Russian Sandworm Hacking Team Expands Reach

Russian Cyber Sabotage Unit Sandworm Adopting Advanced Techniques

Mandiant has newly designated the Russian military intelligence hacking team known as Sandworm as APT44. Russia’s preeminent cyber sabotage unit presents “one of the widest and high severity cyber threats globally” because of its advanced capabilities and its record of disrupting critical infrastructure sectors around the world, a new report warns.

Sandworm is the cyberwarfare division of Russia’s military intelligence service. It’s a “flexible instrument of power capable of servicing Russia’s wide-ranging national interests and ambitions,” said Mandiant. The Google-owned threat intelligence firm recently published findings warning that the group’s operations run the gamut from traditional phishing to Trojanized software installers. (Why is it always phishing?)

Sandworm primarily targets organizations with multi-pronged attacks. It’s responsible for nearly all of the destructive cyberattacks in Ukraine over the past decade. Despite its heavyweight status, the group has been judicious about deploying its most advanced — and likely most costly — tools, preferring lightweight and expendable tooling, including a variety directed at lower-level targets.

Like its Chinese counterparts, Sandworm likely relies on an ecosystem of private sector contractors and talent culled from the criminal underground — and that reliance extends to using criminal bulletproof hosting infrastructure and tools.

The group’s ambitions have long been global: past attacks include a 2016 hack against the Democratic National Committee, the 2017 NotPetya wave of encrypting malware, and the 2018 unleashing of malware known as Olympic Destroyer, which disrupted the Winter Olympics in South Korea.

The group has recently turned to mobile devices and networks.

Sandworm frequently gains an initial foothold in systems by exploiting edge infrastructure such as routers and virtual private network appliances, and it has continued to use Trojanized software installers to gain opportunistic access to potential targets of interest.

“Despite its bias for action and emphasis on psychological effect, APT44 has shown itself to be patient, resourceful, and able to remain undetected for long periods of time in victim environments,” the researchers said.

If you have questions about the evolving IT threat landscape and how to ensure your organization is prepared, call ITPAC today.