Seashell Blizzard

Threat Actor updated 6 months ago (2024-05-29T11:17:41.512Z)

Download STIX

Preview STIX

Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the GRU, such as Forest Blizzard (also known as Strontium, APT28, and Fancy Bear). Seashell Blizzard has been linked to several high-profile cyber-attacks, including exploiting perimeter server systems like Exchange and Tomcat servers, while leveraging pirated Microsoft Office software harboring the DarkCrystalRAT backdoor for initial access. The group is believed to be run by Military Unit 74455, a notorious cyber warfare unit of the GRU. Seashell Blizzard has exhibited a pattern of short-term collaborations with hacktivist groups such as Solntsepek, InfoCentr, and Cyber Army of Russia. These relationships are marked by temporary spikes in alleged cyber capability coinciding with Seashell Blizzard attacks. Microsoft has noted that these hacktivist-led attacks often preface multiple waves of more destructive assaults by Seashell Blizzard, supporting broader military objectives, especially in the context of conflicts like the one in Ukraine. The group has also been associated with the development of disruptive malware strains, such as NotPetya and a novel "ransomware" strain known as Prestige. The latter was discussed at CYBERWARCON 2022 and was found to impact organizations in Ukraine and Poland. In addition, Seashell Blizzard has been linked to the FakePenny ransomware, given the close overlap between the ransom notes used by both. Periodically, Seashell Blizzard launches destructive attacks, which are then publicly claimed by Telegram hacktivist groups, adding a layer of plausible deniability for the sponsoring organization.

Description last updated: 2024-05-29T11:15:56.440Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Voodoo Bear is a possible alias for Seashell Blizzard. VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th	3
Sandworm is a possible alias for Seashell Blizzard. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	3
Telebots is a possible alias for Seashell Blizzard. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ukraine

Malware

Blizzard

Apt

Wiper

Ransomware

Russia

State Sponso...

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The NotPetya Malware is associated with Seashell Blizzard. NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Cadet Blizzard Threat Actor is associated with Seashell Blizzard. Cadet Blizzard, a Russian threat actor, has emerged as a significant cybersecurity concern. Identified by the Microsoft Threat Intelligence Center in June 2023, Cadet Blizzard is linked to Russia's GRU military intelligence unit and has been operational since at least 2020. The group has demonstrate	Unspecified	2

Source Document References

Information about the Seashell Blizzard Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	6 months ago	Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours
InfoSecurity-magazine	6 months ago	New North Korean Hacking Group Identified by Microsoft
InfoSecurity-magazine	7 months ago	Russia’s Sandworm Upgraded to APT44 by Google's Mandiant
BankInfoSecurity	7 months ago	Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
DARKReading	10 months ago	Microsoft Threat Report: How Russia’s War on Ukraine Is Impacting the Global Cybersecurity Community
CERT-EU	2 years ago	Hacker Group Names Are Now Absurdly Out of Control - Slashdot
CERT-EU	a year ago	Microsoft shares threat intelligence at CYBERWARCON 2023 \| Microsoft Security Blog
CERT-EU	a year ago	Denmark Hit With Largest Cyberattack on Record
BankInfoSecurity	a year ago	Denmark Hit With Largest Cyberattack on Record
CERT-EU	a year ago	Russian Sandworm Hackers Caused Power Outage in October 2022
BankInfoSecurity	a year ago	Ukrainian Telcos Targeted by Suspected Sandworm Hackers
CERT-EU	2 years ago	Hacker Group Names Are Now Absurdly Out of Control \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
DARKReading	a year ago	Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine
CERT-EU	a year ago	Ukraine Cyber Defenders Prepare for Winter
BankInfoSecurity	a year ago	Ukraine Cyber Defenders Prepare for Winter
Securityaffairs	a year ago	Microsoft links Cadet Blizzard APT to Russia military intel GRU
CERT-EU	2 years ago	CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine
DARKReading	a year ago	Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks
CERT-EU	a year ago	New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
CERT-EU	a year ago	Russia sent its reserve team to wipe Ukrainian hard drives