
G0034

APT44

Aliases: Sandworm · Sandworm Team · Voodoo Bear · Iron Viking · Telebots · ELECTRUM · BE2 APT · IRIDIUM · FROZENBARENTS · Seashell Blizzard

🔴 Active Campaign
State-sponsored · Capability: High · Russian GRU Unit 74455 (Main Centre for Special Technologies / GTsST) / Russia · Rating: B2
Cut-off: May 12, 2026 · TLP:AMBER

Diamond Model

A1 · B2 · A1 · A1

Adversary

GRU Unit 74455 (GTsST) · Russia · Active since ~2014

Infrastructure

Compromised edge devices · ORB relays · Tor · Hacktivist front personas

Victim

Energy · Telecom · Gov · Defense · ICS/OT operators

Capability

Wipers · ICS malware · LLM-generated code · Zero-day exploitation

Poland Power Grid Attack — Dec 2025

Motive & Objectives

Sabotage / Disruption · Information Warfare · Espionage · Influence Operations · Pre-positioning

Sector Proximity

  • Global telecommunications: Telco infra hit for collection and destructive pre-positioning

  • Government / think tanks: Foreign ministries and policy orgs targeted across NATO

  • Defense technology / high-tech startups: Western defense suppliers explicit GRU collection targets

  • Higher education / research institutions: National-security-adjacent research is collateral target

  • Venture capital / investment: Exposure via portfolio companies in CI sectors only

Capability Assessment

  • Tooling: High
  • Persistence: High
  • Attribution evasion: Moderate
  • Zero-days: High

Malware Lineage

BlackEnergy · Industroyer / Industroyer2 · NotPetya · Olympic Destroyer · Cyclops Blink · VPNFilter · KillDisk · HermeticWiper · CaddyWiper · AcidRain · AcidPour · ZeroLot · DynoWiper · LazyWiper

Key TTPs (MITRE ATT&CK)

Initial Access

  • T1190 · Exploit Public-Facing Application: Edge devices, Exchange, M.E.Doc
  • T1133 · External Remote Services: VPN, RDP gateways
  • T1566.001 · Spearphishing Attachment: Maldoc, ISO/LNK delivery
  • T1195.002 · Supply Chain Compromise: Software: M.E.Doc (NotPetya)
  • T1078 · Valid Accounts: Stolen creds from edge devices

Execution

  • T1059.001 · Command and Scripting Interpreter: PowerShell: Encrypted scripts, in-memory
  • T1059.003 · Command and Scripting Interpreter: Windows Command Shell: Batch scripting for wiper staging

Persistence

  • T1547.001 · Registry Run Keys / Startup Folder: Standard tradecraft
  • T1053.005 · Scheduled Task/Job: Scheduled Task: Wiper triggering
  • T1542.003 · Pre-OS Boot: Bootkit: NotPetya MBR overwrite

Privilege Escalation

  • T1068 · Exploitation for Privilege Escalation: Kernel exploits

Defense Evasion

  • T1027 · Obfuscated Files or Information: Packed wipers
  • T1070.001 · Indicator Removal: Clear Windows Event Logs: Post-impact

Credential Access

  • T1003.001 · OS Credential Dumping: LSASS Memory: Mimikatz variants
  • T1110 · Brute Force: Edge device login portals

Discovery

  • T1018 · Remote System Discovery: SMB, AD enumeration
  • T1046 · Network Service Discovery: ICS protocol scanning

Lateral Movement

  • T1021.002 · Remote Services: SMB/Windows Admin Shares: NotPetya propagation
  • T1021.001 · Remote Services: Remote Desktop Protocol: Hands-on intrusion

Command and Control

  • T1071.001 · Application Layer Protocol: Web Protocols: HTTPS C2
  • T1572 · Protocol Tunneling: Tor, ORB chains

Impact

  • T1485 · Data Destruction: Core mission
  • T1561.001 · Disk Wipe: Disk Content Wipe: AcidRain, LazyWiper
  • T1561.002 · Disk Wipe: Disk Structure Wipe: HermeticWiper, NotPetya
  • T1495 · Firmware Corruption: RTU firmware (Poland 2025)
  • T0827 · Loss of Control: Industroyer, Poland 2025
  • T0826 · Loss of Availability: Defining operational impact
  • T1490 · Inhibit System Recovery: Volume shadow deletion

Victimology

  • Energy & power grid operators · Defining target set: Ukraine 2015/16, Poland 2025

  • Telecommunications & satellite providers · Viasat KA-SAT (Feb 2022); ongoing telco pre-positioning

  • Government & defense ministries · NATO foreign ministries, election infrastructure

  • Transportation & logistics · NotPetya hit Maersk, FedEx, rail operators globally

  • Water utilities · Hacktivist-fronted intrusions reported at US/EU utilities

  • Media & sport · Olympic Destroyer (2018 PyeongChang)

Geographic Focus

Ukraine (priority) · Poland · Baltic States · NATO members · United States · United Kingdom · Georgia · South Korea — excludes CIS/allies

Activity Timeline

  1. 2026-01 B2

    Microsoft + Amazon report sustained APT44 targeting of Western CI via misconfigured edge devices

    Source: Amazon Threat Intel blog

  2. 2025-12-29 C2

    Poland wind/solar farms and power plant hit with DynoWiper (HMIs) and LazyWiper (LLM-generated); RTU firmware corrupted

    Source: Barracuda Networks (Mar 2026)

  3. 2025-H2 C2

    ZeroLot wiper deployed against Ukrainian energy companies

    Source: Field Effect / Mandiant reporting

  4. 2024-04 B2

    Mandiant formally consolidates Sandworm activity as APT44

    Source: Mandiant "Unearthing APT44"

  5. 2024-03 C2

    AcidPour wiper observed against Ukrainian ISPs

    Source: SentinelOne / vendor reporting

  6. 2023+ C2

    Ongoing trojanized KMS activator espionage campaign against Ukrainian Windows users

    Source: EclecticIQ

  7. 2022-02-24 A1

    AcidRain wiper hits Viasat KA-SAT modems coincident with Russian invasion of Ukraine

    Source: CISA Advisory AA22-110A

  8. 2022-Q1 A1

    HermeticWiper, CaddyWiper, IsaacWiper waves against Ukrainian government

    Source: CISA / Mandiant

  9. 2020-10-15 A1

    US DoJ indicts six GRU Unit 74455 officers

    Source: US DoJ indictment

  10. 2018-02 A1

    Olympic Destroyer attack on PyeongChang Winter Olympics

    Source: US DoJ indictment

  11. 2017-06-27 A1

    NotPetya supply-chain wiper attack via M.E.Doc, $10B+ damage

    Source: White House attribution (2018)

  12. 2016-12 B2

    Industroyer attack on Ukrenergo causes Kyiv power outage

    Source: Dragos / ESET

  13. 2015-12-23 A2

    First Ukraine power grid attack: BlackEnergy + KillDisk affects ~225,000 customers

    Source: E-ISAC / SANS ICS report

  14. ~2014 A2

    First-generation BlackEnergy operations attributed to Unit 74455

    Source: MITRE ATT&CK G0034

Do What (Now What)

  1. Audit and harden internet-facing edge devices

    Inventory every internet-facing router, VPN concentrator, firewall, and remote-access gateway. Confirm firmware is current, default credentials are removed, management planes are off the public internet, and MFA is enforced on all administrative access. This is the dominant 2025–26 APT44 initial access vector.

  2. Hunt for destructive precursors

    Stand up detection logic for MITRE T1485 (Data Destruction), T1561 (Disk Wipe), T1495 (Firmware Corruption), unusual MBR or bootloader writes, anomalous volume shadow deletion, and large-scale LSASS access events. Treat detection of any of these in an OT-adjacent network as a Sev-1 hunt trigger.

  3. Validate offline backups and OT segmentation under realistic conditions

    Test the actual restoration of critical IT and OT systems from offline media against stated RTOs. Verify that the IT-to-OT network boundary is enforced by configuration, not just by policy or vendor assertion. Run a tabletop modeled on the Poland December 2025 attack pattern: simultaneous RTU firmware corruption plus HMI wiper deployment.

  4. Stand up an incident communications playbook for narrative warfare

    Pre-stage exec, legal, and public-affairs language for a scenario where an outage is publicly claimed by a hacktivist front persona (XakNet, CyberArmyofRussia_Reborn, Solntsepek class) used as an APT44 cutout. The narrative response window is shorter than the technical response window.

  5. Track edge-device threat intelligence as a first-class feed

    Build or subscribe to a feed covering exploited and abused enterprise edge-device CVEs, default-credential lists, and misconfiguration patterns. Treat this feed with the same operational tempo as endpoint malware signatures, not the slower quarterly cadence typical for network gear.

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
Malware family | BlackEnergy | 2014 | 2016 | HIGH
Malware family | Industroyer / Industroyer2 | 2016-12 | 2022-04 | HIGH
Malware family | NotPetya | 2017-06-27 | 2017-06-27 | HIGH
Malware family | Olympic Destroyer | 2018-02 | 2018-02 | HIGH
Malware family | VPNFilter | 2018 | 2019 | HIGH
Malware family | Cyclops Blink | 2019 | 2022-04 | HIGH
Malware family | AcidRain | 2022-02-24 | 2022-02-24 | HIGH
Malware family | HermeticWiper | 2022-02-23 | 2022-Q1 | HIGH
Malware family | CaddyWiper | 2022-03 | 2023 | HIGH
Malware family | AcidPour | 2024-03 | 2024-Q2 | HIGH
Malware family | ZeroLot | 2024-2025 | 2025-Q4 | MODERATE
Malware family | DynoWiper | 2025-12-29 | 2025-12-29 | MODERATE
Malware family | LazyWiper (LLM-generated assessed) | 2025-12-29 | 2025-12-29 | MODERATE
CVE | CVE-2014-4114 | 2014-10 | 2016 | HIGH
Indictment | 6 GRU Unit 74455 officers | 2020-10-15 | n/a | HIGH

[Data Gap: No high-confidence network IOCs (domains, IPs) published within the last 90 days that have not already been sinkholed or burned. Edge-device IOCs are deliberately not enumerated here because they are environment-specific and stale within days — see Recommendation 5 for the appropriate sourcing pattern.]

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-May-2026

APT44 (Sandworm) is the Russian GRU’s destructive cyber sabotage unit, attributed to Unit 74455 within the Main Centre for Special Technologies (GTsST) [Source: Mandiant “Unearthing APT44” report, Rating: B2]. It is the most operationally destructive nation-state actor in public reporting — responsible for the 2015 and 2016 Ukraine power grid attacks, the 2017 NotPetya supply-chain attack (assessed at $10B+ global damage), the 2018 PyeongChang Olympic Destroyer attack, and the February 2022 Viasat KA-SAT wiper attack timed to Russia’s invasion of Ukraine [Source: CISA Advisory AA22-110A, Rating: A1]. As of late 2025 the group has pivoted from N-day software exploitation toward misconfigured network edge devices as the primary initial access vector, and has begun integrating LLM-generated code into its destructive tooling [Source: Amazon Threat Intelligence (Jan 2026), Rating: B2; Barracuda Networks blog (Mar 2026), Rating: C2].

Overall Assessment: [Confidence: HIGH]

Identity and Attribution

The canonical Mandiant designation is APT44, adopted in April 2024 to consolidate previously fragmented activity clusters that had been tracked under “Sandworm Team,” “FROZENBARENTS,” and several adjacent labels [Source: Mandiant report (Apr 2024), Rating: B2]. The group operates across vendor naming conventions as Sandworm (open-source/Dragos), Voodoo Bear (CrowdStrike), Iron Viking (SecureWorks), Telebots (ESET), ELECTRUM (Dragos, ICS-focused subset), BE2 APT (early BlackEnergy era), IRIDIUM and Seashell Blizzard (Microsoft), and FROZENBARENTS (Mandiant pre-consolidation) [Source: MITRE ATT&CK G0034, Rating: A2].

Attribution is to Russian GRU Unit 74455, the Main Centre for Special Technologies (GTsST), based at 22 Kirova Street, Khimki, Moscow Oblast. Six GRU officers from Unit 74455 were indicted by the US Department of Justice in October 2020 in connection with NotPetya, the 2017 French election interference, the 2018 PyeongChang Olympics attack, and the 2015–16 Ukraine power grid attacks [Source: US DoJ indictment (Oct 2020), Rating: A1]. The group is assessed as a sister unit to APT28 (Fancy Bear / GRU Unit 26165), with APT44 specializing in disruptive and destructive operations while APT28 emphasizes traditional espionage [Confidence: HIGH].

Motive and Objective

APT44’s defining motive is sabotage and disruption in support of Russian state interests, distinguishing it from espionage-focused peers. Concrete objectives observed in the last five years: (1) degrade Ukrainian wartime capacity and morale through attacks on power, telecom, and financial systems; (2) punish Western states materially supporting Ukraine through attacks on European and US critical infrastructure; (3) erode public trust in critical services in target nations; (4) conduct influence operations and information warfare, including via hacktivist front personas (XakNet, CyberArmyofRussia_Reborn, Solntsepek); (5) pre-position destructive access on Western critical infrastructure for use at strategic inflection points [Source: Mandiant “Unearthing APT44,” Rating: B2; CISA Advisory AA22-110A, Rating: A1].

The group has also conducted espionage in support of these sabotage missions — credential theft, IT system mapping, and ICS reconnaissance — but the operational endpoint is consistently loss of availability, not data exfiltration [Confidence: HIGH].

Victimology

Targeted sectors are dominated by critical infrastructure: energy and power grid operators, telecommunications and satellite providers, government and defense ministries, transportation and logistics, water utilities, financial services, media organizations, and election infrastructure. Geographic focus prioritizes Ukraine above all others, with second-tier focus on Poland, the Baltic states, NATO members broadly, the United States, the United Kingdom, Georgia, and South Korea. Notably, APT44 targets no CIS or Russia-aligned nations — a targeting exclusion consistent with Russian nation-state attribution [Source: MITRE ATT&CK G0034, Rating: A2].

Technology stack targeting has shifted markedly. Through 2022, the group emphasized Microsoft Windows endpoint malware, Microsoft Exchange exploitation, and SOHO router compromise (VPNFilter, Cyclops Blink). From 2023 onward the focus has moved to network edge devices — enterprise routers, VPN concentrators, firewalls, remote access gateways — and to ICS/OT infrastructure including RTUs, HMIs, and serial gateways [Source: Field Effect (2026), Rating: C2; Microsoft / Amazon joint reporting (Jan 2026), Rating: B2].

Named victims, where publicly disclosed: Ukrainian electric utilities Prykarpattyaoblenergo and Kyivoblenergo (2015), Ukrenergo (2016); Maersk, FedEx, Merck, Mondelez, Reckitt Benckiser (2017 NotPetya collateral); PyeongChang Olympics organizing committee (2018); Viasat KA-SAT (2022); and multiple Polish wind and solar farms plus a Polish power plant (December 2025) [Source: CISA Advisory AA22-110A, Rating: A1; Barracuda Networks (Mar 2026), Rating: C2 — Single-source for Poland Dec 2025 attribution].

Sector Proximity Assessment:

  • Global telecommunications: Direct — APT44 routinely compromises telco infrastructure as both intelligence collection and destructive pre-positioning; the Viasat KA-SAT attack remains the defining example of telecom-sector targeting timed to military operations.
  • Defense technology / high-tech startups: Direct — Western defense suppliers and dual-use technology vendors are explicit GRU collection targets supporting the Russian war effort and broader military modernization objectives.
  • Government / think tanks: Direct — NATO foreign ministries, policy institutions, and election infrastructure have been targeted for influence operations across more than a decade.
  • Higher education / research institutions: Adjacent — engineering and policy research with national-security ties (energy, telecom, defense) are collateral collection targets, particularly where Ukraine-related work is conducted.
  • Venture capital / investment: Low — no direct targeting pattern observed; exposure exists only through portfolio companies operating in critical infrastructure sectors.

Capability Assessment

Rating: High [Confidence: HIGH]

APT44 demonstrates the indicators of a top-tier nation-state actor across every measurable dimension. Custom malware breadth is unrivaled in the destructive category — at least 14 distinct named families spanning ICS-specific tooling (BlackEnergy, Industroyer, Industroyer2), Windows wipers (KillDisk, HermeticWiper, CaddyWiper, ZeroLot, DynoWiper, LazyWiper), Linux/firmware wipers (AcidRain, AcidPour), supply-chain payloads (NotPetya, Olympic Destroyer), router implants (VPNFilter, Cyclops Blink), and bootkits [Source: MITRE ATT&CK G0034, Rating: A2]. Zero-day exploitation is confirmed across multiple campaigns, including the 2014 CVE-2014-4114 zero-day used to deliver BlackEnergy and ongoing exploitation of edge-device flaws [Source: CISA Advisory AA22-110A, Rating: A1].

Dwell time routinely exceeds six months, with multi-year persistence demonstrated on satellite ground systems and ICS environments. Operational security is moderate — the group’s reliance on hacktivist front personas provides plausible deniability but the underlying tradecraft is well-fingerprinted, which is why community attribution has been consistent across vendors. The group is assessed to have dedicated infrastructure, dedicated developer resources, and access to GRU SIGINT and HUMINT support pipelines [Confidence: HIGH].

A notable 2025 capability inflection: researchers assess that LazyWiper, deployed in the December 2025 Poland attack, was likely generated using an LLM. The wiper overwrites files in an inefficient pattern characteristic of generated code, and its co-deployment with the more sophisticated DynoWiper suggests deliberate use of AI to mass-produce wiper variants and increase incident-response burden [Source: Barracuda Networks (Mar 2026), Rating: C2; Single-source].

Modus Operandi

Key Campaigns

  • 2015–2016 Ukraine power grid attacks — BlackEnergy followed by Industroyer caused cascading outages affecting ~225,000 customers; first publicly confirmed cyberattack to cause physical power disruption.
  • 2017 NotPetya — Supply-chain compromise of Ukrainian accounting software M.E.Doc seeded a wormable destructive payload masquerading as ransomware; global collateral damage assessed at $10B+ [Source: White House attribution statement (Feb 2018), Rating: A1].
  • 2018 PyeongChang Olympic Destroyer — Sophisticated wiper attack against the Olympics opening ceremony, with deliberate false-flag indicators pointing to North Korean Lazarus Group [Source: US DoJ indictment, Rating: A1].
  • 2022 Viasat KA-SAT (AcidRain) — Wiper deployed to satellite modems immediately before the Russian invasion of Ukraine, disrupting Ukrainian military comms and tens of thousands of European customers [Source: CISA Advisory AA22-110A, Rating: A1].
  • 2022–2023 HermeticWiper / CaddyWiper / AcidPour — Multiple wiper waves against Ukrainian government and ISP targets paralleling kinetic operations.
  • 2023–present trojanized KMS activator campaign — Espionage operation targeting Ukrainian Windows users via pirated Microsoft KMS activation tools and fake Windows updates [Source: EclecticIQ blog (2026), Rating: C2].
  • December 2025 Poland power infrastructure attack — On 2025-12-29, wiper samples were detected at multiple Polish wind and solar farms and a power plant; attackers uploaded corrupt firmware to RTUs and deployed DynoWiper on HMIs alongside LLM-generated LazyWiper, severing communication between generation facilities and operators [Source: Barracuda Networks (Mar 2026), Rating: C2; Single-source pending corroboration].

MITRE ATT&CK TTPs

Phase | Technique ID | Technique Name | Notes
Initial Access | T1190 | Exploit Public-Facing Application | Edge devices, Exchange, M.E.Doc
Initial Access | T1133 | External Remote Services | VPN, RDP gateways
Initial Access | T1566.001 | Spearphishing Attachment | Maldoc, ISO/LNK delivery
Initial Access | T1195.002 | Supply Chain Compromise: Software | M.E.Doc (NotPetya)
Initial Access | T1078 | Valid Accounts | Stolen creds from edge devices
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Encrypted scripts, in-memory
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Batch scripting for wiper staging
Persistence | T1547.001 | Registry Run Keys / Startup Folder | Standard tradecraft
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Wiper triggering
Persistence | T1542.003 | Pre-OS Boot: Bootkit | NotPetya MBR overwrite
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Kernel exploits
Defense Evasion | T1027 | Obfuscated Files or Information | Packed wipers
Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Post-impact
Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Mimikatz variants
Credential Access | T1110 | Brute Force | Edge device login portals
Discovery | T1018 | Remote System Discovery | SMB, AD enumeration
Discovery | T1046 | Network Service Discovery | ICS protocol scanning
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | NotPetya propagation
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Hands-on intrusion
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2
Command and Control | T1572 | Protocol Tunneling | Tor, ORB chains
Impact | T1485 | Data Destruction | Core mission
Impact | T1561.001 | Disk Wipe: Disk Content Wipe | AcidRain, LazyWiper
Impact | T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper, NotPetya
Impact | T1495 | Firmware Corruption | RTU firmware (Poland 2025)
Impact | T0827 | Loss of Control | Industroyer, Poland 2025
Impact | T0826 | Loss of Availability | Defining operational impact
Impact | T1490 | Inhibit System Recovery | Volume shadow deletion

Tools and Malware

Named families in operational use or recent history: BlackEnergy (modular Windows backdoor with ICS plugins, 2014–16 era); Industroyer and Industroyer2 (the only known malware purpose-built to attack electric grid protective relays); NotPetya (worm-propagated MBR/disk wiper masquerading as ransomware); Olympic Destroyer (worm wiper with false-flag artifacts); VPNFilter and Cyclops Blink (SOHO router and firewall implants, both subject to FBI disruption operations); KillDisk (Windows wiper paired with BlackEnergy); HermeticWiper, CaddyWiper, AcidRain, AcidPour (Ukraine-war wiper families spanning Windows, Linux, and embedded firmware); ZeroLot (purpose-built destructive tooling against Ukrainian energy companies, 2024–25); DynoWiper and LazyWiper (Poland 2025 attack — DynoWiper targets HMIs, LazyWiper assessed LLM-generated). Open-source tooling includes Cobalt Strike, Mimikatz, Impacket, and standard living-off-the-land binaries [Source: MITRE ATT&CK G0034, Rating: A2].

Infrastructure Patterns

APT44 operates a mix of dedicated and obfuscated infrastructure. C2 traffic frequently transits Tor, operational relay box (ORB) chains built from compromised consumer and SOHO devices, and bulletproof hosting providers. The group’s pivot to compromising customer edge devices — enterprise routers, VPN concentrators, remote-access gateways — serves dual purposes: initial access into victim networks, and reuse of victim infrastructure as proxy hops for follow-on operations [Source: Amazon Threat Intelligence (Jan 2026), Rating: B2]. Hacktivist front personas (XakNet, CyberArmyofRussia_Reborn, Solntsepek) are used to publicize operations, claim victims, and provide a narrative cutout layer separating GRU action from Russian state acknowledgment [Confidence: HIGH].

Activity Timeline

Date | Event | Source | Rating
2026-01 | Microsoft + Amazon report sustained APT44 targeting of Western CI via misconfigured edge devices | Amazon Threat Intel blog | B2
2025-12-29 | Poland wind/solar farms and power plant hit with DynoWiper (HMIs) and LazyWiper (LLM-generated); RTU firmware corrupted | Barracuda Networks (Mar 2026) | C2
2025-H2 | ZeroLot wiper deployed against Ukrainian energy companies | Field Effect / Mandiant reporting | C2
2024-04 | Mandiant formally consolidates Sandworm activity as APT44 | Mandiant “Unearthing APT44” | B2
2024-03 | AcidPour wiper observed against Ukrainian ISPs | SentinelOne / vendor reporting | C2
2023+ | Ongoing trojanized KMS activator espionage campaign against Ukrainian Windows users | EclecticIQ | C2
2022-02-24 | AcidRain wiper hits Viasat KA-SAT modems coincident with Russian invasion of Ukraine | CISA Advisory AA22-110A | A1
2022-Q1 | HermeticWiper, CaddyWiper, IsaacWiper waves against Ukrainian government | CISA / Mandiant | A1
2020-10-15 | US DoJ indicts six GRU Unit 74455 officers | US DoJ indictment | A1
2018-02 | Olympic Destroyer attack on PyeongChang Winter Olympics | US DoJ indictment | A1
2017-06-27 | NotPetya supply-chain wiper attack via M.E.Doc, $10B+ damage | White House attribution (2018) | A1
2016-12 | Industroyer attack on Ukrenergo causes Kyiv power outage | Dragos / ESET | B2
2015-12-23 | First Ukraine power grid attack: BlackEnergy + KillDisk affects ~225,000 customers | E-ISAC / SANS ICS report | A2
~2014 | First-generation BlackEnergy operations attributed to Unit 74455 | MITRE ATT&CK G0034 | A2

Forecast, Implications, and Recommendations

What Next (Forecast)

Continued targeting of European power and telecom infrastructure through 2026, with destructive payloads timed to political or military inflection points [Confidence: HIGH — based on a decade of consistent operational pattern]. Further tactical migration from N-day software exploitation toward edge-device misconfiguration and stolen credentials as the dominant initial access vector [Confidence: HIGH — corroborated by Microsoft, Amazon, and Mandiant reporting in Q1 2026]. Expanded use of LLM-generated wiper variants to mass-produce destructive tooling and overwhelm incident response queues; expect commoditization of “good enough” wiper code [Confidence: MODERATE — single-source attribution for LazyWiper LLM origin, but pattern is technically plausible and economically rational]. Elevated probability of pre-positioned destructive access in US critical infrastructure activated at strategic inflection points if Western support for Ukraine intensifies materially [Confidence: MODERATE — pre-positioning behavior observed; activation triggers are inference].

So What (Implications)

APT44 is the destructive nation-state actor most likely to translate geopolitical escalation into operational impact rather than intelligence loss. Unlike espionage-focused peers, the operational endpoint is availability loss — which inverts the usual defensive priority stack. Backup integrity, recovery time objectives, OT segmentation, and incident communications matter more than DLP, exfiltration detection, or data classification. Sandworm operations also carry a geopolitical messaging payload: a victim is not only a target but a signal to a broader policy audience, which means executive leadership and public affairs functions are part of the response surface, not just IT and OT.

For organizations in the directly proximate sectors (telecommunications, defense technology, government), the realistic planning question is not “will we be targeted” but “has the adversary already pre-positioned in our environment.” The 2024–25 pivot to edge-device misconfiguration makes that pre-positioning cheap and high-yield for the adversary, and harder to detect than software exploitation.

Now What (Recommendations)

  1. Audit and harden internet-facing edge devices — Inventory every internet-facing router, VPN concentrator, firewall, and remote-access gateway. Confirm firmware is current, default credentials are removed, management planes are off the public internet, and MFA is enforced on all administrative access. This is the dominant 2025–26 APT44 initial access vector.
  2. Hunt for destructive precursors — Stand up detection logic for MITRE T1485 (Data Destruction), T1561 (Disk Wipe), T1495 (Firmware Corruption), unusual MBR or bootloader writes, anomalous volume shadow deletion, and large-scale LSASS access events. Treat detection of any of these in an OT-adjacent network as a Sev-1 hunt trigger.
  3. Validate offline backups and OT segmentation under realistic conditions — Test the actual restoration of critical IT and OT systems from offline media against stated RTOs. Verify that the IT-to-OT network boundary is enforced by configuration, not just by policy or vendor assertion. Run a tabletop modeled on the Poland December 2025 attack pattern: simultaneous RTU firmware corruption plus HMI wiper deployment.
  4. Stand up an incident communications playbook for narrative warfare — Pre-stage exec, legal, and public-affairs language for a scenario where an outage is publicly claimed by a hacktivist front persona (XakNet, CyberArmyofRussia_Reborn, Solntsepek class) used as an APT44 cutout. The narrative response window is shorter than the technical response window.
  5. Track edge-device threat intelligence as a first-class feed — Build or subscribe to a feed covering exploited and abused enterprise edge-device CVEs, default-credential lists, and misconfiguration patterns. Treat this feed with the same operational tempo as endpoint malware signatures, not the slower quarterly cadence typical for network gear.
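Recommendation 2 asks for hunt logic over the destructive-precursor classes (recovery inhibition, raw disk-structure access, large-scale LSASS reads) with Sev-1 escalation on OT-adjacent hosts; the following is an added illustration of that logic, not code from the profile or any vendor. It assumes host telemetry already normalised into the Event records below (the event kinds, field names, allowlist and sample records are this example's own constructed conventions), and it generalises the OT-adjacency rule with a fleet-wide threshold for the LSASS case.

```python
"""Hunt logic for the destructive-precursor classes in Recommendation 2 (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    kind: str                # "process_create" | "raw_device_open" | "process_access" (assumed schema)
    image: str = ""          # source process image path
    command_line: str = ""   # process_create only
    target: str = ""         # device path (raw_device_open) or target image (process_access)
    granted_access: int = 0  # access mask (process_access only)


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    severity: str
    detail: str


# T1490 Inhibit System Recovery: shadow-copy / backup-catalog deletion, recovery disablement.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# T1561.002 Disk Structure Wipe: a handle opened directly on a physical disk or volume
# device, the path through which MBR / partition-table overwrites are performed.
RAW_DISK_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$", re.IGNORECASE)
# T1003.001 LSASS Memory: PROCESS_VM_READ (0x0010) on lsass.exe from an unexpected image.
# The allowlist is an illustrative placeholder and must be tuned per estate.
PROCESS_VM_READ = 0x0010
LSASS_READERS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list[Event], ot_adjacent_hosts: set[str],
             lsass_fleet_threshold: int = 3) -> list[Finding]:
    """Return findings; any hit on an OT-adjacent host is escalated to SEV-1."""
    def sev(host: str) -> str:
        return "SEV-1" if host in ot_adjacent_hosts else "SEV-2"

    findings: list[Finding] = []
    lsass_hosts: dict[str, set[str]] = defaultdict(set)   # host -> offending images

    for e in events:
        if e.kind == "process_create" and SHADOW_DELETE.search(e.command_line):
            findings.append(Finding(e.host, "T1490", sev(e.host),
                                    f"recovery inhibition: {e.command_line}"))
        elif e.kind == "raw_device_open" and RAW_DISK_DEVICE.match(e.target):
            findings.append(Finding(e.host, "T1561.002", sev(e.host),
                                    f"{_basename(e.image)} opened {e.target}"))
        elif (e.kind == "process_access" and _basename(e.target) == "lsass.exe"
              and e.granted_access & PROCESS_VM_READ
              and _basename(e.image) not in LSASS_READERS_ALLOWLIST):
            lsass_hosts[e.host].add(_basename(e.image))
            findings.append(Finding(e.host, "T1003.001", sev(e.host),
                                    f"{_basename(e.image)} read lsass.exe (0x{e.granted_access:x})"))

    # "Large-scale" LSASS access: the same technique on many hosts in one window is
    # campaign-scale credential harvesting and is SEV-1 regardless of OT adjacency.
    if len(lsass_hosts) >= lsass_fleet_threshold:
        findings.append(Finding("*", "T1003.001", "SEV-1",
                                f"LSASS read on {len(lsass_hosts)} hosts: {sorted(lsass_hosts)}"))
    return findings


# Constructed sample telemetry; hostnames, paths and masks are illustrative, not real indicators.
SAMPLE_EVENTS = [
    Event("hmi-07", "process_create", r"C:\Windows\System32\cmd.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event("eng-ws-12", "raw_device_open", r"C:\Users\Public\upd.exe", target=r"\\.\PhysicalDrive0"),
    Event("ws-01", "process_access", r"C:\Temp\p.exe",
          target=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),
    Event("ws-02", "process_access", r"C:\Temp\p.exe",
          target=r"C:\Windows\System32\lsass.exe", granted_access=0x1FFFFF),
    Event("ws-03", "process_access", r"C:\Temp\p.exe",
          target=r"C:\Windows\System32\lsass.exe", granted_access=0x1410),
    Event("ws-04", "process_access", r"C:\Windows\System32\svchost.exe",     # allowlisted reader
          target=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),
    Event("ws-05", "process_create", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]
OT_ADJACENT = {"hmi-07", "rtu-gw-02"}   # hosts on the IT/OT boundary, per asset inventory


def run_sample() -> list[Finding]:
    return evaluate(SAMPLE_EVENTS, OT_ADJACENT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity} {f.host:10} {f.technique:10} {f.detail}")
```

The firmware-corruption class (T1495) is deliberately absent: it is not observable from host telemetry and needs RTU/serial-gateway integrity monitoring instead.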

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
Malware family | BlackEnergy | 2014 | 2016 | HIGH
Malware family | Industroyer / Industroyer2 | 2016-12 | 2022-04 | HIGH
Malware family | NotPetya | 2017-06-27 | 2017-06-27 | HIGH
Malware family | Olympic Destroyer | 2018-02 | 2018-02 | HIGH
Malware family | VPNFilter | 2018 | 2019 | HIGH
Malware family | Cyclops Blink | 2019 | 2022-04 | HIGH
Malware family | AcidRain | 2022-02-24 | 2022-02-24 | HIGH
Malware family | HermeticWiper | 2022-02-23 | 2022-Q1 | HIGH
Malware family | CaddyWiper | 2022-03 | 2023 | HIGH
Malware family | AcidPour | 2024-03 | 2024-Q2 | HIGH
Malware family | ZeroLot | 2024-2025 | 2025-Q4 | MODERATE
Malware family | DynoWiper | 2025-12-29 | 2025-12-29 | MODERATE
Malware family | LazyWiper (LLM-generated assessed) | 2025-12-29 | 2025-12-29 | MODERATE
CVE | CVE-2014-4114 | 2014-10 | 2016 | HIGH
Indictment | 6 GRU Unit 74455 officers | 2020-10-15 | n/a | HIGH

[Data Gap: No high-confidence network IOCs (domains, IPs) published within the last 90 days that have not already been sinkholed or burned. Edge-device IOCs are deliberately not enumerated here because they are environment-specific and stale within days — see Recommendation 5 for the appropriate sourcing pattern.]

References

  1. CISA Advisory AA22-110A — Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (2022). https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a. Rating: A1
  2. US Department of Justice — Indictment of Six Russian GRU Officers (Oct 2020). https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and. Rating: A1
  3. White House Statement — Attribution of NotPetya to Russia (Feb 2018). https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/. Rating: A1
  4. MITRE ATT&CK Group G0034 — Sandworm Team. https://attack.mitre.org/groups/G0034/. Rating: A2
  5. Mandiant — “Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm” (Apr 2024). https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm. Rating: B2
  6. Amazon Web Services — “Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure” (Jan 2026). https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/. Rating: B2
  7. Field Effect — “APT44 shifts tactics, exploits edge devices across critical infrastructure.” https://fieldeffect.com/blog/apt44-shifts-tactics-exploits-edge-devices-critical-infra. Rating: C2
  8. Barracuda Networks — “Sandworm: Russia’s global infrastructure wrecking crew” (Mar 2026). https://blog.barracuda.com/2026/03/16/sandworm—russia-s-global-infrastructure-wrecking-crew. Rating: C2
  9. EclecticIQ — “Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools.” https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns. Rating: C2
  10. NJCCIC — Russia: APT44 threat profile. https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/russia-cyber-threat-operations/russia-apt44. Rating: C2

Source: PDB Threat Actor Registry · Profile v1

Brandon writes the profiles personally.