{
	"id": "f442dcea-649a-43e6-a68c-90f26cd83d27",
	"created_at": "2026-04-06T00:14:41.148594Z",
	"updated_at": "2026-04-10T03:37:09.203316Z",
	"deleted_at": null,
	"sha1_hash": "e67cd23f1708d2cafdcbe66cceb161e03ca39049",
	"title": "The GRU's Disruptive Playbook | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2266127,
	"plain_text": "The GRU's Disruptive Playbook | Mandiant\r\nBy Mandiant\r\nPublished: 2023-07-12 · Archived: 2026-04-05 15:58:45 UTC\r\nWritten by: Dan Black, Gabby Roncone\r\nUPDATE (April 2024): We have merged UNC3810 into APT44. The UNC3810-related activity described in this\r\npost is now attributed to APT44 (aka Sandworm Team).\r\nKey Judgments\r\nSince last February's invasion, Mandiant has tracked Russian military intelligence (GRU) disruptive\r\noperations against Ukraine adhering to a standard five-phase playbook.\r\nMandiant assesses with moderate confidence that this standard concept of operations represents a\r\ndeliberate effort to increase the speed, scale, and intensity at which the GRU can conduct offensive cyber\r\noperations, while minimizing the odds of detection.\r\nThe tactical and strategic benefits the playbook affords are likely tailored for a fast-paced and highly\r\ncontested operating environment. We judge this operational approach may be mirrored in future crises and\r\nconflict scenarios where requirements to support high volumes of disruptive cyber operations are present.\r\nSummary\r\nOn February 24, 2022, Russia invaded Ukraine with troops massed on the border of the two countries that had\r\nbeen building since the previous fall. As Mandiant has detailed previously in reports such as M-Trends 2023 and\r\nother resources available in our Ukraine Crisis Resource Center, we have tracked Russian cyber operations against\r\nUkraine both leading up to and following the invasion. 
We categorize these operations stretching back before the\r\nstart of the war on February 24, 2022, into six phases, spanning access operations, cyber espionage, waves of\r\ndisruptive attacks, and information operations.\r\nhttps://www.mandiant.com/resources/blog/gru-disruptive-playbook\r\nPage 1 of 13\n\nFigure 1: Phases of Russian Cyber Operations during the war in Ukraine\r\nAlthough there has been a significant focus on the sheer volume of wiper activity and the perception of “success”\r\nof these disruptive operations, there is more to the story of Russian military intelligence (GRU) disruptive\r\noperations than just wipers. We have observed the same five components being executed across the disruptive\r\noperations in Ukraine, combining the GRU’s cyber and information operations into a unified wartime capability.\r\nTo equip defenders with knowledge of this standard operational approach, we have outlined the GRU’s disruptive\r\nplaybook, which expands on the patterns of tactical and strategic behavior Mandiant has observed. To demonstrate\r\nthe playbook in action, we examine a UNC3810 operation targeting a Ukrainian government entity with\r\nCADDYWIPER that took place in the fifth phase of the war, a renewed campaign of disruptive attacks at the end\r\nof 2022.\r\nOverview: The GRU’s Disruptive Playbook\r\nSince Russia’s invasion of Ukraine, Mandiant Intelligence has observed the GRU operate a standard, repeatable\r\nplaybook to pursue its information confrontation objectives. The persistent use of this playbook through the six\r\nphases of Russia’s war has indicated its high adaptability across a range of different operational contexts, targets,\r\nand over 15 different destructive malware variants. 
The playbook has also proved highly survivable and resilient\r\nto detection and technical countermeasures, allowing the GRU to adhere to a common set of tactics, techniques\r\nand procedures (TTPs) despite an extended period of aggressive, high-tempo operational use. Mandiant has\r\nobserved the playbook in use by multiple distinct Russian threat clusters throughout the war, indicating its central\r\nrole in standardizing operations across multiple subteams in an attempt to deliver more repeatable, consistent\r\neffects.\r\nFigure 2: The GRU’s Disruptive Playbook\r\nAcross the incidents Mandiant has responded to, we have seen suspected GRU threat clusters generally adhere to\r\nthe following five operational phases:\r\n1. Living on the Edge: Leveraging hard-to-detect compromised edge infrastructure such as routers, VPNs,\r\nfirewalls, and mail servers to gain and regain initial access into targets.\r\n2. Living off the Land: Using built-in tools such as operating system components or pre-installed software\r\nfor reconnaissance, lateral movement and information theft on target networks, likely aiming to limit their\r\nmalware footprint and evade detection.\r\n3. Going for the GPO: Creating persistent, privileged access from which wipers can be deployed via group\r\npolicy objects (GPO) using a tried-and-true PowerShell script.\r\n4. Disrupt and Deny: Deploying “pure” wipers and other low-equity disruptive tools such as ransomware to\r\nfit a variety of contexts and scenarios.\r\n5. 
Telegraphing “Success”: Amplifying the narrative of successful disruption via a series of hacktivist\r\npersonas on Telegram, regardless of the actual impact of the operation.\r\nFigure 3: Overlay of Phases of GRU’s Disruptive Playbook with Mandiant Attack Lifecycle\r\nMandiant assesses with moderate confidence that this standard concept of operations highly likely represents a\r\ndeliberate effort to increase the speed, scale, and intensity at which the GRU could conduct offensive cyber\r\noperations while minimizing the odds of detection. The benefits the playbook affords are notably suited for a fast-paced and highly contested operating environment, indicating that Russia’s wartime goals have likely guided the\r\nGRU’s chosen tactical courses of action. While other options have existed at each stage of the playbook, the GRU\r\nhas opted for the same tradecraft repeatedly. We anticipate that similar operational approaches, or “playbooks”,\r\nmay be mirrored in future crises and conflict scenarios where requirements to support high volumes of disruptive\r\ncyber operations are present.\r\nPhase Assessed Tactical Benefits Assessed Strategic Benefits\r\nLiving on the Edge: Challenging to defend \u0026 difficult to detect; Foothold for lateral movement; Scalable across different targets; Maintain access after disruption; Generalize tactics for common enterprise technologies\r\nLiving off the Land: Avoid detection; Does not expose sensitive tooling; Does not require resources to build custom tools or utilities; Generalize toolset for common enterprise operating systems\r\nGoing for the GPO: Privileged lateral movement and execution; Can be used to impair defenses; Maximizes disruptive effect across a domain; Limit spillover potential\r\n
Disrupt and Deny: Seamlessly integrate new disruptive tools when required; Sometimes erases attacker presence; Generate immediate disruptive effect to key information resources; Create perceptions of insecurity; Feigned extortion for additional psychological effect\r\nTelegraph “Success”: Generate second-order psychological effects; Prime the information space; Generate perception of success; Reinforce perception of popular support for war via “hacktivist” personas\r\nTable 1: Outline of Tactical \u0026 Strategic Benefits in Phases of the Playbook\r\nThe GRU’s disruptive playbook has sought to integrate the full spectrum of information confrontation\r\n(Информационное противоборство) capabilities that Russia conceptually defines as cryptographic\r\nreconnaissance of information and communication systems (KRIKS), information-technical effects (ITV), and\r\ninformation-influence effects (IPV). While these concepts generally map to what the threat intelligence\r\ncommunity commonly refers to as access operations and their follow-on espionage, attack, and influence\r\nmissions, it is important to understand how Russia defines these concepts and seeks to incorporate the different\r\ncomponents of its cyber program in its own terms. 
A particular feature of the playbook, and more generally of the\r\nGRU's information confrontation over the years, has been its emphasis on the information-psychological effects\r\nfrom its cyber operations, which we judge has driven the overarching focus of its disruptive operations on\r\nUkrainian government and civilian critical infrastructure.\r\nFigure 4: Information confrontation doctrine components driving the GRU’s Disruptive Playbook\r\nThe Playbook in Practice: UNC3810’s Information Confrontation\r\nUNC3810 is one of the primary threat groups that Mandiant has observed executing the GRU’s disruptive\r\nplaybook in practice. UNC3810 has conducted espionage and disruptive operations against Ukrainian entities\r\nsince the onset of Russia’s invasion, as well as credential theft operations against a wide variety of global public\r\nand private industry organizations. Though UNC3810 has balanced competing priorities of espionage and\r\ndisruption over the course of the war, this case focuses on the group’s disruptive operations.\r\nLiving on the Edge\r\nRussian wartime cyber campaigns in Ukraine have depended on the GRU’s ability to balance priorities for\r\nespionage and disruption, thus heavily relying on “living on the edge” of target networks via edge infrastructure.\r\nEdge infrastructure is any infrastructure facing the public internet, including firewalls, mail servers, and routers\r\nthat can be used flexibly for a variety of operational objectives. Edge infrastructure compromise has generally\r\noccurred in the early stages of the attack lifecycle, but also takes place later, such as in the case of compromise of\r\ninternal routers.\r\nIn our case study operation, UNC3810 first gained initial access to the target environment in late July 2022, likely\r\nvia a VPN compromise. 
After gaining initial access from the edge, UNC3810 accessed several Linux servers and\r\ndropped webshell backdoors to establish redundant points of access and extend their reach into the victim’s\r\nnetwork.\r\nLiving off the Land\r\nTo move off the edge and deeper into target networks, GRU operations have relied upon living off the land tactics,\r\nexploiting tools already available in the victim environment such as operating system components and installed\r\nsoftware. Commonly used UNC3810 post-compromise utilities include PowerShell, wmiexec, PortProxy,\r\nImpacket, and Chisel.\r\nIn this specific case, upon establishing a foothold on the Linux servers with an unknown webshell, the operators\r\nthen attempted to execute GOGETTER, a custom TCP tunneling tool written in Go. UNC3810 timestomped the\r\nbinary to match modification dates of similarly named binaries in the same directory, an attempt to masquerade as\r\nlegitimate software. UNC3810 then executed GOGETTER as a scheduled service with a systemd service script.\r\n/usr/bin/system-sockets | GOGETTER | Executed by systemd service\r\nAdditionally, UNC3810 likely attempted to modify packet filtering rules, as seen by the attempt at executing\r\niptables-restore. However, the actors misspelled the command as “iptables-restor” several times. The combination\r\nof these tools gave the actors persistent access and opportunity for lateral movement across the network\r\nenvironment over a three-month period.\r\nGoing for the GPO\r\nGRU operators manage to persist, escalate privileges, and deploy wipers through TANKTRAP, a script used to\r\ncreate Group Policy Objects (GPOs) to deploy a disruptive payload. GPOs define the settings for the Active\r\nDirectory environment, which makes GPO abuse particularly powerful. 
Though GPO addition and/or modification\r\nof default GPOs often requires the actor to have the highest level of permissions, it may allow an actor to\r\ndownload additional files and create services and scheduled tasks which will be executed across all Active\r\nDirectory domain-linked systems.\r\nIn the case of UNC3810’s October intrusion, the actor changed default GPOs to deploy CADDYWIPER on all\r\nsystems joined to the Active Directory domains of the target network. To do so, UNC3810 likely leveraged\r\nTANKTRAP, a modified version of the PowerGPOAbuse PowerShell utility found on GitHub. TANKTRAP is a staple in\r\nthe GRU’s disruptive playbook, and has been used by UNC3810 to deliver and execute a variety of different\r\ndisruptive tools across its operations via GPO.\r\nFigure 5: PowerGPOAbuse PowerShell Script on GitHub\r\nUpon execution, TANKTRAP creates two group policy preference files:\r\nFiles.xml | Retrieves CADDYWIPER from the domain controller\r\nScheduledtasks.xml | Creates a scheduled task to execute CADDYWIPER\r\nUNC3810 modified GPOs to launch a scheduled task across the domain which would execute CADDYWIPER for\r\na disruptive effect.\r\nDisrupt and Deny\r\nGRU operations on a targeted host machine frequently end with the deployment of wipers or other disruptive\r\ntooling. These disruptive operations hold the potential to cause immediate impact to targeted organizations and\r\nsometimes erase evidence of attacker presence.\r\nCADDYWIPER is a wiper that Mandiant first identified and reported on in March 2022, and has become the\r\nGRU’s most frequently deployed disruptive tool in Ukraine that we have observed. The malware enumerates the\r\nfile system's physical drives and overwrites both file content and partitions with null bytes. 
CADDYWIPER has\r\nalso notably been deployed alongside other disruptive tools, such as INDUSTROYER.V2, indicating the wiper’s\r\nperceived versatility to its operators.\r\nMandiant and others, including Microsoft, ESET, and CERT UA, have identified multiple variants of\r\nCADDYWIPER over time, including x64, x86, and shellcode variants. The GRU has continuously refined\r\nCADDYWIPER since its first use in March 2022, iteratively making the wiper more lightweight and flexible,\r\nthough we continue to see operator error in the malware's deployment. Though these changes may have been\r\nnecessary tactical evolutions to avoid detection and containment by antivirus products, it is possible they reflect\r\nnon-tactical considerations as well, such as resource and personnel shortfalls, more direct access to\r\nCADDYWIPER's codebase (as evidenced by compile times close to operational use), or top-down pressures to\r\nspeed up operations.\r\nOn 3 October 2022 at 07:34 UTC, UNC3810 staged the initial CADDYWIPER sample.\r\nCaclcly.exe | CADDYWIPER x64 variant | Compile time: 2022/09/18 10:17:23\r\nA local antivirus client blocked the initial execution of CADDYWIPER during this operation, after which\r\nUNC3810 re-compiled and dropped an x32 CADDYWIPER variant to the target network, but did not configure\r\nany GPO to execute the variant via scheduled task. The attacker additionally attempted to exclude the file from\r\nantivirus scans. Mandiant assesses the x32 variant was likely successfully executed.\r\nCaclclx.exe | CADDYWIPER x32 variant | Compile time: 2022/10/03 10:01:48\r\nDue to incompatible GPO configuration settings with the target system’s OS versions and the fact that the initial\r\nCADDYWIPER variant was only compiled to run on x64 operating systems, the impact of this disruptive\r\noperation was extremely limited. 
An obvious lack of preparation and reconnaissance on the target systems\r\ncombined with proactive choices made by network defenders prevented UNC3810 from creating a significant\r\ndisruptive impact in this operation.\r\nTelegraphing “Success”\r\nDisruptive operations rarely make headlines by themselves because their effects are not visible to the public,\r\nunless victim organizations choose to publicize the attack. To overcome this dilemma, the GRU has used a series\r\nof Telegram channels assuming hacktivist identities to claim responsibility for cyber attacks and leak stolen\r\ndocuments or other proof from their victims. We assess this tactic is almost certainly an attempt to prime the\r\ninformation space with narratives of popular support for Russia’s war and to generate second-order psychological\r\neffects from the GRU’s network attacks. Follow-on influence efforts tend to exaggerate the success of the\r\npreceding cyber components and are carried out irrespective of the cyber operation's actual impact. Telegram has\r\nbeen the primary platform for these efforts, as channels on the social media platform have become the go-to\r\nsource for unfiltered footage and updates from the war.\r\nIn the final stage of the playbook, data from the victim of UNC3810’s wiper attack was staged and advertised on\r\nTelegram by “CyberArmyofRussia_Reborn”, a self-proclaimed hacktivist persona that claimed responsibility for\r\nthe wiper attack. However, technical artifacts from UNC3810’s intrusion indicate that the\r\n“CyberArmyofRussia_Reborn” persona severely exaggerated the success of the wiper attack. Due to a series of\r\noperator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the\r\ndisrupted network. 
Instead, the Telegram post preceded CADDYWIPER’s execution by 35 minutes, undermining\r\nCyberArmyofRussia_Reborn’s repeated claims of independence from the GRU. Based on the close sequencing\r\nbetween the wiper deployment and Telegram posts, Mandiant assesses with high confidence that UNC3810 and\r\nCyber Army of Russia engaged in forward operational planning to orchestrate the cyber and information\r\noperations components of the operation.\r\nFigure 6: Timeline of UNC3810’s CADDYWIPER and CyberArmyofRussia_Reborn’s Telegram activity\r\nRepeat Offenders: Past is Prologue for Russia’s Disruptive Playbook\r\nThe individual components of the GRU’s wartime playbook have clear roots in its historical patterns of\r\ninformation confrontation. The component TTPs, such as the targeting of edge infrastructure, limiting the overall\r\nfootprint on victim networks and hosts through living off the land techniques, disruptive tools disguised as\r\nransomware, and the increasing use of intermediary or disposable tooling, have become fundamental components\r\nof GRU cyber operations over the years. What is different is the full-scale integration of these capabilities into a\r\nunified, repeatable playbook that has likely been tailored for use in Russia’s invasion of Ukraine.\r\nA Shift to “Pure” Disruptive Tools\r\nFollowing in the footsteps of its historical destructive campaigns, Russia has continued to operate a range of\r\ndisruptive malware variants, including wipers, ransomware, and industrial control system (ICS) specific\r\ncapabilities. While the general intent behind these tools — to irreversibly destroy data and disrupt the ability of\r\ntarget systems to function as intended — is similar, the design of the disruptive malware the GRU has chosen to\r\nuse during the war is substantively different.\r\nFigure 7: Pure vs. 
multifunctional disruptive tooling\r\nSince Russia’s invasion, the GRU has overwhelmingly opted to deploy what we call “pure” disruptive tools. This\r\ncategory of disruptive tooling is lightweight in design and primed for immediate use, containing only the\r\ncapabilities required to disrupt or deny access to the target system. The generic design has made them disposable\r\nand functionally interchangeable, allowing the GRU to integrate new or modified tools into the wider playbook in\r\na plug-and-play fashion to be deployed via GPOs. As an added operational benefit, disruptive tooling of this\r\nnature is freestanding, allowing operators to maintain minimal presence in the victim network and conceal the\r\nchosen malware variant until moments before its use.\r\nThis preference contrasts significantly with the GRU’s historical preference for “multifunctional” disruptive tools\r\nthat have been more complex, multi-stage or modular in design, and have contained added capabilities to carry out\r\nfurther objectives such as system reconnaissance, information theft, propagation to additional systems, or remote\r\ncommand and control. This category of disruptive tool is almost certainly more time- and resource-intensive to\r\ntailor and preposition, and at higher risk of detection, likely limiting the overall speed and scale at which they\r\ncould have been used to achieve operational objectives.\r\nWithin this approach, the GRU has also continued to use disruptive tooling disguised as ransomware, including\r\ncommercially sourced ransomware variants. Using ransomware highly likely serves the dual purpose of\r\ntemporarily misdirecting attribution efforts and amplifying the psychological aspect of the operation, either\r\nthrough the ransom notes themselves or via dark web forums or leak sites where feigned extortion attempts are often\r\ncarried out. 
By incorporating commercially available ransomware and wipers derived from common software and\r\nutilities, we believe that the GRU has likely been able to more rapidly replenish its arsenal with new, undetected\r\ndisruptive tools than it could have by developing them in-house.\r\nFigure 8: Known instances of GRU destructive cyber tool use categorized\r\nIntegrating Hacktivist Identities Into Disruptive Operations\r\nThe GRU’s past tendency to exploit the identities and symbols of noteworthy political actors and hacktivist\r\nidentities has taken a central role in its disruptive playbook. Extending back to at least 2014 and its original\r\ninvasion of Ukraine, Mandiant has tracked what we assess as personas linked to GRU intrusion sets falsely\r\nassuming the identities of anonymous political and hacktivist groups in order to misdirect attribution and generate\r\nsecond-order psychological effects from their cyber operations.\r\nCyberBerkut: Between 2014 and 2018, the GRU assumed the identity of Ukraine’s dissolved special\r\npolice force \"Berkut\" (Беркут) to conduct targeted leaks, website defacements, and distributed denial of\r\nservice (DDoS) attacks against Ukrainian and NATO government and military organizations. Notably, the\r\ngroup attempted to crowdsource support for DDoS attacks by calling for supporters to voluntarily install\r\nmalware on their machines that would aid CyberBerkut's DDoS activity.\r\nCyberCaliphate: In 2015, the GRU used the CyberCaliphate persona (mirroring the pre-existing online\r\npersona used by the terrorist group ISIS) as a false front to claim responsibility for the network disruption\r\nof TV5Monde and a series of social media account compromises, website defacements, and leaks targeting\r\nWestern media and military organizations.\r\nYemeni Cyber Army: In 2015, the GRU likely co-opted the identity of a pre-existing anonymous\r\nhacktivist group “Yemen Cyber Army” (the GRU fork being distinct in its use of “Yemeni”). 
The persona\r\nclaimed to be a grassroots youth group responsible for stealing a cache of documents allegedly given\r\nto WikiLeaks in response to Saudi Arabia’s role in Yemen’s civil war.\r\nGuccifer 2.0: In 2016, the GRU referenced the identity of the jailed Romanian hacker “Guccifer” to leak\r\nstolen and forged documents from the Democratic National Committee (DNC) as part of efforts to\r\ninfluence the 2016 U.S. presidential election.\r\nAnPoland: In 2016, the GRU leaked stolen documents and conducted website defacements and DDoS\r\nattacks against the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS)\r\nunder the false auspices of the hacktivist group Anonymous Poland, mimicking the real hacktivist group\r\nAnonymous.\r\nFancy Bears’ Hack Team: Between 2016 and 2018, the GRU used a false hacktivist persona to conduct a\r\nsustained influence campaign against organizations associated with the Olympic Games and other sporting\r\nbodies, including WADA again.\r\nSince the 2022 Ukraine invasion, Russia has further extended this approach, integrating similarly themed self-proclaimed hacktivist groups into its disruptive playbook. Overlaps in tactics include the continued appropriation\r\nof noteworthy hacktivist identities, crowdsourcing of operational support, and soliciting coverage that could\r\namplify awareness of operations and their perceived impact through exaggerated claims of impact. What is newer\r\nis the central role of Telegram, which has emerged as a critical source of sensemaking, war-related information\r\noperations, and a key recruitment platform for volunteer cyber “armies” in the conflict. Notably, Mandiant has\r\nobserved each of the GRU’s four wartime personas leak data from victims who were also affected by wiper\r\nattacks. 
In multiple incidents, the use of disruptive tools and data leaks have occurred within a short window of\r\ntime, indicating advance planning for the inclusion of the information operations (IO) components in these disruptive campaigns.\r\nCyberArmyofRussia_Reborn: Beginning in March 2022, the Cyber Army of Russia persona, claiming to\r\nbe a grassroots “People’s CyberArmy”, has been used to solicit coverage of destructive malware operations\r\nwhere CADDYWIPER was deployed, distribute tools and crowdsource DDoS attacks, leak stolen data, and\r\nto amplify accounts spreading propaganda regarding Russia’s battlefield progress.\r\nXakNet Team: XakNet’s Telegram channel was also created in March 2022, claiming direct lineage to a\r\ngroup by the same name that targeted Georgian entities during the Russia-Georgia War of 2008. The group\r\ncarries out a spectrum of similar activities to Cyber Army of Russia, including soliciting coverage of\r\nnetwork attacks, crowdsourced DDoS attacks, leaks of stolen data, and amplification of other pro-Russian\r\nTelegram accounts.\r\nInfoccentr: Again in March 2022, a Telegram channel “Infoccentr” was created that has engaged in the\r\nsame spectrum of activities, including crowdsourced DDoS attacks, leaks of stolen data, and drawing\r\nattention to victims of CADDYWIPER operations.\r\nFree Civilian: Starting in February 2022, a self-proclaimed pro-Russian hacktivist persona “Free Civilian”\r\nclaimed responsibility for a series of government website defacements and advertised stolen documents for\r\nsale, using identical defacement images from the January PAYWIPE and SHADYLOOK wiper campaign.\r\nThe persona resurfaced on Telegram on the anniversary of the invasion to claim additional defacements\r\nand leak alleged stolen documents.\r\nFigure 9: Select hacktivist personas co-opted by the GRU since 2014\r\nConclusions\r\nThe GRU’s disruptive operations in Ukraine have 
revealed a series of tactical choices Russia’s military has made\r\nto achieve its wartime information confrontation objectives. These adaptations have helped the GRU balance\r\ndifferent strategic priorities for espionage and attack and integrate its cyber and information operations\r\ncapabilities into a unified, repeatable playbook that could be used across multiple distinct Russian threat clusters.\r\nMany of the components of the GRU’s disruptive playbook are not new. They have been historically used in\r\ndifferent ways. But in Ukraine, they have been uniquely combined and tailored to meet the requirements of\r\noperating at scale in a fast-paced and highly contested wartime environment while avoiding detection. As this\r\nplaybook has almost certainly been purpose-built for Russia’s invasion, we judge that these specific tactical\r\nadaptations may be mirrored in future crises and conflict scenarios where requirements to support high volumes of\r\ndisruptive cyber operations are also present.\r\nIt is important to note that this playbook is not wholly unique to Russia’s war in Ukraine. Financially motivated\r\nransomware operations also follow a similar playbook, abusing vulnerabilities in edge infrastructure for initial\r\naccess, living off the land, and modifying GPOs to spread and execute their malware. We believe that the\r\nconvergent use of these tactics is likely driven by a common desire to reduce the breakout time from initial access\r\nto malware delivery and to maximize the disruptive effect in a target environment. Consequently, preparations to\r\nmonitor, detect, and respond to the TTPs used in Russia’s wartime cyber playbook will have transferable benefits\r\nfor defending against tradecraft commonly used by ransomware groups as well.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/gru-disruptive-playbook",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/gru-disruptive-playbook"
	],
	"report_names": [
		"gru-disruptive-playbook"
	],
	"threat_actors": [
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434481,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e67cd23f1708d2cafdcbe66cceb161e03ca39049.pdf",
		"text": "https://archive.orkl.eu/e67cd23f1708d2cafdcbe66cceb161e03ca39049.txt",
		"img": "https://archive.orkl.eu/e67cd23f1708d2cafdcbe66cceb161e03ca39049.jpg"
	}
}