Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm

Google and Mandiant identify Russia-linked Sandworm — now tracked as APT44 — as a versatile, state-sponsored actor that conducts destructive wiper attacks, espionage, and influence operations to support Russian military and political objectives. The group has combined disruptive tooling (e.g., NotPetya-style attacks) with targeted intelligence collection such as exfiltrating communications from captured mobile devices. #APT44 #NotPetya

Key points

  • APT44 (Sandworm/FROZENBARENTS) is a Russian military‑sponsored actor conducting integrated sabotage, espionage, and influence operations.
  • The group has used disruptive wiper malware to target critical infrastructure, including historic attacks on Ukraine’s energy grid and the NotPetya campaign.
  • Operational focus has shifted from wide disruption toward intelligence collection to support Russian conventional forces, including exfiltrating data from captured mobile devices for targeting.
  • APT44 coordinates cyber effects with kinetic operations at times, aiming to achieve combined military objectives.
  • The actor presents a global threat beyond Ukraine, including potential election interference and political signaling operations.
  • Defensive measures and community protections include Safe Browsing domain takedowns, victim notifications, Chronicle detection rules, and a VirusTotal collection of IOCs.

MITRE Techniques

  • [T1485] Data Destruction – Use of wiper malware to disrupt systems and infrastructure; [‘Through the use of disruptive cyber tools, such as wiper malware designed to disrupt systems, APT44 has sought to impact a wide range of critical infrastructure sectors.’]
  • [T1486] Data Encrypted for Impact – Deployment of destructive/impactful malware in high‑profile campaigns (e.g., NotPetya) to cause widespread disruption; [‘the global NotPetya attack timed to coincide with Ukraine’s Constitution Day in 2017’]
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of communications and collected data from captured mobile devices to support battlefield targeting and processing; [‘one long-running APT44 campaign has assisted forward-deployed Russian ground forces to exfiltrate communications from captured mobile devices in order to collect and process relevant targeting data.’]
  • [T1566] Phishing/Spearphishing – Influence and interference efforts that likely employ targeted social engineering to affect political processes and elections; [‘Sandworm’s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near-term.’]
  • [T1583] Acquire Infrastructure – Use and management of websites and domains for operations and C2 infrastructure, prompting defenders to add identified domains to blocklists; [‘Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation.’]

Indicators of Compromise

  • [Malware names] APT44 disruptive tooling – NotPetya, generic “wiper malware” referenced as used against infrastructure and for destructive campaigns.
  • [Domains/websites] Operational infrastructure – the article refers to “identified websites and domains” used by APT44 but lists no specific malicious domains; it states that these were added to Safe Browsing and included in the VirusTotal collection.
  • [IOCs/Collections] Published indicator repositories – a VirusTotal Collection and the Mandiant report contain IOCs and hunting rules (the article does not publish raw hashes or IPs inline; see the referenced collections for details).

APT44’s technical operations show two dominant patterns: (1) deliberate, high‑impact destructive activity using wiper/impact malware to deny operations across critical sectors, and (2) targeted intelligence collection that directly supports kinetic operations. The group has deployed destructive tooling in coordinated campaigns (NotPetya and multiple energy‑grid wipers), and has since shifted from the large-scale sabotage seen earlier in the conflict toward more focused espionage, including exfiltrating communications from captured mobile devices to provide timely targeting data to forward units.

From an operational-security and detection standpoint, defenders should prioritize detection and containment of destructive payloads (monitor for data‑destruction indicators and unusual mass file encryption/wipe activity), secure and monitor mobile device ingestion/exfiltration channels (including forensic extraction pathways and C2 telemetry), and hunt for infrastructure patterns tied to APT44 (malicious domains, C2 beacons). Google and Mandiant have published mitigations and detection content: affected domains are added to Safe Browsing, Chronicle rule packs and Applied Threat Intelligence entries were released for enterprise customers, a VirusTotal collection of APT44 indicators is available, and the Mandiant report includes a list of malware used since 2018 plus hunting rules and Security Validation actions to test defenses.
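One way to implement the “unusual mass file encryption/wipe activity” monitoring recommended above, as an added example that is not part of the report or of Google’s published detection content: a sliding-window rate detector run over constructed file-activity events. Host names, process names, paths, the log line format and the thresholds are all assumptions chosen for illustration.

```python
"""Rate-based detector for mass file wipe/encrypt activity (T1485/T1486).
Added example, not from the Google/Mandiant report: it scans constructed
file-activity events and flags any process that touches more than THRESHOLD
distinct files destructively inside a sliding WINDOW_SECONDS window, i.e.
the "unusual mass file encryption/wipe activity" the text says to monitor."""
from collections import defaultdict, deque
from typing import NamedTuple

DESTRUCTIVE_ACTIONS = {"delete", "overwrite", "rename"}
THRESHOLD = 5        # distinct files per window before alerting (assumed, tunable)
WINDOW_SECONDS = 10  # sliding window length in seconds (assumed, tunable)

class Event(NamedTuple):
    ts: int        # epoch seconds
    host: str
    process: str
    action: str
    path: str

def parse_event(line: str) -> Event:
    """Parse one constructed log line: '<ts> <host> <process> <action> <path>'."""
    ts, host, process, action, path = line.split(maxsplit=4)
    return Event(int(ts), host, process, action, path)

def detect_mass_destruction(lines):
    """Return {(host, process): ts_of_first_alert} for offending processes."""
    windows = defaultdict(deque)  # (host, process) -> deque of (ts, path)
    alerts = {}
    for ev in sorted((parse_event(ln) for ln in lines), key=lambda e: e.ts):
        if ev.action not in DESTRUCTIVE_ACTIONS:
            continue
        key = (ev.host, ev.process)
        q = windows[key]
        q.append((ev.ts, ev.path))
        while ev.ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if len({p for _, p in q}) > THRESHOLD and key not in alerts:
            alerts[key] = ev.ts
    return alerts

# Constructed telemetry: an editor rewriting one file, a slow housekeeping
# job, and one process overwriting six distinct files in six seconds.
SAMPLE_LOG = [
    "1000 ws01 editor.exe overwrite C:\\docs\\notes.txt",
    "1003 ws01 editor.exe overwrite C:\\docs\\notes.txt",
    *[f"{2000 + 30 * i} ws02 cleanup.exe delete /var/log/old{i}.log" for i in range(6)],
    *[f"{1100 + i} ws01 svc.exe overwrite C:\\share\\f{i}.docx" for i in range(6)],
]
```

Only the burst of distinct-file overwrites trips the detector; the repeated edits to one file and the slow, spread-out deletions do not, which is the distinction that keeps a wiper alert from firing on routine activity.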

Read more: https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm/