backed groups, APT44 is highly versatile, engaging in a wide range of cyber espionage, attack, and influence operations. This dynamic nature sets it apart, aligning closely with the full spectrum of activities typically carried out by the GRU’s Information Operation Troops (VIO), indicating a high likelihood of subordination to this unit.
Overall, APT44 embodies the concept of information confrontation (IPb) that defines Russia’s contemporary cyber forces. With its comprehensive approach to cyber activities, including espionage and influence operations, APT44 represents a significant challenge in the cyber threat landscape.
Additional Information
APT44 has played a pivotal role in enabling the Russian military to gain a strategic advantage during the ongoing conflict, spearheading disruptive and destructive operations against Ukraine. With a focus on cyber sabotage, the group has extensively targeted critical infrastructure sectors using wiper malware to disrupt systems, often in coordination with conventional military activities. However, as the conflict has persisted, APT44 has shifted its emphasis from disruption to intelligence gathering, adapting its tactics to provide battlefield advantage to Russia’s conventional forces.
In the second year of the war, APT44’s operational focus has evolved, with a notable increase in espionage activities aimed at supporting Russia’s military objectives. For instance, the group has engaged in long-term campaigns to assist ground forces by extracting communications data from captured mobile devices, aiding in the acquisition of valuable targeting information. This shift underscores APT44’s adaptability and its strategic alignment with Russia’s evolving military campaign.
Overall, APT44’s role in the conflict has transformed over time, reflecting its flexibility and responsiveness to changing military priorities. From disruptive cyber attacks to intelligence collection efforts, the group continues to play a significant role in supporting Russia’s military operations, showcasing its ability to evolve and adapt in the face of shifting battlefield dynamics.
Common targets
APT44’s operations extend globally and align closely with Russia’s broad national interests and ambitions. While initially focusing on Ukraine in the aftermath of the Maidan Revolution, the group’s activities have expanded to encompass regions worldwide. Despite ongoing conflicts, APT44 maintains espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America. This diversified approach suggests that APT44 serves as a versatile tool for the Kremlin, adapting to both established and emerging intelligence objectives.
APT44’s primary targets encompass government, defense, transportation, energy, media, and civil society organizations within Russia’s neighboring countries. Additionally, government bodies and Critical Infrastructure and Key Resources (CIKR) operators in Poland, Kazakhstan, and Russia itself have been recurrent targets of APT44’s recent activities.
Furthermore, APT44 has consistently aimed at Western electoral systems and institutions, including those within NATO member countries. In these instances, the group has sought to disrupt democratic processes by leaking sensitive information and deploying malware to manipulate election systems and data.
In broader operations, Mandiant has observed APT44 engaging in widespread credential theft across global public and private sector mail servers since at least 2019. This campaign targets various mail environments such as Exim, Zimbra, and Exchange servers across diverse industry verticals.
Moreover, APT44 frequently targets journalists, civil society organizations, and non-governmental bodies involved in research or investigations concerning the Russian government. These actions reflect the group’s broader agenda of influencing information and stifling dissent.
Attack Vectors
APT44 demonstrates persistence and operational maturity, employing a variety of initial access techniques, including phishing, credential harvesting, and exploiting known vulnerabilities. Additionally, the group utilizes targeted supply chain compromises to infiltrate its targets. By initially leveraging nonselective access vectors, APT44 gains broad access to potential targets, later refining its focus for more specific follow-up actions.
How they work
Once inside a network, APT44 commonly employs living-off-the-land (LOTL) techniques to advance its access, establish persistence, and extract information. The group adopts a “low-equity” strategy for malware delivery, prioritizing open-source or criminally sourced tools over developing custom implants.
APT44 maintains a high level of operational security and continually adjusts its tactics to evade defensive measures. The group follows a playbook aimed at scaling operations, minimizing forensic evidence, and concealing post-exploitation activities.
When deploying advanced tools, APT44 exercises caution and typically opts for lightweight, expendable options to preserve its capabilities. Custom malware, if necessary, is selected to minimize the risk of exposure.
APT44 likely relies on a diverse network of Russian companies and criminal marketplaces to acquire and sustain its offensive capabilities.
Phases of Activity Commonly Observed in APT44 Operations:
- Living on the Edge: Utilizing compromised edge infrastructure for initial access to target networks.
- Living off the Land: Leveraging pre-existing tools for reconnaissance, lateral movement, and data theft to avoid detection.
- Going for the GPO: Establishing persistent, privileged access for deploying wipers using established scripts.
- Disrupt and Deny: Employing “pure” wipers and disruptive tools in various scenarios to cause disruption.
- Telegraphing “Success”: Amplifying the perception of successful disruption through hacktivist personas, irrespective of the actual impact.
MITRE Techniques used
Enterprise
Account Discovery: Domain Account (T1087.002)
Account Discovery: Email Account (T1087.003)
Account Manipulation (T1098)
Acquire Infrastructure: Domains (T1583.001)
Acquire Infrastructure: Server (T1087.004)
Active Scanning: Vulnerability Scanning (T1595.002)
Application Layer Protocol: Web Protocols (T1071.001)
Brute Force (T1110)
Command and Scripting Interpreter: PowerShell (T1059.001)
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Command and Scripting Interpreter: Visual Basic (T1059.005)
Compromise Client Software Binary (T1554)
Compromise Infrastructure: Botnet (T1584.005)
Create Account: Domain Account (T1136.002)
Create or Modify System Process: Windows Service (T1543.003)
Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
Data Destruction (T1485)
Data Encoding: Standard Encoding (T1132.001)
Data Encrypted for Impact (T1486)
Data from Local System (T1005)
Defacement: External Defacement (T1491.002)
Deobfuscate/Decode Files or Information (T1140)
Develop Capabilities: Malware (T1587.001)
Disk Wipe: Disk Structure Wipe (T1561.002)
Endpoint Denial of Service (T1499)
Establish Accounts: Social Media Accounts (T1585.001)
Establish Accounts: Email Accounts (T1585.002)
Exfiltration Over C2 Channel (T1041)
Exploitation for Client Execution (T1203)
External Remote Services (T1133)
File and Directory Discovery (T1083)
Gather Victim Host Information: Software (T1592.002)
Gather Victim Identity Information: Email Addresses (T1589.002)
Gather Victim Identity Information: Employee Names (T1589.003)
Gather Victim Network Information: Domain Properties (T1590.001)
Gather Victim Org Information: Business Relationships (T1591.002)
Impair Defenses: Disable or Modify Tools (T1562.001)
Impair Defenses: Disable Windows Event Logging (T1562.002)
Indicator Removal: File Deletion (T1070.004)
Ingress Tool Transfer (T1105)
Input Capture: Keylogging (T1056.001)
Lateral Tool Transfer (T1570)
Masquerading: Match Legitimate Name or Location (T1036.005)
Masquerading: Masquerade File Type (T1036.008)
Modify Registry (T1112)
Network Sniffing (T1040)
Non-Standard Port (T1571)
Obfuscated Files or Information (T1027)
Obfuscated Files or Information: Software Packing (T1027.002)
Obfuscated Files or Information: Command Obfuscation (T1027.010)
Obtain Capabilities: Tool (T1588.002)
Obtain Capabilities: Vulnerabilities (T1588.006)
OS Credential Dumping: LSASS Memory (T1003.001)
OS Credential Dumping: NTDS (T1003.003)
Phishing: Spearphishing Attachment (T1566.001)
Phishing: Spearphishing Link (T1566.002)
Phishing for Information: Spearphishing Link (T1598.003)
Process Injection (T1055)
Proxy (T1090)
Remote Access Software (T1219)
Remote Services: SMB/Windows Admin Shares (T1021.002)
Remote System Discovery (T1018)
Search Open Websites/Domains (T1593)
Search Victim-Owned Websites (T1594)
Server Software Component: SQL Stored Procedures (T1505.001)
Server Software Component: Web Shell (T1505.003)
Software Deployment Tools (T1072)
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
System Binary Proxy Execution: Rundll32 (T1218.011)
System Information Discovery (T1082)
System Network Connections Discovery (T1049)
System Owner/User Discovery (T1033)
Trusted Relationship (T1199)
User Execution: Malicious Link (T1204.001)
User Execution: Malicious File (T1204.002)
Valid Accounts (T1078)
Valid Accounts: Domain Accounts (T1078.002)
Web Service: Bidirectional Communication (T1102.002)
Windows Management Instrumentation (T1047)
ICS
Block Command Message (T0803)
Block Reporting Message (T0804)
Block Serial COM (T0805)
Command-Line Interface (T0807)
Commonly Used Port (T0885)
Connection Proxy (T0884)
Denial of Control (T0813)
Denial of Service (T0814)
Device Restart/Shutdown (T0816)
Exploit Public-Facing Application (T0819)
External Remote Services (T0822)
Graphical User Interface (T0823)
Lateral Tool Transfer (T0867)
Loss of Availability (T0826)
Loss of Control (T0827)
Loss of Productivity and Revenue (T0828)
Manipulation of Control (T0831)
Masquerading (T0849)
Remote Services (T0886)
Remote System Discovery (T0846)
Scripting (T0853)
System Firmware (T0857)
Unauthorized Command Message (T0855)
Valid Accounts (T0859)
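A defender who wants to map this technique list onto detection coverage usually loads it into ATT&CK Navigator. The script below is an added example, not part of the original profile: it parses entries written in the page's "Name: Sub-technique (Txxxx.yyy)" style, splits Enterprise (T1xxx) from ICS (T0xxx) IDs, and emits one Navigator layer per domain. The sample lines are constructed from entries on this page, and the layer version fields are assumed values for the public Navigator layer format.

```python
"""Build ATT&CK Navigator layers from a threat-actor profile's technique list.

Added example, not the profile's own tooling. The entry format and the sample
lines are taken from this page; the "versions" values are assumed.
"""
import json
import re

# Matches "Tactic: Sub-technique (T1234.001)" and "Technique (T1234)".
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<id>T\d{4}(?:\.\d{3})?)\)\s*$")

# Constructed sample: a few Enterprise and ICS entries copied from the list above.
SAMPLE = """\
Account Discovery: Domain Account (T1087.002)
Acquire Infrastructure: Domains (T1583.001)
Obfuscated Files or Information (T1027)
Software Packing (T1027.002)
Valid Accounts (T1078)
Block Command Message (T0803)
"""


def parse_entries(text):
    """Return (name, technique_id) pairs; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("name"), m.group("id")))
    return out


def navigator_layer(entries, domain, name):
    """Create a Navigator layer dict for one domain ("enterprise-attack" or "ics-attack").

    Enterprise technique IDs start with T1 and ICS IDs with T0, so one mixed
    list can be split into the two layers Navigator expects.
    """
    prefix = "T0" if domain == "ics-attack" else "T1"
    techs = [{"techniqueID": tid, "score": 1, "comment": nm}
             for nm, tid in entries if tid.startswith(prefix)]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": domain,
        "description": "Techniques observed for APT44, from the profile above",
        "techniques": techs,
    }


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for dom in ("enterprise-attack", "ics-attack"):
        print(json.dumps(navigator_layer(ents, dom, f"APT44 {dom}"), indent=2))
```

Feed the full list from this page into `parse_entries` to get complete layers; each printed JSON document can be imported directly into Navigator.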
Significant Attacks
- The 2015 and 2016 attacks against Ukrainian electrical companies and government organizations.
- The 2017 worldwide NotPetya attack.
- The targeting of the 2017 French presidential campaign.
- The 2018 Olympic Destroyer attack against the Winter Olympic Games.
- The 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.