Seashell Blizzard

Threat Actor updated a month ago (2024-11-29T14:48:34.328Z)
Download STIX
Preview STIX
Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the GRU, such as Forest Blizzard (also known as Strontium, APT28, and Fancy Bear). Seashell Blizzard has been linked to several high-profile cyber-attacks, including exploiting perimeter server systems like Exchange and Tomcat servers, while leveraging pirated Microsoft Office software harboring the DarkCrystalRAT backdoor for initial access. The group is believed to be run by Military Unit 74455, a notorious cyber warfare unit of the GRU. Seashell Blizzard has exhibited a pattern of short-term collaborations with hacktivist groups such as Solntsepek, InfoCentr, and Cyber Army of Russia. These relationships are marked by temporary spikes in alleged cyber capability coinciding with Seashell Blizzard attacks. Microsoft has noted that these hacktivist-led attacks often preface multiple waves of more destructive assaults by Seashell Blizzard, supporting broader military objectives, especially in the context of conflicts like the one in Ukraine. The group has also been associated with the development of disruptive malware strains, such as NotPetya and a novel "ransomware" strain known as Prestige. The latter was discussed at CYBERWARCON 2022 and was found to impact organizations in Ukraine and Poland. In addition, Seashell Blizzard has been linked to the FakePenny ransomware, given the close overlap between the ransom notes used by both. Periodically, Seashell Blizzard launches destructive attacks, which are then publicly claimed by Telegram hacktivist groups, adding a layer of plausible deniability for the sponsoring organization.
Description last updated: 2024-05-29T11:15:56.440Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Voodoo Bear is a possible alias for Seashell Blizzard. VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th
3
Sandworm is a possible alias for Seashell Blizzard. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c
3
Telebots is a possible alias for Seashell Blizzard. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Malware
Blizzard
Apt
Wiper
Ransomware
Russia
State Sponso...
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The NotPetya Malware is associated with Seashell Blizzard. NotPetya is a destructive malware that posed as ransomware, causing significant global damage in 2017. Despite its appearance as ransomware, NotPetya was not designed to extort money but rather to destroy data and disrupt operations, particularly targeting Ukraine's infrastructure. NotPetya was attrUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cadet Blizzard Threat Actor is associated with Seashell Blizzard. Cadet Blizzard, a Russian threat actor, has emerged as a significant cybersecurity concern. Identified by the Microsoft Threat Intelligence Center in June 2023, Cadet Blizzard is linked to Russia's GRU military intelligence unit and has been operational since at least 2020. The group has demonstrateUnspecified
2
Source Document References
Information about the Seashell Blizzard Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
7 months ago
InfoSecurity-magazine
7 months ago
InfoSecurity-magazine
8 months ago
BankInfoSecurity
8 months ago
DARKReading
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
2 years ago
DARKReading
2 years ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago