Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of water utilities in the United States and Poland as well as a water mill in France, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.
Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and, reportedly, a French water mill, which the hackers claimed was a French hydroelectric dam. It’s unclear exactly how much disruption or damage the hackers may have managed against any of those facilities.
A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.
Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.
“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”
An Overflowed Tank and a French Rooster
Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”
The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper The Plainview Herald reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)
Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack. The Wydminy facility didn't respond to WIRED’s request for comment.
In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. In fact, the French newspaper Le Monde revealed Wednesday that they had instead accessed the control system for a small water mill running through a village of 300 people. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”
In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though according to Le Monde, they failed to even affect the small water mill they actually tampered with.
In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.
“You can see them flipping through all kinds of stuff just to click the button,” Serino says. “I would say there’s some level of understanding but not a full understanding of how the system works.”
Signs of Sandworm
Mandiant found multiple strong clues that Cyber Army of Russia was, at the very least, created with support from Sandworm if not entirely controlled by that unit of the GRU. YouTube accounts for Cyber Army of Russia were set up from an IP address known to be controlled by Sandworm, Google’s Threat Analysis Group found. (Mandiant, like YouTube, is a Google subsidiary.) On multiple occasions, Sandworm has also carried out what Mandiant’s Hultquist calls “attack-and-leak” operations against Ukrainian targets: Sandworm would penetrate the victim's network and infect it with wiper malware to destroy the contents of machines—but not before stealing the data from the network, which in several cases was later leaked in posts on Cyber Army of Russia Reborn's Telegram account.
Hultquist notes that Cyber Army of Russia Reborn's relatively “haphazard” hacking—and its entirely faulty targeting of what the hackers may have believed was a French dam—doesn't appear to match the style of Sandworm, which has, despite its incredibly callous cyberattacks, shown somewhat more deliberation in its targeting and methods. That may suggest an unusual situation, one in which a state-sponsored group created a more grassroots front that has now gone on to carry out even more reckless operations of its own. The GRU, Hultquist says, has “probably been involved in creating this group and running it. If someone even more aggressive than them comes along and operates in that space, carrying out these attacks, they’re not entirely blameless.”
Even as Sandworm's apparent spinoff carries out its chaotic attacks, Mandiant's report notes that Sandworm itself has shifted somewhat away from the more opportunistic disruptive operations it has carried out in the past. In the first year of Russia's invasion of Ukraine, it launched repeated wiper attacks against Ukrainian targets—many of the relentless, quick-and-dirty data-destroying strikes that Mandiant had previously attributed to the GRU as a whole were specifically the work of Sandworm, it has now concluded. Sandworm also carried out a third blackout attack in 2022, this time in concert with a missile strike on the same area. More recently, however, Sandworm has increasingly taken on an espionage and support role for Russia's physical war effort, the company's report notes.
That more careful coordination with Russia's physical forces has included an operation in which Sandworm used a piece of spyware that US government agencies dubbed Infamous Chisel to infect Android devices used by the Ukrainian military for command-and-control, an apparent effort to gain battlefield intelligence. Mandiant also points to a website set up on a Sandworm-linked server that appears to be a tool for Russian troops to exfiltrate data from captured smartphones, including links for extracting messages from apps like Signal and Telegram.
“As their war aims have evolved, we've seen the group evolve as well,” says Dan Black, a Mandiant analyst and coauthor of its Sandworm report who served as NATO's deputy head of cyber threat intelligence until last year. Black says Sandworm, like much of the Russian military, has had to change its approach, adapting to that espionage and support role as Russia's initial aim of quickly toppling Ukraine's government has shifted into a protracted war of attrition. “What we see is a real pivot away from that wiping activity toward espionage for battlefield enablement,” Black says.
Even as Sandworm shifts into that more traditional military intelligence role, however, the Cyber Army of Russia group that it likely helped to create continues to run wild with disruptive operations, far beyond the front lines of Russia's war in Ukraine. If that spinoff hacker outfit is truly independent of Sandworm, Mandiant's Hultquist notes, that may mean it will continue to demonstrate even less caution or discretion than the GRU's own hackers have.
“Someone under this persona is doing some really aggressive stuff, and they’re doing it globally, and they could ultimately cause a very real incident,” Hultquist says. “If this is just some random group of hacktivists who lack the structure and restraint of a military organization, they may cross lines in ways that no one anticipates.”
Updated 4/17/2024 9:40 am ET: French newspaper Le Monde reported on Wednesday that the French hydroelectric dam Cyber Army of Russia Reborn claims to have breached was, instead, a small town's water mill. We've updated this story to reflect that reporting.
