APT44, a Russian state-sponsored hacking group, has conducted numerous high-profile cyberattacks against critical infrastructure and government entities worldwide, including the attacks on the Ukrainian power grid and the NotPetya malware attack. Its recent ‘BadPilot’ campaign shows a continued effort to breach a wide range of sectors and underlines an ongoing threat to cybersecurity.
Affected: Critical infrastructure, government entities, energy sector, oil and gas, telecommunications, shipping, arms manufacturing
Key points:
- APT44, also known as ‘Sandworm’ or ‘Seashell Blizzard’, is a state-sponsored hacking group from Russia.
- The group has been linked to the GRU (Russian military intelligence) and has conducted numerous cyberattacks since the early 2010s.
- Notable attacks include the Ukrainian Power Grid attacks (2015-2016) and the NotPetya malware attack (2017).
- The ‘BadPilot’ campaign, uncovered in 2025, has targeted critical organizations and governments since at least 2021.
- APT44 employs advanced TTPs to infiltrate systems and establish persistence.
- The group poses a significant threat to global cybersecurity across various sectors.
MITRE Techniques:
- Execution (T1059, Command and Scripting Interpreter): Using scripting languages and command-line interfaces to execute malicious code.
- Persistence (T1053, Scheduled Task/Job): Creating scheduled tasks or services to retain access across reboots.
- Discovery (T1082, System Information Discovery): Performing system and network reconnaissance to identify critical assets.
- Persistence (T1547, Boot or Logon Autostart Execution): Manipulating boot or logon autostart entries for persistent access.
- Defense Evasion (T1027, Obfuscated Files or Information): Using obfuscation to evade security defenses.
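The techniques above are listed without any detection guidance, so the following is an added example (written for this page, not code from the original summary or from any vendor report on BadPilot) of a small triage filter for two of them: T1053 (scheduled tasks) and T1547 (Run-key autostart entries), with an encoded-PowerShell heuristic as a rough T1027 signal. The event IDs are real Windows Security (4698) and Sysmon (13) identifiers; every host name, task name, path, registry value and command line in the sample records is constructed for illustration and is not an indicator from the campaign.

```python
"""Added example: triage Windows/Sysmon events for scheduled-task and Run-key persistence.

All sample events below are constructed; only the event IDs are real identifiers.
"""
import json
import re

SCHEDULED_TASK_CREATED = 4698   # Security log: a scheduled task was created (T1053.005)
SYSMON_REGISTRY_SET = 13        # Sysmon: a registry value was set (used for T1547.001)

# Autostart locations under HKLM/HKU ...\CurrentVersion\Run and RunOnce
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script hosts and LOLBins commonly used as task or Run-key actions (T1059)
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.IGNORECASE
)
# PowerShell's encoded-command switch, a common obfuscation signal (T1027)
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".ps1", ".hta")


def classify(event):
    """Return a list of (technique, reason) findings for one parsed event."""
    findings = []
    eid = event.get("EventID")
    if eid == SCHEDULED_TASK_CREATED:
        action = event.get("TaskContent", "")
        name = event.get("TaskName", "<unknown>")
        if SCRIPT_HOST.search(action):
            findings.append(("T1053.005", f"scheduled task {name!r} launches a script host"))
        if ENCODED_PS.search(action):
            findings.append(("T1027", f"scheduled task {name!r} uses an encoded PowerShell command"))
    elif eid == SYSMON_REGISTRY_SET:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_KEY.search(target) and (
            SCRIPT_HOST.search(details) or details.lower().endswith(SCRIPT_EXTENSIONS)
        ):
            findings.append(("T1547.001", f"Run key {target!r} points at a script"))
    return findings


def triage(lines):
    """Parse JSON event lines, skip malformed ones, and collect findings per host."""
    report = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not abort the whole batch
        for technique, reason in classify(event):
            report.append({"host": event.get("Computer"), "technique": technique, "reason": reason})
    return report


# Constructed sample events (hypothetical hosts, tasks and paths).
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "ws01.example.local", "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": r"powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"EventID": 4698, "Computer": "srv02.example.local", "TaskName": r"\Backup\Nightly",
     "TaskContent": r"C:\Program Files\Backup\backup.exe /full"},
    {"EventID": 13, "Computer": "ws01.example.local",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Helper",
     "Details": r"wscript.exe C:\Users\Public\helper.vbs"},
    {"EventID": 13, "Computer": "srv02.example.local",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Settings\Theme", "Details": "dark"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["this line is not json"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding['host']}: {finding['technique']} - {finding['reason']}")
```

Run as-is it reports the encoded PowerShell task and the Run-key VBScript entry on the first host and nothing for the legitimate backup task or the unrelated registry write; in practice the regexes would be tuned against a baseline of the environment's own task and autostart inventory to keep the false-positive rate workable.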
Indicators of Compromise:
- [Malware] NotPetya
- [Threat Group] APT44
- [Threat Group Name] Sandworm
- [Code Name] BadPilot
- [Exploitation] Cyberattacks on critical infrastructure