
Seashell Blizzard Overview

Seashell Blizzard (also known as Sandworm) is a Russian state-sponsored threat actor attributed to Unit 74455 of the Russian General Staff Main Intelligence Directorate (GRU), the unit also known as the Main Center for Special Technologies (GTsST). The group has been operational since at least 2014. The activity attributed to Seashell Blizzard is commonly described as three subgroups, each with a distinct role: Kamacite serves as an access and enablement group; Electrum conducts actions on objectives, including the disruption of Industrial Control Systems (ICS); and TeleBots conducts cyber sabotage against a broader range of targets. The subgroups overlap in the tools and the tactics, techniques, and procedures (TTPs) they use. An indictment filed on 15th October 2020 by the US Department of Justice (DoJ) against six officers of Unit 74455 linked several key intrusions to the different Seashell Blizzard subgroups.

The group has conducted spear phishing attacks, software supply chain attacks, and information operations, and has carried out destructive intrusions disguised as ransomware. Its primary objectives have included disruptive cyber operations, influence operations and espionage, likely tasked by decision-makers in Russian military intelligence, or driven by national pride in the case of targeting related to international sports. Seashell Blizzard frequently employs tactics that complicate attribution, such as planting false flags, obfuscating command and control (C2) infrastructure, or otherwise engaging in the Russian military practice of "maskirovka" (concealment or deception). Alongside a suite of custom tools, including BlackEnergy3, Bad Rabbit, CHEMISTGAMES, Olympic Destroyer, Industroyer/Industroyer2, NotPetya, KillDisk, GreyEnergy, VPNFilter, Exaramel, the P.A.S. webshell, TeleDoor, Cyclops Blink, CaddyWiper, ArguePatch, and AcidRain, the group has exploited the Exim mail transfer agent for initial access and frequently uses open-source tools such as Mimikatz.


The Quorum Cyber Threat Intelligence team provides threat actor profiles so that you can better understand the tactics, techniques, and procedures (TTPs) of the adversaries targeting your organisation.
