Russia’s military intelligence unit known as Sandworm has served, over the past decade, as the Kremlin’s most aggressive cyberattack force, causing blackouts in Ukraine and releasing destructive, self-spreading code in incidents that remain some of the world’s biggest hacking events. most disturbing in history. However, in recent months, a group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some ways, goes beyond even its predecessor: they have claimed responsibility for directly attacking the digital systems of a hydroelectric dam in France and water companies in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage critical infrastructure in those countries.
Since early this year, a hacktivist group known as the Cyber Army of Russia, or sometimes the Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations targeting water and hydropower companies. from the United States and Europe. In each case, the hackers have posted videos on the social media platform Telegram showing screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment within those targeted networks. Apparent victims of that hack include several American water utilities in Texas, a Polish wastewater treatment plant and a French hydroelectric plant, although it’s unclear exactly how much disruption or damage the hackers may have caused against any of those. facilities.
TO new report published today by the cybersecurity firm Mandiant establishes a link between that group of hackers and Sandworm, which has been identified for years as Unit 74455 of the Russian military intelligence agency GRU. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple cases in which data stolen from networks Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant was unable to determine, however, whether the Cyber Army of Russia Reborn is simply one of the many covert personas that Sandworm has adopted to disguise its activities over the past decade or, conversely, a distinct group that Sandworm helped create. and with which he collaborated, but which is now operating independently.
Either way, the Cyber Army of Russia Reborn hack has now become, in some ways, even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat intelligence efforts and has tracked down the Sandworm hackers for almost a decade. He notes that Sandworm has never directly targeted a US network with a disruptive cyberattack; it only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, indirectly infected US victims with self-spreading code. The Cyber Army of Russia Reborn, on the other hand, has not hesitated to cross that line.
“Although this group operates under this Sandworm-linked persona, they seem more reckless than any Russian operator we’ve seen targeting the United States,” Hultquist says. “They are actively manipulating operational technology systems in a very aggressive, likely disruptive and dangerous manner.”
An overflowing tank and a French rooster
Mandiant did not have access to the targeted water utility and hydroelectric plant networks, so it could not determine how the Cyber Army of Russian Reborn gained access to those networks. However, one of the group’s videos posted in mid-January shows what appears to be a screen recording capturing the hackers’ tampering with software interfaces for water utilities’ control systems in the cities of Abernathy and Muleshoe in Texas. “We are beginning our next foray into the United States,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”
The video then shows the hackers frantically clicking around the target interface, changing values and settings for both utilities’ control systems. Although it is not clear what effects that manipulation may have had, the Texas newspaper The Plainview Herald reported in early February that local officials had acknowledged the cyber attacks and confirmed some level of disruption. Muleshoe City Manager Ramon Sanchez reportedly said at a public meeting that the attack on the city’s utility had caused a water tank to overflow. Officials in the nearby towns of Abernathy and Hale Center, a target not mentioned in the hackers’ video, also said they had been hit. Utilities in all three cities, as well as another in Lockney, reportedly disabled their software to prevent exploitation, but officials said service to the water companies’ customers was never interrupted. (WIRED reached out to Muleshoe and Abernathy officials but did not immediately receive a response.)
Another video that Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater company in Wydminy, a town in Poland, a country whose government has been a strong supporter of Ukraine in recent years. in the middle of the Russian invasion. “Hello everyone, today we will play with Polish wastewater treatment plants. “I enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.
In a third video, posted in March, hackers also film themselves manipulating the control system of what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was released just after French President Emmanuel Macron made public statements suggesting that he would send French military personnel to Ukraine to help in its war against Russia. The video begins by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crow,” the video says. “Today we will take a look at the Courlon Dam and have a little fun. Enjoy watching, friends. Glory to Russia!”
In their Telegram post, the hackers claim to have lowered the water level of the French dam and stopped the flow of electricity it produced, although WIRED was unable to confirm those claims. Neither the Wydminy facility nor Courlon dam owner Energies France responded to WIRED’s request for comment.
In the videos, the hackers show some knowledge of how a water utility works, as well as some ignorance and random switch flipping, says Gus Serino, founder of cybersecurity firm I&C Secure and former employee of a water utility and Dragos, infrastructure cybersecurity company. Serino notes that hackers, for example, changed the “stop level” of water tanks at Texas utilities, which could have caused the overflow officials mentioned. But he points out that they also made other seemingly arbitrary changes, particularly to the Wydminy wastewater plant, that would have had no effect.