Seashell Blizzard

Threat Actor Profile (updated 2 months ago)
Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the GRU, such as Forest Blizzard (also known as Strontium, APT28, and Fancy Bear). Seashell Blizzard has been linked to several high-profile cyber-attacks, including exploiting perimeter server systems like Exchange and Tomcat servers, while leveraging pirated Microsoft Office software harboring the DarkCrystalRAT backdoor for initial access. The group is believed to be run by Military Unit 74455, a notorious cyber warfare unit of the GRU.

Seashell Blizzard has exhibited a pattern of short-term collaborations with hacktivist groups such as Solntsepek, InfoCentr, and Cyber Army of Russia. These relationships are marked by temporary spikes in alleged cyber capability coinciding with Seashell Blizzard attacks. Microsoft has noted that these hacktivist-led attacks often preface multiple waves of more destructive assaults by Seashell Blizzard, supporting broader military objectives, especially in the context of conflicts like the one in Ukraine.

The group has also been associated with the development of disruptive malware strains, such as NotPetya and a novel "ransomware" strain known as Prestige. The latter was discussed at CYBERWARCON 2022 and was found to impact organizations in Ukraine and Poland. In addition, Seashell Blizzard has been linked to the FakePenny ransomware, given the close overlap between the ransom notes used by both. Periodically, Seashell Blizzard launches destructive attacks, which are then publicly claimed by Telegram hacktivist groups, adding a layer of plausible deniability for the sponsoring organization.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Voodoo Bear | 3 | VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th
Sandworm | 3 | Sandworm, a threat actor linked to Russia, is known for its malicious cyber activities. These actions have been characterized by significant breaches and disruptions, primarily targeting Ukrainian entities. This group has demonstrated advanced capabilities, including the use of fileless attacks as d
Telebots | 2 | TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize
Apt44 | 1 | APT44, previously known as Sandworm, is a Russian military intelligence hacking team newly designated by Mandiant. The group has been active in conducting campaigns leveraging Sandworm malware since the start of 2023, primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Solntsepek | 1 | Solntsepek is a notorious malware associated with the Russian state-sponsored threat actor, Seashell Blizzard, which is affiliated with the GRU. The group has been identified by Microsoft as one of the three hacktivist groups that regularly interact with Seashell Blizzard, alongside InfoCentr and th
IRON VIKING | 1 | Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
ELECTRUM | 1 | Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
Hades | 1 | Hades is a notable threat actor, known for its distinctive tactics and infrastructure in executing cyber attacks. The cybersecurity industry first observed Hades' operations in June 2021, with its activities marked by the use of advanced tools such as Advanced Port Scanner, MegaSync, Rclone, and Mal
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Blizzard
Malware
Ransomware
Apt
Wiper
Russia
Microsoft
State Sponso...
Ukrainian
Telegram
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
NotPetya | Unspecified | 2 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
WhisperGate | Unspecified | 1 | WhisperGate is a type of malware, specifically a wiper, that was used extensively in cyberattacks against Ukrainian organizations throughout 2022. It was one of several malicious software tools deployed by Russian Advanced Persistent Threat (APT) actors, alongside others such as AwfulShred, CaddyWip
Prestige | Unspecified | 1 | Prestige is a type of malware attributed to the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. This malicious software was used in ransomware attacks against Ukrainian and Polish logistics companies in October 2022. The deployment of Prestige coincided with reported instances of ran
Associated Threat Actors
ID | Type | Votes | Profile Description
Cadet Blizzard | Unspecified | 2 | Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Forest Blizzard | Unspecified | 1 | Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Cyber Army of Russia | Unspecified | 1 | The Cyber Army of Russia is a threat actor that has been particularly active in launching Distributed Denial of Service (DDoS) attacks against Ukraine. They are part of an array of pro-Russia hacktivist groups, including Turla, XakNet, KillNet, NoName057(16), and Anonymous Russia, that remain operat
Seashell Blizzard Iridium | Unspecified | 1 | Seashell Blizzard Iridium, also known as Sandworm, is a threat actor reportedly comprised of Russian military intelligence officers. This group has been identified as distinct from other Advanced Persistent Threat (APT) groups associated with the Russian military intelligence GRU, such as Forest Bli
Volt Typhoon | Unspecified | 1 | Volt Typhoon is a China-linked Advanced Persistent Threat (APT) group that has been operating with significant stealth and operational security. The group has been linked to the KV-Botnet, a malicious network used for various cybercrime activities. This threat actor has demonstrated sophisticated te
Mint Sandstorm | Unspecified | 1 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Seashell Blizzard threat actor was drawn from the documents listed below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | a month ago | Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours
InfoSecurity-magazine | 2 months ago | New North Korean Hacking Group Identified by Microsoft
InfoSecurity-magazine | 3 months ago | Russia's Sandworm Upgraded to APT44 by Google's Mandiant
BankInfoSecurity | 3 months ago | Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
DARKReading | 5 months ago | Microsoft Threat Report: How Russia's War on Ukraine Is Impacting the Global Cybersecurity Community
CERT-EU | a year ago | Hacker Group Names Are Now Absurdly Out of Control - Slashdot
CERT-EU | 8 months ago | Microsoft shares threat intelligence at CYBERWARCON 2023 | Microsoft Security Blog
CERT-EU | 8 months ago | Denmark Hit With Largest Cyberattack on Record
BankInfoSecurity | 8 months ago | Denmark Hit With Largest Cyberattack on Record
CERT-EU | 8 months ago | Russian Sandworm Hackers Caused Power Outage in October 2022
BankInfoSecurity | 9 months ago | Ukrainian Telcos Targeted by Suspected Sandworm Hackers
CERT-EU | a year ago | Hacker Group Names Are Now Absurdly Out of Control | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
DARKReading | a year ago | Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine
CERT-EU | 10 months ago | Ukraine Cyber Defenders Prepare for Winter
BankInfoSecurity | 10 months ago | Ukraine Cyber Defenders Prepare for Winter
Securityaffairs | a year ago | Microsoft links Cadet Blizzard APT to Russia military intel GRU
CERT-EU | a year ago | CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine
DARKReading | a year ago | Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks
CERT-EU | a year ago | New Russia's GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
CERT-EU | a year ago | Russia sent its reserve team to wipe Ukrainian hard drives