Mandiant formally pins Sandworm cyber attacks on APT44 group

Why now?

Cyber security experts tend to be unanimous that attribution is a complex beast that requires intense research and evaluation of the evidence. This holds true even when a specific group’s activities are well known in the security community, and extensively documented in blog posts, research papers and in the media.

If there is even a slight degree of doubt over the evidence available, it can be extremely unhelpful, even unwise, to firmly attribute any cyber campaign to a known individual or group, even if well intentioned. To do so can cause problems for defenders who may mistakenly go chasing the wrong thing, and invites other, unintended consequences. It may even upset threat actors, who are notoriously self-obsessed and thin-skinned, and cause them to lash out in unforeseen ways.

As such, it has not really been possible to make confident statements on Sandworm’s precise nature up to now for a number of reasons – among them talk of operational overlap between APT44 and other groups such as APT28 (aka Fancy Bear) – which does indeed “sit across the corridor” under the auspices of the GTsST’s Unit 26165 (the two operations have likely worked together on a number of high-profile campaigns, according to Mandiant).

But by giving it a formal and confident designation, Mandiant said it will be easier for defenders globally to identify and track its activity, sharing intelligence more appropriately in the hope of thwarting the group’s goals.

Why should they need to do so? Because, said Mandiant, the threat posed by APT44 is far from limited to Ukraine. APT44 operations have been observed around the world, and given the group has a history of interfering in democratic processes, its threat potential is highly elevated in 2024 given the number of elections taking place that are likely to be targeted for Russian interference.

Indeed, Mandiant describes APT44 as a persistent and high-severity threat both to governments and operators of critical national infrastructure in states where Russia perceives it has a national interest, the UK included. APT44, with its advanced capabilities, high risk tolerance and mandate to support the Kremlin’s foreign policy goals, places such organisations at risk of falling into its clutches with little to no notice.

Added to this, Mandiant said APT44 represents a significant proliferation risk for new cyber attack tactics, techniques and procedures, lowering the barrier of entry for both state-backed and financially motivated threat actors to develop their own campaigns.

Looking ahead, the researchers said APT44 would “almost certainly” continue to represent one of the widest and highest cyber threats globally for the foreseeable future. Its history of involvement with some of the most widely known cyber attacks of the past decade suggests “no limit to the nationalist impulses” feeding its operations.

And just because it has been tied up in Ukraine does not mean it will not pivot to the UK and US if its paymasters feel doing so is warranted. The upcoming showdowns between Rishi Sunak and Keir Starmer and Joe Biden and Donald Trump may well draw its attention.

“The threat from APT44 does not end at Ukraine’s borders,” said Black. “Despite the ongoing war, we continue to see APT44 operations globally. We’ve seen the group experiment with using ransomware against transportation and logistics networks in Europe.

“And with a number of pivotal elections on the horizon, some of which will shape the trajectory of future Western military aid to Ukraine, APT44’s history of attempting to interfere in democratic processes means vigilance around this group is of utmost importance,” he said.

“What history tells us about APT44 is that its bias for action in service of the Kremlin’s whims means organisations around the world are at risk of falling into the group’s sights on short notice. This is a globally salient threat for which we all must be prepared.”