Russia’s military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They’ve claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.
Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.
A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn’t determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.
Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.
“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”
An Overflowed Tank and a French Rooster
Mandiant didn’t have access to the targeted water utility and hydroelectric plant networks, so wasn’t able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”
A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.
Cyber Army of Russia Reborn via Telegram
The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper The Plainview Herald reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn’t immediately hear back.)
Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.
Cyber Army of Russia Reborn via Telegram
Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.
A third screen recording shows Cyber Army of Russia Reborn’s access to a French water utility.
Cyber Army of Russia Reborn via Telegram
In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”
In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.
In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.
