APT44 is also known as Sandworm, Sandworm Team, FROZENBARENTS, Seashell, Quedagh, VOODOO BEAR, TEMP.Noble, IRON VIKING, G0034, ELECTRUM, TeleBots, IRIDIUM, Blue Echidna, CTG-7263, ATK 14, BE2, UAC-0082, and UAC-0113. Research indicates that the group emerged in 2009. Many governments attribute the group to Unit 74455 of the Main Centre for Special Technologies (GTsST), which sits within the Main Directorate (GU) of the General Staff of the Armed Forces of the Russian Federation, the military intelligence service commonly known as the GRU (Main Intelligence Directorate). While most Russian state-sponsored threat groups tend to specialize in a specific task, APT44 is a uniquely dynamic threat actor actively involved in the full spectrum of cyber espionage, attack, and influence operations. As such, APT44 (Sandworm) is a characteristic representation of the information-conflict concept that underpins Russia’s cyber forces today.
The countries targeted by APT44 include Azerbaijan, Belarus, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, and Ukraine. The selection of these countries reflects their geographical location and strategic importance to the group’s sponsor. Target sectors include education, energy, finance, government, private industry, telecommunications and transport. APT44‘s regional interests and motivations include espionage, sabotage, and subversion.
The TTPs (Tactics, Techniques, and Procedures) used by APT44 include T1059 (Command and Scripting Interpreter, Execution), T1053 (Scheduled Task/Job, Persistence), and T1082 (System Information Discovery, Discovery). These TTPs illustrate the group’s intrusion methodology and the breadth and sophistication of its capabilities. Furthermore, techniques such as T1547 (Boot or Logon Autostart Execution, Persistence) and T1027 (Obfuscated Files and Information, Defense Evasion) point to APT44’s ability to evade detection and maintain long-term access after the initial compromise.
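The technique IDs above are only useful to a defender once they are tied to telemetry. The following script is an added example, not code from the original page or from ThreatMon: it tags constructed Windows Security and Sysmon event records with the ATT&CK IDs named in this section (scheduled task creation for T1053, Run-key writes for T1547, interpreter launches for T1059, encoded PowerShell for T1027, and host-enumeration commands for T1082). The event records, task names, paths and command lines are invented for illustration and are not indicators of real APT44 tooling.

```python
"""
Added example: map constructed Windows event records to ATT&CK technique IDs.
The events below are constructed for this example; field names follow the Windows
Security log (4698 = scheduled task created) and Sysmon (1 = process create,
13 = registry value set), but every value is invented.
"""
import re

SAMPLE_EVENTS = [
    # Constructed: a scheduled task whose action is an encoded PowerShell command.
    {"source": "Security", "event_id": 4698, "user": "CORP\\svc_backup",
     "task_name": "\\Microsoft\\Windows\\Updater",
     "command": "powershell.exe -enc SQBFAFgA..."},
    # Constructed: a new value under HKLM\...\CurrentVersion\Run (autostart).
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helper",
     "details": r"C:\Users\Public\helper.exe"},
    # Constructed: cmd.exe running host-enumeration commands.
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c systeminfo & whoami"},
    # Constructed: a benign registry write that must NOT be tagged.
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App",
     "details": "1.0"},
]

# Autostart locations covered here: the classic Run / RunOnce keys (T1547.001).
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# PowerShell with a base64-encoded command line (T1059.001 combined with T1027).
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b", re.IGNORECASE)
# Built-in interpreters whose launch we attribute to T1059.
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
# Commands commonly used for System Information Discovery (T1082).
DISCOVERY_CMDS = ("systeminfo", "whoami", "hostname")


def classify(event):
    """Return the set of ATT&CK technique IDs this single event matches (may be empty)."""
    hits = set()
    source, event_id = event["source"], event["event_id"]

    if source == "Security" and event_id == 4698:
        hits.add("T1053")  # Scheduled Task/Job created
        if ENCODED_PS.search(event.get("command", "")):
            hits.update({"T1059", "T1027"})  # task action is encoded PowerShell

    if source == "Sysmon" and event_id == 13:
        if RUN_KEYS.search(event.get("target_object", "")):
            hits.add("T1547")  # Boot or Logon Autostart Execution via Run key

    if source == "Sysmon" and event_id == 1:
        image = event.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = event.get("command_line", "").lower()
        if image in INTERPRETERS:
            hits.add("T1059")  # Command and Scripting Interpreter
        if ENCODED_PS.search(cmd):
            hits.add("T1027")  # Obfuscated Files and Information
        if any(c in cmd for c in DISCOVERY_CMDS):
            hits.add("T1082")  # System Information Discovery

    return hits


def triage(events):
    """Return (index, sorted technique IDs) for every event that matched at least one technique."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, sorted(hits)))
    return results


if __name__ == "__main__":
    for idx, techniques in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(techniques)}")
```

These are generic technique detections, not APT44 signatures: event 4698 and Run-key writes fire constantly in environments with legitimate software deployment, so in practice the output is a hunting lead to be filtered against an allow-list of known task names and installer paths, and correlated across a host (for example, a new task whose action launches an encoded interpreter is far more interesting than either event alone).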
APT44 uses malware and a range of technical tooling for espionage and information theft. After gaining initial access, the group typically deploys a first-stage component, often called a ‘downloader’, that installs a backdoor on the compromised host. That backdoor gives the attackers control of the system and is then used to stage additional malware, such as an information stealer or a Remote Access Trojan (RAT), extending their control and their ability to exfiltrate data.
APT44 is likely to remain one of the most far-reaching and severe cyber threats globally. It has been one of the leading actors in the threat landscape for over a decade and a bellwether for where cyber-attack activity is heading. Its historical activity, which includes interfering in elections and retaliating against international sports organizations, shows that its nationalist motives are not confined to any one theatre and may shape its future operations.
As long as Russia’s conflict with Ukraine continues, Ukraine is expected to remain the main focus of APT44‘s operations. However, experience shows the group is ready to conduct broader cyber operations against strategic targets worldwide. Therefore, changing Western political dynamics, upcoming elections, and issues in Russia’s neighborhood will continue to shape APT44’s operations in the coming period.
As ThreatMon, we continuously monitor APT44 and 1000+ known threat actors and APT groups and work to improve your defense mechanisms. Try ThreatMon’s Free Premium Access feature to avoid sophisticated attacks by the APT44 group and keep your systems secure!