## APT44: Unearthing Sandworm

#### Authors

Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Dan Perez, Lexie Aytes, Alden Wahlstrom

#### Acknowledgements

Collaboration with companies and governments to track and mitigate threats is critical to our collective efforts to defend our networks against adversaries. The efforts of Mandiant Consulting across many incident response engagements in Ukraine since 2022 enabled much of the analysis included in this report. We’d additionally like to thank Mandiant's FLARE team, former Mandiant employees, ESET, Microsoft, Google TAG, numerous global government organizations, and most importantly, all of our partners in Ukraine. Our work would not be possible without their contributions.

-----

### Executive Summary

With Russia's war in Ukraine in its third year, Sandworm remains a formidable threat to Ukraine. The group’s operations in support of Moscow’s war aims have proven tactically and operationally adaptable and, as of today, appear to be better integrated with the activities of Russia’s conventional forces than in any previous phase of the conflict. To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign.

Yet the threat posed by Sandworm is far from limited to Ukraine. Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia. Looking forward, a record number of people will participate in national elections in 2024, and Sandworm’s history of attempting to interfere in democratic processes further elevates the threat the group may pose in the near term. Given the active and persistent threat to governments and critical infrastructure operators globally, Mandiant has decided to graduate the group into APT44.
#### Key Judgments

- Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor, actively engaged in the full spectrum of espionage, attack, and influence operations.
- APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade.
- We assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia's wide-ranging national interests and ambitions, including efforts to undermine democratic processes globally.
- Due to the group’s history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high-severity threat to governments and critical infrastructure operators globally where Russian national interests intersect.

-----

### Overview of APT44

APT44 (commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard) is a Russian Federation-backed threat group attributed by multiple governments to Unit 74455, the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), commonly known as the Main Intelligence Directorate (GRU). Mandiant has tracked APT44 operations for over a decade, with publicly available images of the unit’s anniversary insignia placing the group’s formation in 2009.

While most Russian state-backed threat groups tend to specialize in a specific mission, APT44 is a uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations. These respective components constitute the gamut of special activities typically carried out by the GRU’s Information Operation Troops (VIO), to which we assess APT44 is highly likely subordinated.
We therefore view APT44 as a characteristic representation of the information confrontation (IPb) concept that underpins Russia’s present-day cyber forces.

[Figure: GRU cyber units. Unit 26165, 85th Main Special Services Center (GTsSS): APT28. Unit 74455, Main Center for Special Technologies (GTsST).]

Figure 2. APT44 Full Spectrum Cyber Operations:

- Espionage: Cryptographic Reconnaissance of Information and Communication Systems (KRIKS), Криптографическая Разведка информационно-Коммуникационных Систем (КРИКС)
- Attack: Information-Technical Influence / Effects (ITV), Информационно-Техническое Воздействие (ИТВ)
- Influence: Information-Psychological Influence / Effects (IPV), Информационно-Психологические Воздействие (ИПВ)

-----

#### A Global Targeting Mandate

APT44 operations are global in scope and mirror Russia's wide-ranging national interests and ambitions. In the post-Maidan Revolution era, this has led to cyber operations primarily centered on Ukraine, the epicenter of Russia’s revanchist geopolitical aims over the past decade. However, even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely seen by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements.

- APT44 primarily targets government, defense, transportation, energy, media, and civil society organizations in Russia’s near abroad. Government bodies and other Critical Infrastructure and Key Resources (CIKR) operators in Poland, Kazakhstan, and within Russia have frequently been included in the group’s recent targeting.
- APT44 has repeatedly targeted Western electoral systems and institutions, including those in current and prospective North Atlantic Treaty Organization (NATO) member countries. As part of this activity, APT44 has attempted to interfere with democratic processes in select countries by leaking politically sensitive information and deploying malware to access election systems and misreport election data.
- In less discriminate operations, Mandiant continues to observe APT44 conduct widespread credential theft targeting public and private sector mail servers globally. This campaign, which dates back to at least 2019, has targeted various mail environments including Exim, Zimbra and Exchange servers across a wide range of industry verticals.
- APT44 also frequently targets journalists, civil society organizations, and non-governmental bodies involved in research or investigations into the Russian government. Examples include the 2018 operation targeting the Organization for the Prohibition of Chemical Weapons (OPCW) for its role in the Novichok poisoning investigations and a phishing campaign by an assessed APT44 initial access cluster between December 2023 and January 2024 which targeted Bellingcat and other investigative journalism entities.

-----

#### A Highly Adaptive Adversary

APT44 is a persistent and operationally mature adversary that uses diverse initial access methods ranging from common vectors such as phishing, credential harvesting, and known vulnerability exploitation to targeted supply chain compromises. The group commonly leverages nonselective initial access vectors that provide wide-ranging access to targets of interest, later down-selecting victims of interest for the full spectrum of follow-on activity.

- APT44 frequently achieves initial access through the exploitation of edge infrastructure such as routers and virtual private network (VPN) appliances. We have observed the group fulfill a variety of missions from footholds gained on network perimeters, including reconnaissance, information theft, downstream phishing, and the deployment of wiper malware.
- Following in the footsteps of ETERNALPETYA (aka NotPetya), APT44 also continues to subvert software supply chains for initial access. In one recent case, access to a software developer resulted in the downstream compromise of critical infrastructure networks in Eastern Europe and Central Asia, followed by the deployment of wiper malware to a select victim organization.
- APT44 is also known to employ unconventional methods to compromise targets of interest. As of February 2024, the group continues to leverage trojanized software installers distributed via torrents on Ukrainian- and Russian-language forums as a means of achieving opportunistic initial access to potential targets of interest. Once an installer has been downloaded, victims of interest are manually flagged by APT44 operators with specifics such as the victim organization or unit name, designating them for follow-on exploitation. We have seen these victims receive payloads such as DARKCRYSTALRAT (or DCRAT), commodity malware that APT44 has also used to target telecommunications entities in Ukraine.

-----

Once inside a network, APT44 commonly uses living-off-the-land (LOTL) techniques to further its access, establish persistence, and exfiltrate information. The group is also known for its “low-equity” approach to malware delivery that prioritizes open source or criminally sourced tools over using its own custom implants.

- APT44 operates with a high degree of operational security and continuously adapts to circumvent best-practice defensive principles. To achieve this outcome, we have seen the group generally adhere to a playbook designed to help scale its operations, limit forensic evidence in victim environments, and make post-exploitation activity hard to detect (see Figure 3).
- Once inside a network, APT44 is highly judicious about deploying its most advanced, and likely most costly to develop, tools. When custom malware is needed, APT44 typically deploys lightweight tools that are expendable and do not pose any significant attrition to the group’s overall capabilities when used or exposed.
- APT44 almost certainly relies on a diverse set of Russian companies and criminal marketplaces to source and sustain its more frequently operated offensive capabilities.
  - Leaked documents from the Russian company NTC Vulkan detailed project requirements for a framework used to enable cyber operations contracted by APT44’s parent military unit.
  - We also assess that at least one additional Russian cybersecurity company has provided direct operational support to APT44’s operations in Ukraine.
  - Since Russia’s re-invasion of Ukraine in early 2022, we have observed a relative increase in APT44’s use of tools and bulletproof hosting infrastructure acquired from criminal marketplaces. We assess that APT44 has likely long viewed criminally sourced tools and infrastructure as a latent pool of disposable capabilities that can be operationalized on short notice without immediate attributive links to its past operations.
Figure 3. Phases of Activity Commonly Observed in APT44 Operations:

- Espionage phases (KRIKS | КРИКС, Cryptographic Reconnaissance of Information and Communication Systems, Криптографическая Разведка информационно-Коммуникационных Систем)
  - Living on the Edge: leveraging compromised edge infrastructure to gain and regain entry into target networks
  - Living off the Land: using pre-existing tools for recon, lateral movement and information theft on target networks, aiming to evade detection
- Attack phases (ITV | ИТВ, Information-Technical Influence / Effects, Информационно-Техническое Воздействие)
  - Going for the GPO: creating persistent, privileged access from which wipers can be deployed using a tried-and-true script
  - Disrupt and Deny: deploying “pure” wipers and disruptive tools to fit a variety of scenarios
- Influence phase (IPV | ИПВ, Information-Psychological Influence / Effects, Информационно-Психологические Воздействие)
  - Telegraphing “Success”: amplifying the narrative of successful disruption via hacktivist personas, regardless of the actual impact of the operation

-----

#### Moscow’s Primary Cyber Sabotage Unit

Over the past decade, APT44 has established itself as Russia’s preeminent cyber sabotage unit. As an arm of Russia’s military, it has been responsible for the majority of the GRU’s cyber-enabled sabotage in Ukraine stretching back to the initial invasion of the country in 2014. However, APT44’s attack operations are not limited to military objectives and also span Russia’s wider national interests, such as the Kremlin’s political signaling efforts, responses to crises, or intended non-escalatory responses to perceived slights to Moscow’s stature in the world.

- Since Russia’s re-invasion of Ukraine in February 2022, APT44 has been responsible for almost all of the disruptive and destructive cyber attacks against Ukrainian CIKRs that Mandiant has responded to.
  We assess with high confidence that it is the primary cyber attack unit both within the GRU and across all Russian state-sponsored cyber units.
- Since at least 2015, APT44 has operated and advanced a set of attack capabilities intended to disrupt industrial control and safety systems with the potential to cause significant physical damage. Since Russia’s re-invasion, further advancements in APT44’s cyber-physical attack capabilities have been observed, including a new variant of Industroyer and Operational Technology (OT)-specific living-off-the-land attack capabilities abusing a native MicroSCADA binary. While operations to date have primarily targeted Ukraine’s energy grid, the underlying technologies exploited hold the potential to impact a wider range of sectors including railways, seaports, airports, and hospitals.
- APT44 has also periodically engaged in cyber sabotage operations intended to signal bilateral displeasure, retaliate for political grievances, or otherwise signal the weight of the threat posed by Russia’s cyber program. For example:
  - In June 2017, APT44 deployed ETERNALPETYA (aka NotPetya), a wiper disguised as ransomware, timed to coincide with Ukraine’s Constitution Day marking its sovereignty and independence from Russia.
  - In February 2018, APT44 used SOURGRAPES (aka OlympicDestroyer) destructive malware against IT systems during the opening ceremony of the Pyeongchang Olympic Games as likely retaliation for Russia’s doping suspension. According to the UK government, preparations were also carried out to disrupt the 2020 Summer Olympics in Tokyo before they were postponed.
  - In October 2022, a cluster believed with medium confidence to be APT44 deployed PRESSTEA (aka Prestige) ransomware against logistics entities in Poland and Ukraine, likely to signal its ability to threaten supply lines transiting lethal aid to Ukraine. Notably, this operation is a rare instance where APT44 has shown a willingness to use a disruptive capability intentionally against a NATO member country, and reflects the group’s penchant for risk taking.

Due to its history of aggressive cyber attacks across political and military contexts, we judge APT44 to present a persistent, high-severity threat to governments and critical infrastructure operators globally where Russian national interests intersect. The threat of future disruptive or destructive cyber operations likely extends to individuals or entities involved in war crimes investigations or other inquiries into the Russian Federation’s transgressions in Ukraine.

We also judge APT44 to present a significant proliferation risk for new cyber attack concepts and methods. Continued advancements and in-the-wild use of the group’s information technology (IT) and OT cyber attack capabilities have also likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs. Russia itself is almost certainly alert to and concerned about this proliferation risk, as Mandiant has observed Russian cybersecurity entities exercise their ability to defend against categories of disruptive cyber capabilities originally used by APT44 against Ukraine.

-----

### APT44’s Wartime Cyber Operations

APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage with its cyber operations. Of the Russian government-backed cyber groups that we have tracked contributing to Russia’s military campaign in Ukraine, APT44 has played and continues to play the most central role, seeking to advance Moscow’s war aims in multiple distinct ways. The group’s operational focus and methods have adapted significantly in the second year of the war to support Russia’s evolving theory of victory, with increasing emphasis placed on military-relevant targets and tactical intelligence collection.
- Disruptive Operations: APT44 is responsible for an intensive campaign of cyber disruptions stretching from invasion day in February 2022 to the present. The group has aggressively deployed wiper malware against a mix of civilian and military targets, and has attempted to make the effects of the war felt beyond the front lines in the day-to-day lives of Ukrainians.
- Military Enablement: APT44 has also increasingly conducted espionage likely intended to enable Russian conventional military operations. These operations appear to focus on mobile networks, devices, applications and other technologies that could help to intercept communications and gain tactical and operational battlefield advantages.
- Information Operations: APT44 has used front personas embedded in the pro-Russian Telegram ecosystem to attempt to shape the information environment and draw attention to the alleged “impact” of select cyber operations.

Figure 4. Categories of Disruptive Malware Used by APT44. Categories: Pure Disruptive Cyber Tool; Multifunctional Disruptive Cyber Tool; Disguised as Ransomware; Modified Publicly or Commercially Available Tool; Publicly or Commercially Available Tool. Families shown: SOURGRAPES, BLACKENERGY, INDUSTROYER, ETERNALPETYA, VPNFILTER, INDUSTROYER.V2, NEARMISS, SDELETE, PARTYTICKET, PRESSTEA, NEARTWIST, NIKOWIPER, JUNKMAIL, CADDYWIPER, ROARBAT, NIKOWIPER.MBR.

-----

#### Disruptive Operations Against Ukrainian Critical Infrastructure

Mandiant has tracked an intensive campaign of cyber attacks against Ukrainian entities by APT44 that reflects its primary mandate. These disruptive cyber operations have surpassed the scale, scope, and intensity of the group’s operations conducted in the war’s eight prior years, and have incorporated a wide arsenal of different disruptive or destructive malware families.

- APT44’s disruptive activities have occurred in punctuated phases, mirroring the main stages of the war. Gaps between waves of disruptive activity have likely provided necessary windows to retool and replenish access to operationally relevant targets.
- Targets of APT44’s disruptive activity have primarily been government networks and critical infrastructure operators, with an emphasis on Ukraine’s energy sector. We continue to see malware delivery operations seeking access to energy sector targets from a subcluster of APT44 activity tracked by CERT-UA as UAC-0099.
- We assess with high confidence that, in specific operations, APT44 has coordinated the timing of these cyber attacks with conventional military activity, such as kinetic strikes or other forms of sabotage, in order to achieve joint military objectives in Ukraine. This repeated pattern of activity indicates either unity of command or operational coordination with other elements of Russia’s military.
  - For example, in October 2022, APT44 disrupted IT and OT systems at a power distribution entity in the midst of Russia’s winter campaign of military and drone strikes targeting Ukraine’s energy grid. Notably, this activity aligns with Microsoft’s independent analysis identifying a similar pattern of coordination between APT44 and other elements of the Russian military in the same timeframe.

Mandiant has previously written about APT44’s shift to pure disruptive tools as a strategy to sustain its wartime tempo of operations. In furtherance of this arsenal management strategy, the second year of the war has seen the group progress from “low equity” to “no equity” tooling, abusing common utilities and publicly available tools like SDELETE, WinRAR, or native MicroSCADA binaries instead of custom-developed tools to achieve disruptive objectives.

- As the war has progressed, Mandiant has also observed APT44 rely more heavily on open source tooling (e.g. webshells such as WEEVELY and REGEORG.NEO and tunnelers such as CHISEL) to gain and further access to networks preceding its disruptive activity.
- The ready availability of these open source tools, variants of which can be created on demand, has almost certainly provided the group an expendable reserve of new malware to cycle into its disruptive operations, helping to trivially replenish variants exhausted through prior use.

-----

Figure 5. APT44 Disruptive Operations Against Ukraine: Six Phases of APT44 Disruptive Operations during the 2022 War in Ukraine. Phases: Cyber Espionage and Pre-Positioning (Phase I); Initial Destructive Cyber Operations and Military Invasion; Sustained Targeting and Attacks; Maintaining Footholds for Strategic Advantage; Renewed Campaign of Disruptive Attacks; Refocus on Cyber Espionage. Malware shown across the phases: PARTYTICKET, NEARMISS, NEARTWIST, SDELETE, INDUSTROYER.V2, CADDYWIPER, SOLOSHRED, AWFULSHRED, JUNKMAIL, PRESSTEA, NIKOWIPER.MBR, NIKOWIPER, and a native MicroSCADA binary. Target industries: Government, Telecom, Financial, Media, Energy, Transportation.

-----

#### Espionage Operations for Military Enablement

In the second year of Russia’s re-invasion, we have also seen a relative increase in APT44’s espionage activity to support battlefield reconnaissance and other tactical military needs. This activity has included an apparent focus on communication systems and mobile devices, and is part of a wider transition amongst Russian military-linked actors to attempt to collect tactically relevant information from networks, devices, and applications used by the Ukrainian military.

- Extending back to at least April 2023, APT44 has provisioned infrastructure for use by likely forward-deployed Russian military forces to exfiltrate encrypted Telegram and Signal communications from mobile devices captured on the battlefield.
  - Related infrastructure contains step-by-step Russian-language instructions on how to link the victim’s chat applications to actor-controlled infrastructure (see Figure 7). In order to follow these instructions, an operator would almost certainly require physical access to the devices being paired.
  - The infrastructure also contains a link to contact an APT44 developer on an actor-controlled Telegram account, indicating efforts to provide troubleshooting and support to non-technical operators, such as forward-deployed Russian military units in Ukraine.
  - As noted by Google’s TAG, this operation’s infrastructure and tooling also contained derogatory language towards Ukrainians, providing a lens into the mindset of APT44’s operators as they support Russia’s military campaign.

Figure 6. Links and instructions for Signal and Telegram exploitation

- With drones becoming increasingly crucial for battlefield success, APT44 has also conducted multiple phishing waves targeting organizations involved in drone manufacturing and logistics. Conforming with APT44’s tendency to use criminally sourced malware, this activity exploited a known WinRAR vulnerability to deliver a SMOKELOADER dropper that subsequently loaded RADTHIEF (aka Rhadamanthys Stealer) in memory.
- We have also observed a surge in APT44 activity focused on gaining access to internet service providers and telecommunications entities providing mobile connectivity to Ukrainian civilians and military personnel. As highlighted by CERT-UA, these APT44 operations have periodically been used to enable disruptive activity as well.
- In August 2023, multiple governments disclosed an additional espionage-focused capability, “Infamous Chisel,” operated by APT44 to collect information from Android devices, including system device information, commercial application information, as well as information from applications specific to the Ukrainian military.

Figure 7. APT44 Provisioned Instructions for Linking Signal Accounts via QR Code

-----

#### Information Operations Amplifying Cyber Activity

A particular feature of APT44’s approach to cyber operations over the years has been its emphasis on attempting to generate second-order psychological effects to augment its espionage and sabotage activities. These efforts have evolved since Russia’s re-invasion of Ukraine, with APT44 leveraging a series of front personas primarily on Telegram to publicly claim credit for data leaks and disruptive operations. Beyond a crude attempt to maximize its operational impact, we assess that these follow-on information operations are likely intended by APT44 to serve multiple wartime objectives. These aims include priming the information space with narratives favorable to Russia, generating perceptions of popular support for the war for domestic and foreign audiences, and making the GRU’s cyber capabilities appear more potent through exaggerated claims of impact.

APT44 relies upon conventional information operations methods to achieve its wider objectives. The group’s efforts are primarily focused on hack-and-leak or attack-and-leak operations, where sensitive documents or other “proof” of preceding cyber operations are posted primarily to Telegram to draw attention to their alleged “impacts”. Consistent with the group’s pre-war activity leveraging personas such as Anonymous Poland and Guccifer 2.0, APT44 continues to cultivate hacktivist identities as assets for its follow-on information operations. It has cycled through at least three primary hacktivist-branded Telegram channels to claim responsibility for its wartime disruptive operations: XakNet Team, CyberArmyofRussia_Reborn[1], and Solntsepek.
- We assess that APT44 continues to use these specific channels due to their established followings and their positions of influence in the wider pro-Russian Telegram ecosystem, and suspect that the GRU has played a role in cultivating their prominence over time. Although the channels are operated in parallel, they do not post the same content concurrently.
- APT44’s exact relationship with and control over each of these front personas likely varies. However, we have observed the closest operational relationship between APT44 and CyberArmyofRussia_Reborn (Russian: Народная CyberАрмия) and judge that the operators behind APT44 have the ability to direct and influence CyberArmyofRussia_Reborn’s activity across multiple platforms.
  - Google’s TAG observed CyberArmyofRussia_Reborn’s YouTube channel being created from infrastructure attributed to APT44. The YouTube channel received minimal engagement and was terminated upon identification.
  - Mandiant has observed known APT44 infrastructure used to exfiltrate data from victims later leaked in the CyberArmyofRussia_Reborn Telegram channel, as well as egress to Telegram in close temporal proximity to the persona’s posted claims.
  - In one case, a series of APT44 operator errors resulted in CyberArmyofRussia_Reborn’s claims on Telegram preceding the network attack they referenced.
  - These patterns of interaction align with TAG’s assessment that CyberArmyofRussia_Reborn is created and controlled by APT44.
  - Prior to rebranding as a “hacker group” in 2023 and claiming responsibility for APT44 disruptive cyber operations, Solntsepek (Russian: Солнцепек) conducted a long-term campaign of leaking personally identifiable information from Ukrainian military and security personnel, indicating the persona’s likely established relationship with the GRU.
  - Mandiant assesses that, since its rebranding, Solntsepek has likely been used as a primary vehicle to claim responsibility for and leak stolen information from APT44 disruptive cyber attacks.
  - Solntsepek’s posts have mirrored APT44’s operational focus in the second year of the war, claiming cyber attacks on military-relevant targets more often than previous APT44 front personas.

Efforts at follow-on amplification of APT44-associated Telegram posts appear to be largely constrained to cross-posting within established pro-Russian Telegram communities. For example, JokerDNR played a significant role in amplifying Solntsepek when the Telegram channel first launched and then again as it rebranded into a hacker group. While we have observed limited attempts to break into other communities through defacements, we suspect the group primarily relies upon organic media coverage for reach and credibility rather than investing resources to spread its messaging on other platforms. Mandiant does not currently attribute the JokerDNR persona to a specific threat group or sponsor.

[1] Mandiant had previously attributed XakNet and CyberArmyofRussia_Reborn activity to APT28 based on a case of cohabitation where APT28 and APT44 were both operating in the same

-----

Figure 8. Hacktivist Telegram Personas Associated with APT44: XakNet, Cyber Army of Russia Reborn (CARR), Solntsepek

#### CyberArmyofRussia_Reborn Video Content Claims Manipulation of US and European Critical Infrastructure OT Assets

A majority of the attack-and-leak activity that Mandiant has tracked from GRU-linked Telegram personas has centered on Ukrainian entities. However, CyberArmyofRussia_Reborn’s claimed intrusion activity has not been so limited.

- Between 17 and 18 January 2024, the group’s Telegram channel posted videos taking credit for the manipulation of human machine interfaces (HMI) controlling operational technology (OT) assets at Polish and U.S. water utilities.
- On 02 March 2024, the group posted an additional video claiming to disrupt electricity generation at a French hydroelectric facility by manipulating water levels.
- Each of the videos posted by CyberArmyofRussia_Reborn appears to show an actor haphazardly interacting with interfaces controlling the respective water or hydroelectric facilities’ OT assets.

Mandiant cannot independently verify the above claimed intrusion activity or its links to APT44 at this time. However, we note that officials from the affected U.S. utilities later publicly acknowledged incidents at entities advertised as victims in the CyberArmyofRussia_Reborn video.

- Approximately two weeks after the Telegram post taking credit for the U.S. targeting, a local official publicly confirmed a “system malfunction” that led to a tank overflowing at one of the claimed victim facilities. This activity was reportedly part of a series of cyber incidents impacting multiple local U.S. water infrastructure systems that stemmed from “vendor software they use that keeps their water

Figure 9. CyberArmyofRussia_Reborn video screenshot showing manual manipulation of well control inputs

-----

### Takeaways

APT44 continues to present one of the widest-reaching and highest-severity cyber threats globally. It has been at the forefront of the threat landscape for over a decade and is responsible for a long list of firsts that have set precedents for future cyber attack activity. The combination of APT44's high capability, risk tolerance, and far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and CIKR operators around the world at risk of falling into the group's sights on short notice. Patterns of historical activity, such as efforts to influence elections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that may fuel the group’s operations in the future.
Despite its bias for action and emphasis on psychological effect, APT44 has shown itself to be patient, resourceful, and able to remain undetected for long periods of time in victim environments. The group’s playbook is almost certainly tailored to carry out intrusions undetected, and its use of both open source and criminally sourced malware can often result in activity being disregarded as a commodity threat. Organizations at high risk of being targeted by APT44 should prioritize detections of LOTL techniques and carefully investigate instances of commercially available malware as potential APT44 activity. Responses to APT44 should also consider the group’s sensitivity to counterintelligence risk. This is an actor that is highly aware of incident response and detection efforts, and, in certain cases, mitigation efforts may drive an intrusion toward disruptive activity.

As Russia’s war continues, we anticipate Ukraine will remain the principal focus of APT44 operations. However, as history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider strategic objectives globally is ingrained in its mandate. We assess that changing Western political dynamics, future elections, and emerging issues in Russia’s near abroad will continue to shape APT44’s operations for the foreseeable future.

#### Protecting the Community

As part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated. Where possible, Mandiant sends victim notifications via the Victim Notification Program.
To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security and has a strong track record protecting users. If you are a Google Chronicle Enterprise+ customer, Chronicle rules were released to your Emerging Threats rule pack, and IOCs listed in this report are available for prioritization with Applied Threat Intelligence.

We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.

-----

### Technical Annex

###### APT44 Indicators of Compromise

For IOCs, please see our VT Collection.

###### Malware

This section includes malware Mandiant observed APT44 using since 2018, with the exception of ETERNALPETYA (aka NotPetya), which was deployed by APT44 in 2017. We have split this section into three: custom malware unique to APT44, malware that is publicly or commercially available but modified and customized by APT44, and publicly or commercially available malware used by APT44.

###### Custom Malware

| Name | Role | Description |
|---|---|---|
| ARGUEPATCH | Launcher | ARGUEPATCH is a malicious launcher that decrypts a file on disk using a trivial XOR algorithm and executes a second stage payload in memory. |
| AXETERROR | Backdoor | AXETERROR is a backdoor written in Go. Upon startup, the malware creates persistence as either a cron job or a system startup script. AXETERROR communicates over HTTPS and supports the following commands: update or delete itself, download or upload files to C2, execute shell commands, set proxy configuration, update C2, and update beacon interval. |
| BACKORDER | Downloader | BACKORDER is a downloader written in Go which targets Windows machines. It downloads and executes a second stage payload from a remote server. BACKORDER is usually delivered within trojanized installer files and is hard coded to execute the original setup executable. |
| BACKORDER.V2 | Downloader | BACKORDER.V2 is a downloader written in Go that targets the Windows environment. It downloads and executes a second stage payload from a remote server. The malware can set the %TEMP% directory as an excluded folder in Windows Defender before downloading a zip file to that folder from its C2 server. The malware unzips the downloaded zip file and executes the file inside. |
| BRUSHPASS | Webshell | BRUSHPASS is a webshell written in C# which provides a threat actor with the means to execute commands, alter victim firewall configurations, upload files to the victim device, and perform directory listing, file deletion and file collection. Additional capabilities in some BRUSHPASS samples include the collection of the current page URL as an absolute path, both uploading and downloading of files, and opening ports on the victim machine. |
| CADDYWIPER | Wiper | CADDYWIPER is a disruptive file wiper written in C which enumerates the system's physical drives and overwrites both file content and partitions with null bytes. CADDYWIPER has both executable and shellcode variants. |
| COLDWELL | Dropper | COLDWELL is a dropper written in C that contains an encrypted and embedded payload. Upon execution COLDWELL generates a random filename to write an embedded payload, configures persistence, and blends the next-stage timestamp with a legitimate file on disk. |
| EARLYBLOOM | Backdoor | EARLYBLOOM is a backdoor written in C++ that communicates over HTTPS. Supported backdoor commands include shell command execution, file transfer, file execution, and uninstall. |
| EXARAMEL | Backdoor | EXARAMEL is a backdoor that is capable of encrypting and exfiltrating files from a configured directory as well as receiving and executing commands from C2. EXARAMEL stores its configuration, structured as XML, in the registry. The configuration defines its C2, exfiltration directory, proxy, and beacon interval. EXARAMEL is capable of executing the following tasks: launch a process, create a file, upload a file, execute a shell command, and execute a VB Script. |
| FACEFISH | Dropper | FACEFISH is a dropper which releases a rootkit; its main function is determined by the rootkit module, which works at the Ring3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd related functions. FACEFISH also supports some backdoor functions and a flexible configuration, uses Diffie-Hellman key exchange and Blowfish-encrypted network communication, and targets Linux x64 systems. The main functions of FACEFISH are uploading device information, stealing user credentials, providing a bounce (reverse) shell, and executing arbitrary commands. |
| FAIRROOT | Dropper | FAIRROOT is a VBScript macro used to deliver an encoded payload, usually decoded using a fixed string as a key. FAIRROOT is capable of determining if the system is running in a sandbox. |
| FELIXROOT | Backdoor | FELIXROOT is a memory-only DLL backdoor that is capable of system reconnaissance, data exfiltration, and remote code execution. All communications, including exfiltrated data, are AES-encrypted with one of two hard-coded public keys, and sent back to the C2 server via HTTP or HTTPS. |
| FIZZLESHELL | Webshell | FIZZLESHELL is a PHP webshell that employs well written cryptographic code to obfuscate three supported commands. These commands are invoked by setting a cookie to a specific value. FIZZLESHELL sends its HTTP(S) POST data with the content of a MIME message to a hardcoded C2 server. |
| FREETOW | Memory-Only Dropper | FREETOW is an in-memory dropper for a shellcode payload. FREETOW has been identified as a payload patched into legitimate Microsoft applications. FREETOW contains an anti-emulation technique where it requires the first character of the |
| GOGETTER | Tunneler | GOGETTER is a tunneler written in Go that proxies communications for its C2 server using the open-source library Yamux over TLS. |
| ICYWELL | Backdoor | ICYWELL is a backdoor written in C++ that gives a threat actor a reverse shell, executes arbitrary commands, can write and read files, and in some instances updates itself on the host. |
| ILLICITORDER | Dropper | ILLICITORDER is a dropper written in C++ which contains an XOR and Base64-encoded second stage payload. Upon execution, ILLICITORDER drops the second stage payload to disk and executes it alongside a legitimate installer. ILLICITORDER is usually embedded into trojanized software installation media. |
| INDUSTROYER | Disruptive Malware Framework | INDUSTROYER is a modular malware framework that is designed to survey and manipulate power grid control systems. Included in the framework are four modules that issue commands to open (and close) circuit breakers, a wiper module designed to search for and overwrite several control system specific files, and a SIPROTEC DoS module. |
| ITCHYSPARK | Utility | ITCHYSPARK is a lateral movement tool used to deploy the NEARMISS wiper. ITCHYSPARK enumerates the local network via various APIs, attempts an SMB connection, and is capable of port scanning. |
| ITCHYSPARK.SMB | Utility | ITCHYSPARK.SMB is a lateral movement tool used to copy an executable to a remote SMB server, and to execute the file. |
| ITCHYSPARK.WMI | Utility | ITCHYSPARK.WMI is a lateral movement tool used to copy an executable to a remote path, and execute the file as a Windows service or a standard process via WMI/COM. |
| JUNKMAIL | Wiper | JUNKMAIL is a .NET wiper which uses an unknown obfuscator and junk code to obfuscate control flow. JUNKMAIL enumerates each domain controller under the domain as well as drives, their respective directories, and files. It wipes files by overwriting them with null bytes. |
| LUCKYPIE | Launcher | LUCKYPIE is a launcher that loads and executes a DLL from its resource section. The malware is embedded into the zlib library code and exports many zlib functions. |
| NEARMISS | Wiper | NEARMISS is a master boot record (MBR) wiper that disables the Shadow Volume Copy and CrashDumps before wiping the MBR. After successful execution, the wiper will initiate a system shutdown, rendering the targeted device inoperable. |
| NEARTWIST | Wiper | NEARTWIST is a disruptive file wiper written in C which enumerates the device’s physical drives and attempts to wipe them either directly or through overwriting the content of each file using data obtained from a pseudorandom number generator. |
| NEWRETURN | Memory-Only Dropper | NEWRETURN is an in-memory .NET dropper which contains an embedded binary that is decompressed and executed as the main functionality of this malware family. Some identified samples are padded with a huge number of null bytes, likely to make the sample too large to submit to automated analysis tools. |
| NIKOWIPER | Wiper | NIKOWIPER is a disruptive tool written in C that contains an embedded Sysinternals SDelete executable that is used to delete files on disk. |
| NIKOWIPER.MBR | Wiper | NIKOWIPER.MBR is a disruptive tool written in C that contains an embedded Sysinternals SDelete executable that is used to delete files on disk. NIKOWIPER.MBR contains additional functionality that wipes the Master Boot Record on victim devices. |
| PARTYTICKET | Wiper | PARTYTICKET is a disruptive file wiper written in Go that enumerates the file system and selects files to wipe based on the file extension. PARTYTICKET will then encrypt the content of the files with AES. |
| PENNYBAG | Dropper | PENNYBAG is a malicious macro dropper used to decode and write a payload to disk. Encoded payloads are stored as a series of byte arrays. PENNYBAG has historically been used to distribute BLACKENERGY.V2 and V3 and STRAYKEY in targeted attacks. |
| PRESSTEA | Ransomware | PRESSTEA is ransomware written in C++ that encrypts local files. Observed extensions for encrypted files include “.enc”. PRESSTEA uses wbadmin to delete the backup catalog on a computer, then wipes the volume shadow copies. |
| QUICKTOW | Backdoor | QUICKTOW is a lightweight backdoor written in Go that communicates via HTTP. Its supported backdoor commands include command execution, opening a new session, and disconnecting. QUICKTOW can also connect to other instances of the backdoor to forward commands. |
| ROARBAT | Wiper | ROARBAT is a disruptive batch-script wiper responsible for enumerating drives and directories and using WinRAR to delete data. |
| SOURGRAPES | Disruptive Malware | SOURGRAPES is disruptive malware that destroys files on network shares and disables all services on a victim system. |
| SHARPCOFFEE | Downloader | SHARPCOFFEE is a downloader written in JavaScript which retrieves payloads via HTTP. Downloaded payloads are executed from memory using a PowerShell sub-process, and console output is uploaded to a remote server via HTTP. SHARPCOFFEE has been observed being delivered via SHARPIVORY, and subsequently downloading SHARPENTRY. |
| SHARPCOFFEE.VBS | Downloader | SHARPCOFFEE.VBS is a Windows downloader written in Visual Basic used to download other malware and upload data via PowerShell. |
| SHARPENTRY | Downloader | SHARPENTRY is a downloader written in C that retrieves payloads via TCP. Details of the remote server are provided as command-line arguments. Payloads are decoded and mapped into memory, with the entry-point being determined at run-time. SHARPENTRY has been observed being deployed via SHARPCOFFEE and subsequently deploying METERPRETER. |
| SHARPIVORY | Dropper | SHARPIVORY is a dropper written in .NET that writes an embedded payload to disk and establishes persistence via scheduled tasks. The dropper also drops and opens a decoy Microsoft Office Word document. SHARPIVORY has been observed dropping SHARPCOFFEE. |
| SPAREPART | Backdoor | SPAREPART is a lightweight backdoor written in C that uses the device's UUID as a unique identifier for communications with the C2. Upon successful connection to a C2, SPAREPART will download the tasking and execute it through a newly created process. |
| SWEETTREAT | Utility | SWEETTREAT is a utility service which provides cryptographic functionality upon request via a named pipe or RPC. SWEETTREAT appears to represent a class of functionality that is uncommon. |

-----

###### Modified Publicly or Commercially Available Malware

| Name | Role | Description |
|---|---|---|
| BLACKENERGY | Backdoor | Early BLACKENERGY malware variants were used to create distributed denial-of-service (DDoS)-focused botnets and have since evolved over time. Variants of BLACKENERGY, BLACKENERGY.V2 and BLACKENERGY.V3, are modular backdoors which have the ability to download additional conditional modules to targeted machines. BLACKENERGY.V2 and BLACKENERGY.V3 samples used by Sandworm only utilized modules to conduct espionage. Often configured to communicate with two C2 servers, these BLACKENERGY variants contain basic capabilities such as victim profiling, updating the configuration block, downloading and executing files, downloading and loading plugins, unloading and deleting plugins, and uninstalling the backdoor. |
| HEXCHAMBER | Builder | HEXCHAMBER is a custom implementation of the open-source project Malicious Macro Generator (MMG). This variation of the macro breaks encoded strings into binary and hex-based counterparts and concatenates them into an encoded command string later decoded with a constant. HEXCHAMBER has been used to distribute PowerShell Empire. |
| ETERNALPETYA | Wiper | Petya is a ransomware family that is atypical in that the malware does not encrypt individual files on victims' systems, but instead overwrites the master boot record (MBR) and encrypts the master file table (MFT), which renders the system inoperable until the ransom has been paid. The malware contains a dropper, a custom boot loader, and a small Windows kernel that executes additional encryption routines. The ETERNALPETYA variant of PETYA is a disruption tool capable of encrypting files, encrypting the MBR, installing a bootkit, extracting credentials, performing lateral movement, and remote exploitation via known vulnerabilities. |
| POWERDISCO | Utility | POWERDISCO is a Windows PowerShell script that has the capability to enumerate Group Policy Objects (GPO) using the Active Directory Service Interface (ADSI). It may only be able to find policies linked to the root domain. POWERDISCO may have been sourced from a blog post by Medium user @pentesttas called “Discover Hidden GPO(s) on Active Directory using PS>ADSI” and then modified by the attacker. |
| TANKTRAP | Utility | TANKTRAP is a utility written in PowerShell that utilizes Windows group policy to spread and launch a wiper. TANKTRAP has been observed being used with NEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER. TANKTRAP is likely inspired by public projects like [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) and PowerGPOAbuse. |
| WILDDIME | Backdoor | WILDDIME is a PowerShell backdoor capable of downloading, uploading and executing files. WILDDIME has been observed deployed via an LNK file and is responsible for opening a decoy document. WILDDIME is a modified variant of the public tool HTTP-Shell, developed by JoelGMSec. |

-----

###### Publicly or Commercially Available

| Name | Role | Description |
|---|---|---|
| PIVOTNACCI | Tunneler | PIVOTNACCI is an open-source tunneler tool which allows pivoting into the internal network by deploying HTTP agents. PIVOTNACCI allows the creation of a SOCKS server which communicates with HTTP agents. This tool was inspired by another open-source tunneler, REGEORG. However, it includes some improvements, including support for balanced servers, customizable polling intervals, auto-dropping of connections closed by a server, and password-protected agents. |
| WSO | Webshell | WSO is a PHP-based webshell that functions as a backdoor. Supported backdoor commands include shell command execution, reverse shell, file transfer, arbitrary PHP code execution, SQL database management, and file management. WSO requires a password to operate. |

-----

###### APT44 Related Hunting Rules

-----

###### Mandiant Security Validation Actions

Organizations can validate their security controls using the following actions with Mandiant Security Validation.

| VID | Name |
|---|---|
| A101-165 | Application Vulnerability - APT44, CVE-2019-10149, Remote Code Execution, Benign Payload |
| A101-166 | Application Vulnerability - APT44, CVE-2019-10149, Remote Code Execution, Malicious Payload |
| A102-517 | Command and Control - APT44, AXETERROR, Beacon, Variant #1 |
| A107-038 | Command and Control - APT44, BLACKENERGY, Beacon, Variant #1 |
| A106-188 | Command and Control - APT44, BRUSHPASS, DNS Query, Variant #1 |
| A107-010 | Command and Control - APT44, DARKCRYSTALRAT, C2 Communication, Variant #2 |
| A105-312 | Command and Control - APT44, DARKCRYSTALRAT, DNS Query, Variant #1 |
| A105-407 | Command and Control - APT44, DNS Query, Variant #1 |
| A105-408 | Command and Control - APT44, DNS Query, Variant #2 |
| A107-026 | Command and Control - APT44, FELIXROOT, Beacon, Variant #1 |
| A106-106 | Command and Control - APT44, GOGETTER, DNS Query, Variant #1 |
| A107-024 | Command and Control - APT44, PASWEB, Download File |
| A107-027 | Command and Control - APT44, PASWEB, Establish Connection |
| A107-033 | Command and Control - APT44, PASWEB, Execute phpinfo() Command |
| A107-013 | Command and Control - APT44, PASWEB, Execute Version Command |
| A107-016 | Command and Control - APT44, PASWEB, File Search |
| A107-031 | Command and Control - APT44, PASWEB, Upload File |
| A106-103 | Command and Control - APT44, QUICKTOW, C2 Communication, HTTP Post, Variant #1 |
| A106-102 | Command and Control - APT44, QUICKTOW, DNS Query, Variant #1 |
| A106-008 | Command and Control - APT44, SPAREPART, Beaconing, Variant #1 |
| A107-001 | Command and Control - APT44, TRICKSHOW, Beacon, Variant #1 |
| A106-994 | Command and Control - APT44, TRICKSHOW, Beacon, Variant #2 |
| A106-996 | Command and Control - UNC1908, STRAYKEY, Check-in |
| A106-998 | Command and Control - UNC1908, STRAYKEY, Command Response |
| A106-999 | Command and Control - UNC1908, STRAYKEY, Startup Communication |
| A104-850 | Host CLI - APT44, Add New Local User mysql_db, Linux |
| A106-193 | Host CLI - APT44, BRUSHPASS, Modifying Firewall Rules |
| A106-439 | Host CLI - APT44, CADDYWIPER, Scheduled Task, Variant #1 |
| A102-993 | Malicious File Transfer - APT44, INDUSTROYER, Download, Variant #2 |
| A107-012 | Malicious File Transfer - APT44, ITCHYSPARK.SMB, Download, Variant #1 |
| A107-011 | Malicious File Transfer - APT44, ITCHYSPARK.WMI, Download, Variant #1 |
| A101-887 | Malicious File Transfer - APT44, Malicious Bash Script, Download, Variant #2 |
| A101-390 | Malicious File Transfer - APT44, METERPRETER, Download |
| A102-573 | Malicious File Transfer - APT44, NEARMISS, Download, Variant #1 |
| A102-574 | Malicious File Transfer - APT44, NEARMISS, Download, Variant #2 |
| A102-662 | Malicious File Transfer - APT44, NEARTWIST, Download, Variant #1 |
| A106-995 | Malicious File Transfer - APT44, NEWRETURN Dropper, Download, Variant #1 |
| A105-426 | Malicious File Transfer - APT44, OWA Credential Harvesting Page, Download, Variant #1 |
| A105-427 | Malicious File Transfer - APT44, OWA Credential Harvesting Page, Download, Variant #2 |
| A105-428 | Malicious File Transfer - APT44, OWA Credential Harvesting Page, Download, Variant #3 |
| A105-429 | Malicious File Transfer - APT44, OWA Credential Harvesting Page, Download, Variant #4 |
| A102-663 | Malicious File Transfer - APT44, PARTYTICKET, Download, Variant #1 |
| A103-614 | Malicious File Transfer - APT44, POWERDISCO, Download, Variant #1 |
| A107-023 | Malicious File Transfer - APT44, REGEORG.NEO, Download, Variant #1 |
| A107-019 | Malicious File Transfer - APT44, REGEORG.NEO, Upload, Variant #1 |
| A106-009 | Malicious File Transfer - APT44, SPAREPART, Download, Variant #1 |
| A106-546 | Malicious File Transfer - APT44, STOWAWAY, Download, Variant #1 |
| A106-547 | Malicious File Transfer - APT44, STOWAWAY, Download, Variant #2 |
| A107-030 | Malicious File Transfer - APT44, TANKTRAP, Download, Variant #1 |
| A102-579 | Malicious File Transfer - APT44, VPNFILTER, Download, Variant #1 |
| A102-580 | Malicious File Transfer - APT44, VPNFILTER, Download, Variant #2 |
| A102-581 | Malicious File Transfer - APT44, VPNFILTER, Download, Variant #3 |
| A101-287 | Malicious File Transfer - CVE-2019-10149, APT44, Malicious Bash Script, Download |
| A106-997 | Malicious File Transfer - UNC4209, SWEETJADE, Download, Variant #1 |
| A106-988 | Malicious File Transfer - WSO, Upload, Variant #1 |
| A107-035 | Phishing Email - APT44, Malicious Attachment, FAIRROOT, Variant #1 |
| A107-034 | Phishing Email - APT44, Malicious Attachment, FELIXROOT, Variant #1 |
| A107-039 | Phishing Email - APT44, Malicious Attachment, HEXCHAMBER, EMPIRE, Variant #1 |
| A107-022 | Phishing Email - APT44, Malicious Attachment, HEXCHAMBER, Variant #1 |
| A107-032 | Phishing Email - APT44, Malicious Attachment, HEXCHAMBER, Variant #2 |
| A107-044 | Phishing Email - APT44, Malicious Attachment, PENNYBAG, BLACKENERGY, Variant #1 |
| A107-014 | Phishing Email - APT44, Malicious Attachment, PENNYBAG, BLACKENERGY, Variant #2 |
| A107-042 | Phishing Email - APT44, Malicious Attachment, PENNYBAG, BLACKENERGY, Variant #3 |
| A107-036 | Phishing Email - APT44, Malicious Attachment, PENNYBAG, BLACKENERGY, Variant #4 |
| A101-158 | Phishing Email - Malicious Attachment, APT44, Doc Lure |
| A103-626 | Phishing Email - Malicious Attachment, APT44, EARLYBLOOM, HTML Downloader |
| A107-041 | Phishing Email - Malicious Attachment, APT44, TRICKSHOW Dropper, Variant #1 |
| A107-007 | Protected Theater - APT44, ILLICITORDER, Execution, Variant #1 |
| A107-020 | Protected Theater - APT44, BLACKENERGY, Execution, Variant #1 |
| A105-030 | Protected Theater - APT44, CADDYWIPER, Execution, Variant #1 |
| A106-437 | Protected Theater - APT44, CADDYWIPER, Execution, Variant #2 |
| A107-002 | Protected Theater - APT44, COLIBRI Dropper, Mount ISO, Variant #1 |
| A106-989 | Protected Theater - APT44, COLIBRI, Execution, Variant #1 |
| A107-004 | Protected Theater - APT44, COLIBRI, Execution, Variant #2 |
| A106-107 | Protected Theater - APT44, Create GOGETTER Scheduled Task |
| A107-005 | Protected Theater - APT44, DARKCRYSTALRAT, Execution, Variant #1 |
| A105-346 | Protected Theater - APT44, EARLYBLOOM, CVE-2022-30190, HTML Downloader, Execution |
| A106-372 | Web Server Activity - APT44, BRUSHPASS, Webshell File Upload Activity |

###### For more information visit cloud.google.com