News
In recent months, a hacktivist group known as the Cyber Army of Russia Reborn has taken credit for multiple cyber attacks on critical civilian infrastructure facilities in the West, including a hydroelectric dam in France and water utilities in the United States and Poland, WIRED reports. According to Google-affiliated cybersecurity firm Mandiant, the group is linked to Sandworm – Unit 74455 of Russia’s GRU military intelligence agency. The outfit has spearheaded the Kremlin’s cyber warfare operations over the past decade, triggering multiple power outages in Ukraine and targeting the 2018 Winter Olympics in South Korea.
But while Mandiant has found reliable evidence tying the Cyber Army of Russia Reborn to the Sandworm GRU unit, its analysts have not been able to determine whether the “army” is an independent group created in collaboration with Sandworm or one of the cover personas used to disguise the unit’s activities.
In the recent attack on U.S. utilities, the hackers documented their work in videos, which they subsequently uploaded to Telegram to demonstrate how they were able to remotely manipulate the facilities’ human-machine interface, using the software to gain control over the physical equipment. The scope of disruption and the damage done by these attacks remains unclear.
John Hultquist, head of threat intelligence at Mandiant, points out that the attacks perpetrated by the Cyber Army of Russia Reborn are more brazen than the activities of Sandworm, which has never launched a direct disruptive attack against U.S. networks, instead planting self-spreading malware – like in the 2017 NotPetya ransomware attack.
“Even though this group [Cyber Army of Russia Reborn] is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”
In mid-January 2024, the Cyber Army took responsibility for an attack against water utilities in the Texas towns of Abernathy and Muleshoe, posting a video on Telegram and announcing a “raid across the USA.” The video demonstrated hackers randomly changing values in the facilities’ control interface (as experts subsequently noted, they appear to have only a partial understanding of the system’s functioning, making significant changes to the values as well as random ones).
Reports from local media, which cited municipal officials, confirmed the attack. However, the only known real-world disruption was the overflowing of a single water tank in Muleshoe, which did not result in water service interruptions.
In January, the hacker group hit a wastewater utility in Wydminy – a Polish village known for its government’s staunch support of Ukraine in the face of Russian aggression. In this attack as well, hackers recorded a video in which they flip switches and change values in the control interface, the most notable new element being the inclusion of a Super Mario Bros. soundtrack.
In March, following Emmanuel Macron’s statement about the possibility of deploying French troops to Ukraine, the group purportedly attempted a sabotage operation against the Courlon Sur Yonne hydroelectric dam southeast of Paris. The hackers say that they stopped the flow of electricity produced by the dam, but their claim has yet to be verified, and dam owner Energies France is yet to release an incident report.
As for the evidence linking the Cyber Army of Russia Reborn to Sandworm, Mandiant lists the GRU-controlled IP address, which was used to set up the Cyber Army’s YouTube account. Furthermore, data stolen by Sandworm from Ukrainian targets during “attack-and-leak” operations later resurfaced in Cyber Army’s Telegram posts. While the latter’s reckless operations do not match the more conservative, targeted style of Sandworm’s attacks, Hultquist believes the GRU has “probably been involved in creating this group and running it. If someone even more aggressive than them comes along and operates in that space, carrying out these attacks, they’re not entirely blameless.”
In this setup, the Cyber Army of Russia Reborn acts as a chaotic, purportedly grassroots hacker group, whereas Sandworm has shifted from opportunistic disruptive wiper attacks against Ukrainian targets towards an espionage and support role for Russia's physical war effort, including the infection of Ukrainian command-and-control devices with malware dubbed “Infamous Chisel” to gain battlefield intelligence. Sandworm also runs a server with a website that Russian troops can use to extract data from captured Ukrainian phones.
As Sandworm evolves towards a more traditional military intelligence role, the Cyber Army of Russia has taken over its disruptive tactics. The spinoff hacker group even crosses lines its purported parent organization never dared. As Hultquist points out, if the group turns out to be truly independent of Sandworm, it may demonstrate even less restraint in its methods and choice of targets, ultimately becoming a wild, chaotic force with a capacity to cause “a very real incident.”