A hacking group behind cyberattacks on water systems in the United States, Poland and France is connected to the Russian military, a cybersecurity firm has found, signaling a possible escalation by Moscow to target adversaries’ infrastructure.
Sandworm has long been identified as Unit 74455 of Russia’s GRU military intelligence agency and has been tied to attacks on Ukrainian telecom providers and the NotPetya malware attack that affected companies around the world.
Researchers at security firm Mandiant, which is owned by Google Cloud, said it found Sandworm appears to have a direct link with several pro-Russia hacktivist groups.
Getty Images
One of them is the Cyber Army of Russia Reborn (CARR) also known as Cyber Army of Russia, which has claimed responsibility for cyberattacks on water systems this year.
Mandiant said that Sandworm can “direct and influence” the group’s activities. The CARR posted on Telegram in January that it had targeted systems that control water supplies in several Texan towns and a wastewater utility in a Polish village.
One attack took place in Muleshoe, Texas, causing a water tower to overflow and sending tens of thousands of gallons of water into the street.
The city’s manager Ramon Sanchez told The Washington Post the password for the system’s control system interface was hacked, adding, “you don’t think that’s going to happen to you.” Around the same time two other towns in north Texas— Abernathy and Hale Center—detected malicious activity on their networks.
The hackers posted videos to Telegram showing screen recordings of their manipulation of human-machine interfaces in the attacks which CNN reported the FBI is investigating.
“We’re starting another raid on the USA,” the video caption next to one Telegram post said, as the hackers added they would show how they exploited “a couple critical infrastructure facilities, namely water supply systems,” next to a smiley face emoji.
In March, the same hacking group shared video claiming it had broken into a French hydroelectric power station and could manipulate water levels. French newspaper Le Monde reported Wednesday that the Russian hackers had targeted a French mill when they thought they were hacking into a hydroelectric dam in Courlon-sur-Yonne.
Mandiant said its research showed Sandworm helped create CARR but it could not determine if the group was a cover persona for Sandworm to disguise its activities, or a distinct group operating independently.
While the group is linked to Sandworm, “they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” John Hultquist, who leads Mandiant’s threat-intelligence efforts, said, according to Wired.
“They’re actively manipulating operational technology systems in a way that’s highly aggressive,” he added. Mandiant said Sandworm also supports Moscow’s war aims in Ukraine.
U.S. water systems have become hacking targets with Iranian-linked operators breaking into at least six American utilities last year, while in November, North Texas Municipal Water District (NTMWD) was hit by a cyberattack.
The White House and the Environmental Protection Agency sent a letter to U.S. governors last month asking them to improve cybersecurity defenses on water facilities, CNN reported. Newsweek has contacted the Kremlin and the FBI for comment.
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.