Russia's Sandworm Upgraded to APT44 by Google's Mandiant
Mandiant has confirmed that Sandworm is responsible for many cyber-attacks against Ukraine has close ties with a Russian hacktivist group
Coverage of incidents attributed to Sandworm, with analysis of infrastructure, disruption, and defensive guidance for organizations.
Search across headline titles and summaries.
Background for this topic.
Sandworm is a name used for an intrusion set associated in public reporting and government assessments with Russia’s GRU, although such attribution remains subject to evidence and revision. Reporting has linked the group to disruptive operations including attacks affecting Ukrainian power distribution and the 2017 NotPetya outbreak, which spread through a compromised software-update channel and caused extensive operational damage. The activity tracked under this name has included destructive malware, denial-of-service attacks, and exploitation of vulnerable systems.
For defenders, the key risk is that an intrusion can progress from access to disruption rather than simple data theft. Priorities include rapidly patching internet-facing and edge systems, enforcing multifactor authentication and least privilege, segmenting critical networks, and maintaining offline, tested backups with restoration procedures. Threat intelligence on reported Sandworm infrastructure and malware can support detection and scoping, but indicators should complement—rather than replace—behavioral monitoring and sound vulnerability-management and incident-response practices.
Mandiant has confirmed that Sandworm is responsible for many cyber-attacks against Ukraine has close ties with a Russian hacktivist group
Water tank overflowed during one system malfunction, says Mandiant The Russian military's notorious Sandworm crew was likely behind cyberattacks on US and European water plants that, in at least one case, caused a tank to overflow.…
The Sandworm hacking group associated with Russian military intelligence has been hiding attacks and operations behind multiple online personas posing as hacktivist groups. [...]
A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022
Russian Cyber Sabotage Unit Sandworm Adopting Advanced Techniques, Mandiant WarnsRussia's preeminent cyber sabotage unit presents "one of the widest and high severity cyber threats globally," warned Mandiant in a Wednesday report. Mandiant newly designated Sandworm as APT44 to differentiate it from another hacking unit it will still track as APT28.
But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google's Mandiant.
Kapeka Shows Similarities to Russian GRU Hacking Group's GreyEnergy MalwareLikely Russian military intelligence hackers known as Sandworm since at least mid-2022 have deployed a new and highly flexible back door against Eastern European targets, warn security researchers. Security firm WithSecure dubs the backdoor "Kapeka."
WithSecure researchers said it is likely Russian state group Sandworm has added a novel backdoor dubbed ‘Kapeka’ to its arsenal