Kremlin-controlled Sandworm hackers remain the most substantial threat to Ukrainian cyberspace while also eyeing targets abroad, according to new research.
“To date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign,” said Google-owned cybersecurity firm Mandiant.
In an analysis published on Wednesday, Mandiant detailed Sandworm’s latest operations and, for the first time, designated the group as an advanced persistent threat actor — APT44.
Sandworm has previously been attributed by multiple governments to a unit within Russia’s Main Intelligence Directorate (GRU).
Contrary to other Russian state-backed threat actors, which tend to specialize in a specific field, Sandworm is actively engaged “in the full spectrum” of attacks, including cyberespionage, destructive operations and influence campaigns, researchers said.
The group appears to be integrated with the activities of Russia’s conventional army, supporting or accompanying their operations. For example, in October 2022, APT44 disrupted a Ukrainian power facility in the midst of Russia’s winter campaign of military and drone strikes targeting Ukraine’s energy grid, Mandiant said.
Researchers claim that Sandworm is responsible “for nearly all of the disruptive and destructive operations against Ukraine over the past decade.”
Among the group’s most successful hacks were “first-of-their-kind” disruptions of Ukraine’s energy grid in the winters of 2015 and 2016, and the global NotPetya attack timed to coincide with Ukraine’s Constitution Day in 2017.
In the second year of the war in Ukraine, however, Sandworm attacks transitioned from disruption to intelligence collection, researchers said. The likely goal of this strategy is to provide a battlefield advantage to Russia’s armed forces.
Last August, for example, Sandworm launched an espionage campaign named “Infamous Chisel,” with the goal of collecting information from Android devices, as well as data from applications specific to the Ukrainian military.
Going global
Despite Ukraine being its main focus, Sandworm has also been carrying out global operations in “key political, military, and economic hotspots for Russia,” according to Mandiant.
Even amid an ongoing war, researchers have observed the group sustaining access and espionage operations across North America, Europe, the Middle East, Central Asia and Latin America.
Sandworm has previously targeted the Organization for the Prohibition of Chemical Weapons (OPCW) for its role in the Novichok poisoning investigations and the investigative journalist nonprofit Bellingcat.
We’ve recently been subjected to a phishing attack via email. The email was made to appear as if it came from USAID and encouraged readers to click a link which downloads a malicious file. We’ve reported it to @USAID. pic.twitter.com/SAsCjbZUe6
— Bellingcat (@bellingcat) December 22, 2023
Most recently, Sandworm-aligned hackers were linked to the attack on a Texas water facility, according to Mandiant. The attack was carried out by a group called CyberArmyofRussia_Reborn, which poses as a hacktivist collective but, in reality, has a close operational relationship with Sandworm.
In January, the group took credit for manipulating human-machine interfaces and controlling operational technology assets at Polish and U.S. water utilities.
In March, the hackers claimed to disrupt electricity generation at a French hydroelectric facility by manipulating water levels.
Mandiant said it cannot independently verify these intrusions or the group’s links to APT44. However, researchers noted that officials from the affected U.S. utilities publicly acknowledged incidents at entities advertised as victims in a video that CyberArmyofRussia_Reborn posted on its YouTube channel.
Researchers said that the global threat posed by Sandworm will continue to grow this year as a record number of people are expected to participate in national elections across the world.
“Sandworm’s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near term,” Mandiant said.