Hackers Linked to Russia's Military Claim Credit for Sabotaging US Water Utilities | WIRED
By Andy Greenberg

Russia's military intelligence unit known as Sandworm has for the past decade served as the Kremlin's most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that in some respects goes beyond even its predecessor: they've claimed responsibility for directly targeting the digital systems of water utilities in the United States and Poland, as well as a water mill in France, flipping switches and changing software settings in an apparent effort to sabotage those countries' critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, the software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and reportedly a French water mill, which the hackers claimed was a French hydroelectric dam. It's unclear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia's GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade, or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn's hacking has now in some respects become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant's threat-intelligence efforts and has tracked Sandworm's hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack; it has only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn't hesitated to cross that line.

"Even though this group is operating under this persona that's tied to Sandworm, they do seem more reckless than any Russian operator we've ever seen targeting the United States," Hultquist says. "They're actively manipulating operational technology systems in a way that's highly aggressive, probably disruptive, and dangerous."

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so it wasn't able to determine how Cyber Army of Russia Reborn got access to those networks. One of the group's videos, posted in mid-January, however, shows what appears to be a screen recording that captures the hackers' manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. "We are starting our next raid across the USA," reads a message introducing the video on Telegram. "In this video there are a couple of critical infrastructure objects, namely water supply systems."

Image caption: A screen recording shows Cyber Army of Russia Reborn clicking buttons on the interface of a water utility in Texas.

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities' control systems. Though it's not clear what effects that manipulation may have had, the Texas newspaper The Plainview Herald reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town's utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center (a target not mentioned in the hackers' video) also said they'd been hit. All three towns' utilities, as well as another in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities' customers was never interrupted. WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.

Image caption: Another screen recording shows Cyber Army of Russia Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at random.

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia's invasion. "Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching," says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack. The Wydminy facility didn't respond to WIRED's request for comment.

Image caption: A third screen recording shows Cyber Army of Russia Reborn's access to what they believed was a French water utility but is reportedly a small-town water mill.

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon-sur-Yonne hydroelectric dam in France. In fact, the French newspaper Le Monde revealed Wednesday that they had instead accessed the control system for a small water mill running through a village of 300 people. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. "We recently heard a French rooster crowing," the video says. "Today we'll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia."

In their Telegram post, the hackers claim to have lowered the French dam's water level and stopped the flow of electricity it produced, though according to Le Monde they failed to even affect the small water mill they actually tampered with.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the "stop level" for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

"You can see them flipping through all kinds of stuff just to click the button," Serino says. "I would say there's some level of understanding, but not a full understanding of how the system works."

Mandiant found multiple strong clues that Cyber Army of Russia was at the very least created with support from Sandworm, if not entirely controlled by that unit of the GRU. YouTube accounts for Cyber Army of Russia were set up from an IP address known to be controlled by Sandworm, Google's Threat Analysis Group found. (Mandiant, like YouTube, is a Google subsidiary.) On multiple occasions, Sandworm has also carried out what Mandiant's Hultquist calls "attack-and-leak" operations against Ukrainian targets: Sandworm would penetrate the victim's network and infect it with wiper malware to destroy the contents of machines, but not before stealing the data from the network, which in several cases was later leaked in posts on Cyber Army of Russia Reborn's Telegram account.

Hultquist notes that Cyber Army of Russia Reborn's relatively "haphazard" hacking, and its entirely faulty targeting of what the hackers may have believed was a French dam, doesn't appear to match the style of Sandworm, which has, despite its incredibly callous cyberattacks, shown somewhat more deliberation in its targeting and methods. That may suggest an unusual situation, one in which a state-sponsored group created a more grassroots front that has now gone on to carry out even more reckless operations of its own. The GRU, Hultquist says, has "probably been involved in creating this group and running it. If someone even more aggressive than them comes along and operates in that space carrying out these attacks, they're not entirely blameless."

Even as Sandworm's apparent spinoff carries out its chaotic attacks, Mandiant's report notes that Sandworm itself has shifted somewhat away from the more opportunistic disruptive operations it has carried out in the past. In the first year of Russia's invasion of Ukraine, it launched repeated wiper attacks against Ukrainian targets; many of the relentless, quick-and-dirty data-destroying strikes that Mandiant had previously attributed to the GRU as a whole were specifically the work of Sandworm, it has now concluded. Sandworm also carried out a third blackout attack in 2022, this time in concert with a missile strike on the same area. More recently, however, Sandworm has increasingly taken on an espionage and support role for Russia's physical war effort, the company's report notes.

That more careful coordination with Russia's physical forces has included an operation in which Sandworm used a piece of spyware that US government agencies dubbed Infamous Chisel to infect Android devices used by the Ukrainian military for command-and-control, an apparent effort to gain battlefield intelligence. Mandiant also points to a website set up on a Sandworm-linked server that appears to be a tool for Russian troops to exfiltrate data from captured smartphones, including links for extracting messages from apps like Signal and Telegram.

"As their war aims have evolved, we've seen the group evolve as well," says Dan Black, a Mandiant analyst and coauthor of its Sandworm report who served as NATO's deputy head of cyber threat intelligence until last year. Black says Sandworm, like much of the Russian military, has had to change its approach, adapting to that espionage and support role as Russia's initial aim of quickly toppling Ukraine's government has shifted into a protracted war of attrition. "What we see is a real pivot away from that wiping activity toward espionage for battlefield enablement," Black says.

Even as Sandworm shifts into that more traditional military intelligence role, however, the Cyber Army of Russia group that it likely helped to create continues to run wild with disruptive operations far beyond the front lines of Russia's war in Ukraine. If that spinoff hacker outfit is truly independent of Sandworm, Mandiant's Hultquist notes, that may mean it will continue to demonstrate even less caution or discretion than the GRU's own hackers have.

"Someone under this persona is doing some really aggressive stuff, and they're doing it globally, and they could ultimately cause a very real incident," Hultquist says. "If this is just some random group of hacktivists who lack the structure and restraint of a military organization, they may cross lines in ways that no one anticipates."

Updated 4/17/2024, 9:40 am ET: French newspaper Le Monde reported on Wednesday that the French hydroelectric dam Cyber Army of Russia Reborn claims to have breached was instead a small town's water mill. We've updated this story to reflect that reporting.
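Serino's point about the "stop level" setpoint on the Texas water tanks is worth making concrete. The following is an added illustration written for this edit; it is not code from the article, from Mandiant, or from any utility named above, and the tank geometry, setpoints and demand figures in it are invented. It models a generic on/off tank fill controller and shows three things: why pushing a stop-level setpoint above the tank's physical overflow point makes the pump run until the tank spills, the bounds check a controller should apply to every setpoint write regardless of what an HMI sends, and a comparison against a known-good setpoint snapshot of the kind operators use after an incident to see what was changed.

```python
"""Illustrative tank fill controller (added example, not the article's or any
utility's code). Tank geometry, setpoints and demand below are constructed
values for illustration only and describe no real system."""
from dataclasses import dataclass


@dataclass
class Tank:
    capacity: float   # physical overflow point, in level units (e.g. feet)
    level: float      # current level at the start of the simulation
    fill_rate: float  # level added per tick while the pump runs
    demand: float     # level removed per tick by customer draw


@dataclass
class Setpoints:
    start_level: float  # pump starts when the level falls to this
    stop_level: float   # pump stops when the level reaches this


def simulate(tank: Tank, sp: Setpoints, ticks: int) -> dict:
    """Run a simple hysteresis (start/stop) pump loop without validating the
    setpoints, as an HMI that trusts every write would. Returns the final
    level, the peak level, and how many ticks the tank sat at its overflow
    point (water spilling)."""
    level = tank.level
    pump_on = False
    overflow_ticks = 0
    peak = level
    for _ in range(ticks):
        if not pump_on and level <= sp.start_level:
            pump_on = True
        elif pump_on and level >= sp.stop_level:
            pump_on = False
        level += (tank.fill_rate if pump_on else 0.0) - tank.demand
        level = max(level, 0.0)
        if level >= tank.capacity:
            # The tank cannot hold more: anything above capacity spills.
            overflow_ticks += 1
            level = tank.capacity
        peak = max(peak, level)
    return {"level": level, "peak": peak, "overflow_ticks": overflow_ticks}


def setpoint_violations(tank: Tank, sp: Setpoints, margin: float = 0.5) -> list:
    """The check a controller should run on every setpoint write, whatever the
    HMI sends: start must sit below stop, and stop must sit below the physical
    overflow point by a safety margin. An empty list means the write is
    acceptable; a non-empty list means it must be rejected, not applied."""
    problems = []
    if not 0.0 < sp.start_level < sp.stop_level:
        problems.append(f"start_level {sp.start_level} must be below "
                        f"stop_level {sp.stop_level}")
    safe_max = tank.capacity - margin
    if sp.stop_level > safe_max:
        problems.append(f"stop_level {sp.stop_level} exceeds safe maximum "
                        f"{safe_max} for a tank with capacity {tank.capacity}")
    return problems


def setpoint_drift(baseline: Setpoints, current: Setpoints) -> list:
    """Post-incident check: name every setpoint that differs from the last
    known-good snapshot, so operators can see what was changed via the HMI."""
    return [name for name in ("start_level", "stop_level")
            if getattr(baseline, name) != getattr(current, name)]


if __name__ == "__main__":
    # Constructed values: a 20-unit tank, pump gains 1.0/tick, draw 0.4/tick.
    tank = Tank(capacity=20.0, level=12.0, fill_rate=1.0, demand=0.4)
    known_good = Setpoints(start_level=10.0, stop_level=18.0)
    tampered = Setpoints(start_level=10.0, stop_level=25.0)  # above the tank top
    print("known-good setpoints:", simulate(tank, known_good, 200))
    print("tampered setpoints:  ", simulate(tank, tampered, 200))
    print("changed fields:      ", setpoint_drift(known_good, tampered))
    print("controller verdict:  ", setpoint_violations(tank, tampered) or "accepted")
```

With the known-good setpoints the level cycles between roughly 10 and 18 and never reaches the top of the tank; with the tampered stop level the pump never sees a reason to stop, the level climbs to capacity and stays there, spilling every tick. The point of `setpoint_violations` is that the physical limits belong in the controller, where a setpoint written through a compromised HMI is rejected before it reaches the pump.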