APT44 Intelligence Assessment

[+] Status: Published [+] Origin: Cyber Intelligence Course [+] Date: 2025.10
>> TECH_STACK:
[Threat Intelligence][MITRE ATT&CK][Malware Analysis][OSINT]

Advanced Persistent Threat 44 (APT44), also known as Sandworm, is a highly active and operationally mature Russian state-sponsored threat actor formally attributed to Unit 74455 of the GRU. It functions as a versatile instrument for the Kremlin, conducting a full spectrum of espionage, attack, and influence operations to support Russia's national interests, aid military efforts, and undermine democratic processes globally. While Ukraine has been the primary focus of its most destructive attacks over the past decade, APT44 maintains a global mandate targeting government, defense, and energy sectors worldwide.

CRITICAL THREAT

APT44 / Sandworm

Unit:          GRU Unit 74455
Sponsor:       Russian Federation
Type:          State-Sponsored APT
Active Since:  2014 - Present
Severity:      Critical

APT44 utilizes various front personas embedded within the pro-Russian Telegram ecosystem to amplify its influence operations and publicly claim disruptive acts for psychological impact:

Persona        Full Name                      Attribution Confidence
CARR           Cyber Army of Russia Reborn    High
XakNet Team    XakNet Team                    Moderate
Solntsepek     Solntsepek                     Moderate

APT44 maintains a broad, global targeting mandate. Ukraine remains the primary focus due to Russia's geopolitical goals, but operations extend to North America, Europe, the Middle East, Central Asia, and Latin America.

Sector              Priority   Regions
Government          HIGH       Ukraine, NATO, Global
Defense             HIGH       Ukraine, Europe, US
Energy / CIKR       HIGH       Ukraine, Europe, US
Telecommunications  HIGH       Ukraine, Global
Media               MEDIUM     Global
Civil Society       MEDIUM     Global

APT44 has been responsible for some of the most destructive cyber attacks in history, particularly targeting critical infrastructure:

Year   Operation                      Target                  Impact
2015   Ukraine Power Grid Attack      Prykarpattyaoblenergo   230,000 without power
2016   Ukraine Power Grid Attack II   Ukrenergo               Industroyer deployment
2017   NotPetya                       Global                  $10B+ damages worldwide
2018   Olympic Destroyer              Pyeongchang Olympics    IT systems disrupted
2022   Viasat Attack                  KA-SAT                  AcidRain wiper, EU outages
2023   Kyivstar Attack                Ukraine Telecom         24M subscribers affected

APT44 follows a highly flexible playbook designed to bypass best-practice defenses, emphasizing scalability and minimizing forensic evidence. Its methodology proceeds through five key phases:

1. Living on the Edge (Initial Access)
   Edge Infrastructure Exploitation, Phishing & Credential Harvesting, Supply Chain Compromise, Vulnerability Exploitation
2. Living off the Land (Recon & Lateral Movement)
   LOTL Techniques, GPO Abuse, Scheduled Tasks, Credential Dumping
3. Going for the GPO (Persistence & Privilege Escalation)
   Custom Backdoors, C2 Frameworks, Web Shells, Tunnelers
4. Disrupt and Deny (Attack & Sabotage)
   Wiper Malware, ICS/OT Disruption, Operational Coordination, Mobile Espionage
5. Telegraphing Success (Influence Operations)
   Hack-and-Leak, HMI Manipulation Claims, Narrative Amplification, DDoS Campaigns

APT44 utilizes a diverse and adaptive arsenal emphasizing a "low-equity" approach, frequently prioritizing open-source or commodity tools over proprietary custom implants. For destructive operations it deploys a range of wiper malware, alongside the backdoors and frameworks used for access and control (MITRE ATT&CK software IDs shown):

Tool            MITRE ID   Type
CADDYWIPER      S0693      Wiper
INDUSTROYER     S0604      ICS Framework
NotPetya        S0368      Wiper/Pseudo-Ransomware
NEARMISS        S0697      MBR Wiper
AcidRain        S1125      Wiper
CYCLOPS BLINK   S0649      Framework
BLACKENERGY     S0089      Backdoor
Cobalt Strike   S0154      Framework

APT44/Sandworm is a Russian GRU state-sponsored group conducting a full spectrum of cyber espionage, destructive attacks, and influence operations. Active for the past decade, APT44's primary focus is Ukraine, but it maintains a global mandate targeting government, defense, and critical infrastructure in North America and Europe.

The group is expected to continue operations to support the Kremlin's geopolitical objectives, provide tactical advantage for the Russian military, and undermine democratic processes worldwide. It typically gains access by exploiting edge infrastructure and by phishing, then moves laterally using Living-off-the-Land techniques before deploying destructive wipers such as CADDYWIPER and NotPetya.

Recommended Mitigations:
  • Patch edge infrastructure (routers, VPN appliances) immediately
  • Segment IT and OT networks with strict access controls
  • Deploy EDR solutions capable of detecting LOTL-based TTPs
  • Monitor for GPO abuse and scheduled task anomalies
  • Implement robust backup strategies isolated from production networks
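As an added example (not part of the course report or of any vendor's tooling), the following Python script shows what "monitor for GPO abuse and scheduled task anomalies" looks like as detection logic, covering the GPO abuse and scheduled task tradecraft listed in the playbook phases above. It triages constructed Windows Security events for two signals: scheduled task creation (Event ID 4698, whose TaskContent field carries the task definition XML) and modification of Group Policy container objects (Event ID 5136). The CORP domain, the account allow-lists, the GPO GUID placeholder and the sample events are all assumptions made for the example; the ATT&CK technique IDs T1053.005 and T1484.001 are real.

```python
"""Triage constructed Windows Security events for scheduled-task and GPO anomalies."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed allow-lists (placeholders, not values from the assessment): accounts that are
# expected to create scheduled tasks or edit Group Policy in this environment.
TASK_ADMINS = {"CORP\\svc-sched", "CORP\\it-ops"}
GPO_ADMINS = {"CORP\\gpo-admin"}

# Signed Windows binaries frequently abused in living-off-the-land tradecraft, and
# staging directories a legitimate task action should rarely point into.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
SUSPICIOUS_PATH = re.compile(r"\\(temp|programdata|users\\public|perflogs)\\|\\appdata\\", re.I)

# Namespace of the Task Scheduler XML carried in the TaskContent field of Event ID 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


@dataclass
class Finding:
    event_id: int
    technique: str   # MITRE ATT&CK technique ID the signal maps to
    account: str
    subject: str     # scheduled task name or GPO distinguished name
    reasons: list


def task_actions(task_xml):
    """Return the (command, arguments) pairs from a task definition's <Actions><Exec> entries."""
    root = ET.fromstring(task_xml)
    pairs = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
        pairs.append((cmd, args))
    return pairs


def triage_task_created(ev):
    """Event ID 4698: a scheduled task was created (ATT&CK T1053.005)."""
    account = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
    reasons = []
    if account not in TASK_ADMINS:
        reasons.append(f"created by non-allow-listed account {account}")
    for cmd, args in task_actions(ev["TaskContent"]):
        exe = cmd.strip('"').rsplit("\\", 1)[-1].lower()
        if exe in LOLBINS:
            reasons.append(f"action launches LOLBin {exe}")
        if SUSPICIOUS_PATH.search(f"{cmd} {args}"):
            reasons.append("action references a staging directory")
    return Finding(4698, "T1053.005", account, ev["TaskName"], reasons) if reasons else None


def triage_gpo_modified(ev):
    """Event ID 5136: directory object modified; only GPO containers matter here (T1484.001)."""
    if ev.get("ObjectClass") != "groupPolicyContainer":
        return None
    account = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
    attr = ev.get("AttributeLDAPDisplayName", "")
    reasons = []
    if account not in GPO_ADMINS:
        reasons.append(f"GPO edited by non-allow-listed account {account}")
    if attr.lower() == "gpcmachineextensionnames":
        # This attribute lists the client-side extensions a GPO applies; it changes when
        # scripts or scheduled tasks are added to the policy.
        reasons.append("machine client-side extension list changed")
    return Finding(5136, "T1484.001", account, ev["ObjectDN"], reasons) if reasons else None


HANDLERS = {4698: triage_task_created, 5136: triage_gpo_modified}


def triage(events):
    """Run every event through the handler for its ID and return the list of findings."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        finding = handler(ev) if handler else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (field names follow the Windows Security log; values are made up).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/nightly</Arguments></Exec>
  </Actions>
</Task>"""
STAGED_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\ProgramData\drv.dll,#1</Arguments></Exec>
  </Actions>
</Task>"""
GPO_DN = "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectDomainName": "CORP", "SubjectUserName": "svc-sched",
     "TaskName": "\\Backup\\Nightly", "TaskContent": BENIGN_TASK},
    {"EventID": 4698, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TaskName": "\\Updater", "TaskContent": STAGED_TASK},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.technique} {f.account} {f.subject}: " + "; ".join(f.reasons))
```

Run as-is, the script flags the `\Updater` task (non-allow-listed creator, rundll32.exe action, payload under ProgramData) and the gPCMachineExtensionNames change made by a non-GPO-admin, while the backup task and the versionNumber bump by the allow-listed administrator pass silently. In a real deployment the events come from the SIEM or EVTX export rather than an inline list, the allow-lists should be derived from a baseline of who actually performs these actions, and Event ID 5136 only appears when Directory Service Changes auditing is enabled and a SACL is set on the Policies container, so the logging prerequisite is itself part of the mitigation.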

The complete intelligence assessment report with detailed technical analysis, full malware catalog, and comprehensive source citations: