Menu
Browse

Cyber Threat Actor: APT44

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
8 incidents
Profile

APT44 is a threat actorpublicly tracked under the alias Sandworm and is attributed to the Russian state. Open‑source reporting identifies its operational base as Russia, linking the group to Moscow‑directed cyber activities. The actor’s affiliation is described in multiple advisories as state‑sponsored rather than financially motivated or criminal. No public sources indicate that APT44 operates as a independent criminal consortium or that it receives direction from non‑state entities.

The group’s known targeting concentrates on critical infrastructure sectors, specifically energy, water and heat suppliers located in Ukraine. The objective of the observed operations, as stated in the reporting, is to disrupt information systems in order to amplify the effects of concurrent physical attacks on the same infrastructure. No public attribution assigns financial gain or espionage motives to this activity, so the profile notes disruption as the explicit strategic goal. The geographic focus of the activity aligns with the regional conflict in which the targeted facilities reside.

In terms of tactics, APT44 employs a mixture of previously known malware families and newly developed tools; the March 2024 campaign utilized the QUEUESEED payload alongside Linux variants named BIASBOAT and LOADGRIP. Initial access was achieved through supply‑chain compromises, specifically by poisoning legitimate software updates and by abusing vendor maintenance channels to gain footholds inside target networks. The malware was used to infiltrate networks and disrupt operations at the affected facilities. The March 7 2024 operation, which impacted approximately twenty critical‑facility sites in Ukraine, serves as a representative illustration of the group’s current methodology and its focus on causing operational disruption. This campaign was reported by BleepingComputer and CERT‑UA, providing the primary open‑source evidence for the described behavior.

Incidents
Attributed incidents available to members
8 incidents
Sources
Sources available to members
62 sources