Voodoo Bear, Sandworm, and APT44
Summary
Voodoo Bear is CrowdStrike's name for the Russian advanced persistent threat (APT) group also tracked as Sandworm (the name coined by iSIGHT Partners in 2014 and used by ESET) and APT44 (Mandiant). The group is attributed to Military Unit 74455 of the Main Directorate of the General Staff of the Russian Armed Forces (GRU). Voodoo Bear has been active since at least 2009 and is known for cyber espionage, sabotage, and influence operations.
Its targets have ranged from government institutions and critical infrastructure to media organizations and private businesses across many sectors. With a track record that includes the December 2015 Ukrainian power grid blackout and the NotPetya outbreak of June 2017, Voodoo Bear has earned a reputation as one of the most destructive state-sponsored actors.
The group's tradecraft is characterized by technical depth, adaptability, and a willingness to deploy destructive malware and zero-day exploits. It typically gains initial access through spear-phishing emails, and in some campaigns through compromised third-party software or network devices, then deploys custom implants to exfiltrate data, maintain persistence, and, where the objective calls for it, disrupt or destroy systems.
Historical Information
2009:
Emergence: Voodoo Bear (Sandworm) begins its cyber operations, though their early activities remain largely undetected. Their initial focus appears to be on cyber espionage, targeting government and military entities in Eastern Europe and the former Soviet Union.
2015:
Ukrainian Power Grid Attack: On 23 December, a coordinated cyberattack hits three Ukrainian regional electricity distribution companies, cutting power to roughly 230,000 customers for several hours. The operators used BlackEnergy malware for access and KillDisk to wipe workstations, then opened breakers through the hijacked SCADA systems. This is the first publicly confirmed cyberattack to cause a power outage. The operation was attributed to Voodoo Bear, demonstrating the group's willingness to conduct destructive attacks on critical infrastructure.
2017:
NotPetya Wiper Attack: On 27 June, NotPetya, a destructive wiper disguised as ransomware, is released through a trojanized update to M.E.Doc, a Ukrainian accounting package, and spreads laterally using the EternalBlue SMB exploit and harvested credentials. Although aimed at Ukrainian organizations, it quickly spreads worldwide, causing an estimated ten billion dollars in damage to businesses and critical infrastructure. Paying the "ransom" could not recover files, confirming the malware's purpose was destruction. The attack was publicly attributed to the Russian military by the United States, the United Kingdom, and other governments in February 2018.
2018:
Olympic Destroyer Attack: During the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea, on 9 February, a wiper attack disrupts IT systems supporting the games, taking down the official website, on-site Wi-Fi, and ticket printing. The malware carried deliberate false flags, including artifacts mimicking North Korea's Lazarus Group, which initially misled attribution. Subsequent analysis, and the October 2020 United States indictment of six GRU Unit 74455 officers, attributed the attack to Voodoo Bear. The incident highlighted both the reach of state-sponsored attacks on major international events and the use of false flags to frustrate attribution.
Beyond 2018:
Voodoo Bear's activities have continued beyond 2018, including further attacks on Ukrainian infrastructure, hack-and-leak and disinformation operations, and attempts to interfere with elections, such as the 2017 French presidential election campaign cited in the 2020 United States indictment. Its tooling continues to evolve, as shown by the Cyclops Blink router botnet disclosed in 2022.
The timeline of Voodoo Bear's activities serves as a stark reminder of the growing threat posed by state-sponsored cyber actors. Their willingness to engage in destructive attacks and their ability to adapt to new challenges make them a persistent and dangerous threat to global security.
Techniques and Tactics
Voodoo Bear uses various techniques, including:
Spear Phishing: Targeting specific individuals with tailored emails to steal credentials or deliver malware.
Malware: Deploying custom tooling such as BlackEnergy (used in the 2015 grid attack), Industroyer (used against a Kyiv transmission substation in December 2016), and Cyclops Blink (a botnet built on compromised WatchGuard and ASUS network devices, disclosed in 2022) to breach networks and cause disruption.
Zero-Day Exploits: Using previously unknown vulnerabilities, for example the Windows OLE flaw CVE-2014-4114 exploited in 2014, to gain access.
Disinformation: Spreading false information and leaked material to influence public opinion and create discord.
Notable Incidents
2015 Ukraine Power Grid Attack: Voodoo Bear cuts electricity to about 230,000 customers in western Ukraine.
2017 NotPetya Attack: The group releases NotPetya, a wiper disguised as ransomware, causing worldwide damage.
2018 Winter Olympics Attack: Voodoo Bear disrupts the IT systems of the Pyeongchang Winter Olympics during the opening ceremony.
Known Individuals
Andrei Vladimirovich Averyanov is a GRU general commanding Unit 29155, a separate sabotage unit, and is not publicly linked to Unit 74455. The officers publicly named in connection with Voodoo Bear are the six Unit 74455 members charged in the October 2020 United States indictment: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin.
Implications
The 2015 attack on the Ukrainian power grid, a watershed moment in cyber warfare, exposed the vulnerability of critical infrastructure to sophisticated cyberattacks. It cut power to hundreds of thousands of people and drew international attention. Ukrainian authorities and private-sector researchers attributed it to Russian actors at the time, and Western governments later formally attributed it to the GRU, further straining relations between Russia and the West.
The NotPetya ransomware outbreak in 2017, also attributed to Voodoo Bear, amplified these concerns. While disguised as ransomware, NotPetya was a wiper malware designed to cause widespread destruction.
It wreaked havoc on global supply chains, crippling multinational corporations and causing billions of dollars in damages. The indiscriminate nature of the attack, which affected numerous countries and industries, led to international condemnation and further solidified Voodoo Bear's reputation as a dangerous and unpredictable actor.
The Olympic Destroyer attack in 2018, aimed at disrupting the Winter Olympics in South Korea, added a new dimension to Voodoo Bear's repertoire. The attack, while not physically destructive, caused significant disruption and embarrassment, highlighting the potential for cyberattacks to impact major international events and sow chaos. The incident further fueled tensions between Russia and the West, with accusations of election meddling and information warfare adding to the already fraught geopolitical landscape.
The fallout from these attacks has been significant. Western governments have responded with sanctions, public attributions, and criminal indictments of GRU officers. These actions aim to deter future aggression and hold the Russian government accountable for operations carried out by its own military intelligence service.
On the cybersecurity front, Voodoo Bear's activities have spurred a renewed focus on defending critical infrastructure and improving threat intelligence sharing among Western allies. The attacks have also highlighted the need for greater public awareness and education about cyber threats, as well as the importance of international cooperation to establish norms of behavior in cyberspace.
The ongoing activities of Voodoo Bear serve as a stark reminder that the digital battlefield is constantly evolving. The group's willingness to engage in destructive attacks and their ability to adapt to new challenges underscore the need for continued vigilance and investment in cybersecurity to protect critical infrastructure and maintain global stability.
References
Wikipedia: Sandworm (hacker group)
CrowdStrike: VOODOO BEAR Threat Actor Profile
MITRE ATT&CK: Sandworm Team (G0034)