Critical • Nation-State APT • TLP:CLEAR

APT44 / Sandworm

Threat Hunting Guide • 4-6 hours

Russian GRU Unit 74455 - one of the most dangerous cyber threat actors globally. Responsible for NotPetya ($10B+ damages), Ukraine power grid attacks, and Olympic Destroyer. Specializes in ICS/SCADA targeting and destructive wiper operations.

Hunt Modules: 10 • Duration: 4-6 hrs • MITRE Techniques: 80+ • Attribution: GRU • Active Since: 2009

Download Full Hunting Guide

Complete guide with 10 hunt modules, ICS/SCADA detection queries, wiper malware indicators, and IOCs.

10 Hunt Modules

1. Initial Access - Spearphishing Detection (30 min • High)
2. PowerShell Abuse & LOTL Techniques (30 min • Critical)
3. Credential Dumping (Mimikatz/LSASS) (30 min • Critical)
4. Lateral Movement via SMB/Admin Shares (30 min • High)
5. Group Policy Object Abuse (30 min • Critical)
6. Scheduled Task Persistence (30 min • High)
7. Wiper Malware Indicators (45 min • Critical)
8. ICS/SCADA Environment Monitoring (45 min • Critical)
9. Defense Evasion & Log Clearing (30 min • High)
10. C2 Communication Patterns (30 min • High)

Detection Rules

Copy these queries to detect APT44/Sandworm activity in your environment.

Office Document Spawning Suspicious Process

index=windows sourcetype=WinEventLog:Security EventCode=4688
    (ParentProcessName="*\\WINWORD.EXE" OR ParentProcessName="*\\EXCEL.EXE")
    (NewProcessName="*\\cmd.exe" OR NewProcessName="*\\powershell.exe" OR NewProcessName="*\\wscript.exe")
| stats count by ParentProcessName, NewProcessName, CommandLine, ComputerName

Wildcards are only honoured in the base search (or in `| search`); `| where` compares strings literally, so the filters are applied as search terms. The field names are those of XML-rendered 4688 events; the legacy text rendering extracts Creator_Process_Name, New_Process_Name and Process_Command_Line instead, and Sysmon Event ID 1 uses ParentImage, Image and CommandLine. CommandLine is only populated when command-line auditing is enabled in the process creation audit policy.

Windows Event Log Clearing

index=windows ((sourcetype=WinEventLog:Security EventCode=1102) OR (sourcetype=WinEventLog:System EventCode=104))
| stats count by ComputerName, User, EventCode

Event 1102 is written to the Security log when that log is cleared; event 104 is written to the System log when any other log is cleared. A `stats count` row is never zero, so no trailing count filter is needed.

Wiper Pre-Encryption Commands

index=windows sourcetype=WinEventLog:Security EventCode=4688
    (CommandLine="*vssadmin*delete*" OR CommandLine="*bcdedit*" OR CommandLine="*wbadmin*delete*")
| stats count by ComputerName, User, CommandLine

These commands remove shadow copies, alter boot configuration and delete backups ahead of destructive payloads. `*bcdedit*` on its own also matches routine administrative use, so narrow it to the boot-configuration changes you want to alert on during tuning.
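The three rules above, reimplemented as an added Python example (not part of the guide) that applies the same wildcard terms to constructed sample events, so the matching logic can be checked offline before the SPL is deployed; the event shapes and host names are assumptions.

```python
import fnmatch
from collections import Counter

# Constructed sample events shaped like Splunk-extracted Windows Security
# events (4688 process creation, 1102 Security log cleared); not real telemetry.
EVENTS = [
    {"EventCode": 4688, "ComputerName": "WS01", "User": "jdoe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc AAAA"},
    {"EventCode": 4688, "ComputerName": "WS01", "User": "jdoe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventCode": 4688, "ComputerName": "SRV02", "User": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventCode": 1102, "ComputerName": "SRV02", "User": "admin"},
]

# The same wildcard terms the SPL rules above use.
OFFICE_PARENTS = (r"*\WINWORD.EXE", r"*\EXCEL.EXE")
LOLBIN_CHILDREN = (r"*\cmd.exe", r"*\powershell.exe", r"*\wscript.exe")
WIPER_PRECURSORS = ("*vssadmin*delete*", "*bcdedit*", "*wbadmin*delete*")
LOG_CLEAR_CODES = {1102, 104}

def matches_any(value, patterns):
    """Splunk search-term style match: '*' wildcard, case-insensitive."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def classify(ev):
    """Names of the rules an event triggers (one event may hit several)."""
    hits = []
    if ev.get("EventCode") == 4688:
        if (matches_any(ev.get("ParentProcessName", ""), OFFICE_PARENTS)
                and matches_any(ev.get("NewProcessName", ""), LOLBIN_CHILDREN)):
            hits.append("office_spawn")
        if matches_any(ev.get("CommandLine", ""), WIPER_PRECURSORS):
            hits.append("wiper_precursor")
    elif ev.get("EventCode") in LOG_CLEAR_CODES:
        hits.append("log_cleared")
    return hits

def run_rules(events):
    """Equivalent of '| stats count by rule, ComputerName'."""
    return Counter((rule, ev["ComputerName"])
                   for ev in events for rule in classify(ev))
```

Feeding real exported events into run_rules() shows which hosts each rule would surface and which benign process chains need tuning out.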

Need More Detection Rules?

The full guide includes 25+ additional detection signatures for ICS/SCADA and wiper malware.

Download Full Guide

Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning for your specific environment. Sources: Mandiant APT44 Report, CISA Ukraine Cyber Advisory.

Notable Operations

NotPetya (2017)

Disguised as ransomware but built for destruction. Delivered through a supply-chain compromise of the M.E.Doc accounting software and caused $10B+ in global damages.

Ukraine Power Grid (2015/2016/2022)

The first confirmed cyber attacks to cause power outages; the campaign produced the Industroyer/CrashOverride ICS malware.

Olympic Destroyer (2018)

PyeongChang Winter Olympics disruption. False flags planted to frame North Korea and China.

Wiper Arsenal

CaddyWiper, AcidRain, AcidPour, ORCSHRED, SOLOSHRED, AWFULSHRED, HermeticWiper

Protect Critical Infrastructure

BRACE monitors for APT44 indicators including wiper malware signatures, ICS/SCADA targeting patterns, and destructive attack precursors.