
Seashell Blizzard Overview

Seashell Blizzard (also known as Sandworm) is a Russian state-sponsored threat actor group attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Main Center for Special Technologies (GTsST), Unit 74455. The group has been operational since at least 2014. The unit associated with Seashell Blizzard consists of three subgroups, each focused on specific operations: Kamacite serves as an access and enablement group; Electrum conducts actions on objectives, including disrupting Industrial Control Systems (ICS); and TeleBots conducts cyber sabotage against a broader range of targets. The subgroups overlap in the tools and the tactics, techniques, and procedures (TTPs) they use to conduct their activities. An indictment on 15th October 2020 by the US Department of Justice (DoJ) against six officers of Unit 74455 conclusively linked several key intrusions to the different Seashell Blizzard subgroups.

The group has conducted spear phishing attacks, software supply chain attacks, and information operations, and has employed intrusions that masqueraded as ransomware. Its primary objectives have included disruptive cyber efforts, influence operations and espionage, likely on behalf of decision-makers in Russian military intelligence, or as a matter of national pride in cases of targeting related to international sports. Seashell Blizzard has frequently employed tactics that make attribution difficult, such as planting false flags, obfuscating command and control (C2) infrastructure, or otherwise engaging in the Russian military practice of “maskirovka” (concealment or deception). The group has not only used a suite of custom tools such as BlackEnergy3, Bad Rabbit, CHEMISTGAMES, OlympicDestroyer, Industroyer/Industroyer2, NotPetya, KillDisk, GreyEnergy, VPNFilter, Exaramel, Exim Mail Transfer Agent, P.A.S Webshell, Teledoor, Cyclops Blink, CaddyWiper, ArguePatch, and AcidRain, but also frequently employs open-source tools such as Mimikatz.

Targeted Sectors

Seashell Blizzard frequently targets Ukrainian organisations, North Atlantic Treaty Organisation (NATO) and NATO-partner organisations and institutions, likely because of this military alliance’s interests and activities at Russia’s western border, as well as to support Russian military intelligence objectives. The threat actor group has also been observed targeting organisations in the education, energy, government and telecommunications sectors.

Threat Actor Motivations

The motives of Seashell Blizzard can be evaluated by observing the strategies they apply within the context of their campaigns. The group is known for its interest in secret geopolitical data that would be advantageous to the Russian State.

Seashell Blizzard operates within the context of the GRU or GU (General Staff of the Armed Forces of the Russian Federation), a military foreign intelligence agency with advanced and disruptive capabilities to conduct global disinformation, propaganda, espionage, and cyber operations. The GRU invests in developing both its technical and its psychological operations capabilities. As such, Seashell Blizzard is motivated by both espionage and sabotage.

Russia’s security agencies are in competition with each other and often carry out similar operations against a similar set of targets. It therefore becomes difficult to apply specific attribution and motivational assessments. However, in some cases attacks are carried out as a collaborative effort. As an example, some Seashell Blizzard attacks were carried out with the help of GRU Unit 26165, the Russian GRU cyber military unit that is part of Fancy Bear (APT28).

The Quorum Cyber Threat Intelligence team provides threat actor profiles so that you can better understand cybercriminals’ tactics, techniques, and procedures (TTPs).
