{
	"id": "38d2602b-42bc-4d9f-b1e4-f0378122354d",
	"created_at": "2026-04-06T00:09:11.039136Z",
	"updated_at": "2026-04-10T03:37:09.123361Z",
	"deleted_at": null,
	"sha1_hash": "df08269faae211afd9dbbc9287425c662fe3f9bf",
	"title": "Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 681588,
	"plain_text": "Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit\r\nSandworm\r\nBy Mandiant\r\nPublished: 2024-04-17 · Archived: 2026-04-05 14:19:40 UTC\r\nWritten by: Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton\r\nProkopenkov, Luke Jenkins, Dan Perez, Lexie Aytes, Alden Wahlstrom\r\nWith Russia's full-scale invasion in its third year, Sandworm (aka FROZENBARENTS) remains a formidable\r\nthreat to Ukraine. The group’s operations in support of Moscow’s war aims have proven tactically and\r\noperationally adaptable, and as of today, appear to be better integrated with the activities of Russia’s conventional\r\nforces than in any other previous phase of the conflict. To date, no other Russian government-backed cyber group\r\nhas played a more central role in shaping and supporting Russia’s military campaign. \r\nYet the threat posed by Sandworm is far from limited to Ukraine. Mandiant continues to see operations from the\r\ngroup that are global in scope in key political, military, and economic hotspots for Russia. Additionally, with a\r\nrecord number of people participating in national elections in 2024, Sandworm’s history of attempting to interfere\r\nin democratic processes further elevates the severity of the threat the group may pose in the near-term. \r\nGiven the active and diffuse nature of the threat posed by Sandworm globally, Mandiant has decided to graduate\r\nthe group into a named Advanced Persistent Threat: APT44. As part of this process, we are releasing a report,\r\n“APT44: Unearthing Sandworm”, that provides additional insights into the group’s new operations, retrospective\r\ninsights, and context on how the group is adjusting to support Moscow’s war aims.\r\nKey Findings \r\nSponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that\r\nis actively engaged in the full spectrum of espionage, attack, and influence operations. 
While most state-backed threat groups tend to specialize in a specific mission such as collecting intelligence, sabotaging networks,\r\nor conducting information operations, APT44 stands apart in how it has honed each of these capabilities and\r\nsought to integrate them into a unified playbook over time. Each of these respective components, and APT44’s\r\nefforts to blend them for combined effect, are foundational to Russia’s guiding “information confrontation”\r\nconcept for cyber warfare.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235\r\nPage 1 of 5\n\nFigure 1: APT44’s spectrum of operations\r\nAPT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime\r\nadvantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine\r\nover the past decade. Throughout Russia’s war, APT44 has waged a high intensity campaign of cyber sabotage\r\ninside Ukraine. Through the use of disruptive cyber tools, such as wiper malware designed to disrupt systems,\r\nAPT44 has sought to impact a wide range of critical infrastructure sectors. At times, these operations have been\r\ncoordinated with conventional military activity, such as kinetic strikes or other forms of sabotage, in an attempt to\r\nachieve joint military objectives.\r\nHowever, as the war has endured, APT44’s relative focus has transitioned away from disruption to intelligence\r\ncollection. The group’s targets and methods have shifted significantly in the second year of the war, with\r\nincreasing emphasis placed on espionage activity intended to provide battlefield advantage to Russia’s\r\nconventional forces. For example, one long-running APT44 campaign has assisted forward-deployed Russian\r\nground forces to exfiltrate communications from captured mobile devices in order to collect and process relevant\r\ntargeting data. 
APT44’s approach to supporting Russia’s military campaign has evolved considerably over the past\r\ntwo years.\r\nFigure 2: APT44’s wartime disruptive activity\r\nWe assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable\r\nof servicing Russia's wide-ranging national interests and ambitions, including efforts to undermine\r\ndemocratic processes globally.\r\nDespite being an arm of Russia’s military, the group’s sabotage activity is not limited to military objectives and\r\nalso spans Russia’s wider national interests, such as driving the Kremlin’s political signaling efforts, responses to\r\ncrises, or intended non-escalatory responses to perceived slights to Moscow’s stature in the world.\r\nAPT44’s support of the Kremlin’s political objectives has resulted in some of the largest and most consequential\r\ncyber attacks in history. These operations include first-of-their-kind disruptions of Ukraine's energy grid in the\r\nwinters of 2015 and 2016, the global NotPetya attack timed to coincide with Ukraine’s Constitution Day in 2017,\r\nand the disruption of the opening ceremony of the 2018 Pyeongchang Olympics in response to Russia's doping\r\nban from the games, to name a few.\r\nFigure 3: Timeline of consequential pre-war APT44 operations\r\nDue to its history of aggressive use of network attack capabilities across political and military contexts,\r\nAPT44 presents a persistent, high severity threat to governments and critical infrastructure operators\r\nglobally where Russian national interests intersect. 
The combination of APT44's high capability, risk tolerance,\r\nand far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and\r\ncritical infrastructure operators around the world at risk of falling into the group's sights on short notice.\r\nWe also judge APT44 to present a significant proliferation risk for new cyber attack concepts and methods.\r\nContinued advancements and in-the-wild use of the group’s disruptive and destructive capabilities have likely\r\nlowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack\r\nprograms. Russia itself is almost certainly alert to and concerned about this proliferation risk, as Mandiant has\r\nobserved Russian cybersecurity entities exercise their ability to defend against categories of disruptive cyber\r\ncapabilities originally used by APT44 against Ukraine.\r\nLooking Ahead\r\nAPT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally. It\r\nhas been at the forefront of the threat landscape for over a decade and is responsible for a long list of firsts that\r\nhave set precedents for future cyber attack activity. Patterns of historical activity, such as efforts to influence\r\nelections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that\r\nmay fuel the group’s operations in the future.\r\nAs Russia’s war continues, we anticipate Ukraine will remain the principal focus of APT44 operations. However,\r\nas history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider\r\nstrategic objectives globally is ingrained in its mandate. 
We therefore assess that changing Western political\r\ndynamics, upcoming elections, and emerging issues in Russia’s near abroad will also continue to shape APT44’s\r\noperations for the foreseeable future.\r\nProtecting the Community\r\nAs part of our research, we take various steps to protect customers and the community:\r\nGoogle's Threat Analysis Group (TAG) uses the results of our research to improve the safety and security\r\nof Google’s products.\r\nUpon discovery, all identified websites and domains are added to Safe Browsing to protect users\r\nfrom further exploitation.\r\nAll targeted Gmail and Workspace users are sent government-backed attacker alerts, notifying them\r\nof the activity, encouraging potential targets to enable Enhanced Safe Browsing for Chrome, and\r\nreminding them to ensure that all their devices are updated.\r\nWhere possible, Mandiant sends victim notifications via the Victim Notification Program.\r\nIf you are a Google Chronicle Enterprise+ customer, Chronicle rules were released to your Emerging\r\nThreats rule pack, and IOCs are available for prioritization with Applied Threat Intelligence.\r\nA VirusTotal Collection featuring APT44-related indicators of compromise is now available for registered\r\nusers.\r\nWe are committed to sharing our findings with the security community to raise awareness, and with companies\r\nand individuals that might have been targeted by these activities. 
\r\nRead the APT44 report for our full analysis of this group, a detailed list of malware used by APT44 since 2018,\r\nhunting rules for detecting the malware, and a list of Mandiant Security Validation actions organizations can use to\r\nvalidate their security controls.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235"
	],
	"report_names": [
		"apt44-unearthing-sandworm?linkId=9627235"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44",
				"ATK14",
				"BlackEnergy Group",
				"Blue Echidna",
				"CTG-7263",
				"ELECTRUM",
				"FROZENBARENTS",
				"Hades/OlympicDestroyer",
				"IRIDIUM",
				"Qudedagh",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"Telebots",
				"Voodoo Bear"
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df08269faae211afd9dbbc9287425c662fe3f9bf.pdf",
		"text": "https://archive.orkl.eu/df08269faae211afd9dbbc9287425c662fe3f9bf.txt",
		"img": "https://archive.orkl.eu/df08269faae211afd9dbbc9287425c662fe3f9bf.jpg"
	}
}