
Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm

Due to its history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high-severity threat to governments and critical infrastructure operators globally wherever Russian national interests intersect. The combination of APT44's high capability, risk tolerance, and far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and critical infrastructure operators around the world at risk of falling into the group's sights on short notice.

We also judge APT44 to present a significant proliferation risk for new cyber attack concepts and methods. Continued advancements and in-the-wild use of the group’s disruptive and destructive capabilities have likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs. Russia itself is almost certainly alert to and concerned about this proliferation risk, as Mandiant has observed Russian cybersecurity entities exercise their ability to defend against categories of disruptive cyber capabilities originally used by APT44 against Ukraine.

Looking Ahead
APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally. It has been at the forefront of the threat landscape for over a decade and is responsible for a long list of firsts that have set precedents for future cyber attack activity. Patterns of historical activity, such as efforts to influence elections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that may fuel the group’s operations in the future.

As Russia’s war continues, we anticipate Ukraine will remain the principal focus of APT44 operations. However, as history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider strategic objectives globally is ingrained in its mandate. We therefore assess that changing Western political dynamics, upcoming elections, and emerging issues in Russia’s near abroad will also continue to shape APT44’s operations for the foreseeable future.

Protecting the Community
As part of our research, we take various steps to protect customers and the community:

We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities.

Read the APT44 report for our full analysis of this group, a detailed list of malware used by APT44 since 2018, hunting rules for detecting the malware, and a list of Mandiant Security Validation actions organizations can use to validate their security controls.

Published: 2024-04-17T10:00:00