Kremlin's Sandworm blamed for cyberattacks on US, European water utilities

The Russian military's notorious Sandworm crew was likely behind cyberattacks on US and European water plants that, in at least one case, caused a tank to overflow.

In a report today, Google's Mandiant threat-hunting team linked the intelligence outfit to disruptions at water and hydroelectric utilities earlier this year. This includes a series of attempts to disrupt Texas water facilities via remote-management software.

At least one of these intrusions caused a system malfunction, leading to a water tank overflow, Mandiant noted in its latest dossier [PDF].

Sandworm, which is understood to work for Russia's GRU military intelligence and is now labeled APT44 by Mandiant, has strongly supported the ongoing invasion of Ukraine.

This has included hitting Russia's neighbor with data-wiping malware, knocking out a segment of satellite comms terminals as well as mobile and internet services; stealing military secrets; and shutting down a Ukrainian power plant.

"Yet the threat posed by Sandworm is far from limited to Ukraine," Mandiant warned. 

The researchers said Sandworm operates the Telegram channels XakNet Team, CyberArmyofRussia_Reborn1, and Solntsepek, to draw attention to its activities and share any stolen data as it masquerades as some kind of independent hacktivist effort. Those channels mostly focus on causing chaos in Ukraine, though CyberArmyofRussia_Reborn1 has demonstrated it will go after Western targets, too.

"A majority of the attack-and-leak activity that Mandiant has tracked from GRU-linked Telegram personas has centered on Ukrainian entities," as the report put it. "However, CyberArmyofRussia_Reborn's claimed intrusion activity has not been so limited" and extends to US and European critical infrastructure organizations' operational technology (OT), Mandiant added. 

• Russia's Sandworm – not just missile strikes – to blame for Ukrainian power blackouts
• Sandworm's Kyivstar attack should serve as a reminder of the Kremlin crew's 'global reach'
• US task force aims to plug security leaks in water sector
• Cybercrims: When we hit IT, they sometimes pay, but when we hit OT... jackpot

In January, CyberArmyofRussia_Reborn's Telegram channel claimed credit for disrupting human machine interfaces (HMI) controlling OT systems at Polish and US water utilities. Shortly after, city officials in Muleshoe, Texas, confirmed that someone compromised its water infrastructure equipment and caused a tank to overflow.

Similar attempts were made at systems in nearby towns, Abernathy and Hale Center, and city officials reportedly "determined the common link to be the vendor software they use that keeps their water systems remotely accessible," according to local news reports.

Then in March, the same Telegram gang posted another video and claimed it compromised the technology controlling water levels at a French hydroelectric facility, thus allowing the miscreants to disrupt electricity generation.

"We assess that changing Western political dynamics, future elections, and emerging issues in Russia's near abroad will continue to shape APT44's operations for the foreseeable future," Mandiant concluded. ®