Russian cybercriminals target critical infrastructures in Europe and the United States


“APT44 poses a persistent and high-severity threat to governments and critical infrastructure operators around the world, where Russian interests intersect”: in a report published on April 17, Mandiant, a cybersecurity company owned by Google, details the operations of the APT44 hacker group, better known as “Sandworm”. Since Mandiant first identified the group ten years ago, its assessment of the threat has been revised upwards, in particular because of the group's capacity to combine espionage, disruptive attacks and influence operations with the backing of the Russian government.

Russian hackers make a water tower overflow

As early as January, the Telegram channel CyberArmyofRussia_Reborn (CARR) claimed to have carried out computer attacks against water treatment and distribution facilities in Poland, the United States and France. Until now, it was not possible to know whether these cyberattacks were linked to the Sandworm hacker group. The report published by Mandiant reveals that this Telegram channel is in fact used by APT44 as a propaganda outlet on behalf of Russian military intelligence (GRU). CARR is one of three personas associated with Sandworm, alongside XakNet and Solntsepek, the latter of which claimed responsibility for the cyberattack against the Ukrainian telecom operator Kyivstar last December.

In detail, the report lists Sandworm's various claims against water infrastructure made via the CARR channel. On January 17 and 18, CARR published videos claiming responsibility for the hacking of a wastewater treatment plant in Poland. In Muleshoe, Texas (United States), a water tower was targeted: the hackers managed to make it overflow, and tens of thousands of liters of water then spilled into the streets and drains. Around the same time, other Texas towns also detected malicious activity in their water systems.

Water management systems particularly vulnerable

In France, Sandworm also claims to have targeted the Courlon-sur-Yonne hydroelectric power station (Bourgogne-Franche-Comté) on March 2. The hacker group then published drone footage of the dam together with screen recordings of valve-control software. However, according to Le Monde, the Russian elite hackers hit the wrong target: what they actually compromised was a small private installation on a mill in Courlandon (Grand Est). As a result, the water level upstream fell by… 20 centimeters.

“Mandiant is not currently able to independently verify intrusion activity with APT44,” the researchers caution. Officials of the American public utilities concerned have, however, publicly acknowledged the incidents at the facilities presented as victims by CARR. Water supply systems in any case remain easy targets for hackers: hampered by a lack of funding and staff, they often struggle to implement the necessary cybersecurity measures. In addition, these facilities frequently rely on remote-access software to manage their control systems from afar, which widens the attack surface and exposes them to possible intrusion.

A group involved in MacronLeaks

Mandiant researchers also “observed the group carrying out espionage operations in North America, Europe, the Middle East, Central Asia and Latin America”. They add: “With record numbers of people participating in national elections in 2024, Sandworm's history of attempting to interfere in democratic processes further increases the severity of the threat the group may pose in the short term.”

Sandworm has previously been implicated in the 2017 MacronLeaks, a hack-and-leak campaign in which internal emails from the “En Marche!” movement were stolen and published. The group is also accused of having attacked the information systems of the 2018 Winter Olympics during the opening ceremony in Pyeongchang (South Korea). It is also suspected of being behind NotPetya, destructive malware disguised as ransomware that hit businesses around the world and caused more than a billion dollars in damage.
