Mandiant Attributes Majority of Cyber Operations Against Ukraine to APT44

Mandiant Attributes Majority of Cyber Operations Against Ukraine to APT44


In a recent report published by Mandiant, the Sandworm group (also known as FROZENBARENTS) has been identified as the Advanced Persistent Threat (APT) 44. This group has been involved in a series of cyber operations targeting Ukraine over the past decade. Below are the key findings and tactics used by APT44.

Key Findings

  1. Tactical Shifts: Since the onset of the war in Ukraine in 2022, APT44 has adjusted its tactics and operational priorities. They increasingly focus on edge devices during the conflict and support Russia's kinetic military operations with cyber attacks.
  2. Targeted Attacks: APT44 has conducted targeted attacks against military objectives in Ukraine. For instance, in October 2022, they disrupted IT and OT systems at an energy distribution entity amid Russia's winter campaign of military and drone attacks on Ukraine's energy grid.
  3. Human-Machine Interface (HMI) Manipulation: The group also claims responsibility for manipulating human-machine interfaces (HMIs) controlling OT assets in Polish and American water supply companies. While independent verification of intrusion activity at this water supply company is lacking, APT44 is known for executing such cyber attacks.


APT44 poses a significant cyber threat and has played a central role in Ukraine-related operations over the past decade. It's crucial for cybersecurity organizations to remain vigilant and take measures to defend against this group.