Russia’s Sandworm APT linked to attack on Texas water plant

Researchers have linked a cyberattack on a Texas water facility to Sandworm, a top Russian military-aligned threat group responsible for a decade of “disruptive and destructive” campaigns targeting Ukraine.

In a detailed analysis of the group’s activities published by Mandiant, the cybersecurity firm said no other cyber gang had “played a more central role in shaping and supporting Russia’s military campaign” against Ukraine than Sandworm.

Its numerous and constant cyberattacks have included everything from attacks on Ukraine’s energy grid in the winters of 2015 and 2016, through to last year’s targeting of Android handsets used by Ukrainian military personnel.

“Yet the threat posed by Sandworm is far from limited to Ukraine,” the Mandiant researchers said.

“Mandiant continues to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia.”

An example cited in the report was an attack this January against operational technology at a water facility in Muleshoe, Texas.

A Telegram account called CyberArmyofRussia_Reborn posted a video purporting to show hackers manipulating settings on the facility’s human-machine interface (HMI). Local officials later confirmed the cyberattack caused a tank to overflow but did not disrupt water delivery.

Mandiant said while it could not independently verify the hack or its connection to Sandworm, CyberArmyofRussia_Reborn was one of several “front personas” or “hacktivist identities” linked to the threat group.

The personas were concocted as part of a strategy to generate “second-order psychological effects” designed, among other things, to make the threat group’s attacks “appear more potent through exaggerated claims of impact.”

Assuming Sandworm was responsible for the Muleshoe attack, it would mean Russian operatives have joined gangs from China and Iran in targeting U.S. water facilities recently.

Growing concerns at a government level about the risks nation-state actors pose to the country’s critical infrastructure have prompted the Environmental Protection Agency (EPA) to form a task force to look into hardening security measures across the industry.

Sandworm ‘graduates’ to APT status

A key entity within Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), Sandworm is “actively engaged in the full spectrum of espionage, attack, and influence operations,” Mandiant’s researchers said in their analysis.

Because of the “active and diffuse” nature of the threat it posed, the researchers said they decided to “graduate” the group to advanced persistent threat status, and from now on would track it as APT44.

The APT prefix is commonly used by researchers to track a number of sophisticated, stealthy threat groups.

“APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally,” the researchers said.

“As Russia’s war continues, we anticipate Ukraine will remain the principal focus of APT44 operations. However, as history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider strategic objectives globally is ingrained in its mandate. We therefore assess that changing Western political dynamics, upcoming elections, and emerging issues in Russia’s near abroad will also continue to shape APT44’s operations for the foreseeable future.”