Russian Sandworm Hackers Pose as Hacktivists in Water Utility Breaches

The Sandworm hacking group, associated with Russian military intelligence, has been employing a sophisticated strategy of operating under multiple personas to conceal its activities. Mandiant has conducted research revealing the extent of this strategy and its implications. Sandworm, known by aliases such as BlackEnergy, Seashell Blizzard, and Voodoo Bear, has a history dating back to at least 2009. Its operations have been attributed to Unit 74455, the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), better known as the Main Intelligence Directorate (GRU).

Mandiant’s research has uncovered that Sandworm has been using at least three Telegram channels, namely XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek, as platforms to promote its activities and shape narratives favoring Russia. These channels operate independently but in parallel, creating a complex web of misinformation and cyber operations. One significant aspect of Sandworm’s strategy is the creation and management of online personas through these channels. These personas, posing as hacktivist groups, amplify the group’s activities and serve as conduits for disinformation campaigns. Although most of the attack-and-leak activity that Mandiant attributed to the GRU and that involved Telegram personas centered on Ukrainian entities, CyberArmyofRussia_Reborn claimed attacks on water utilities in the U.S. and Poland and on a hydroelectric facility in France.

Security Officer Comments:
Mandiant's findings highlight the group’s adaptability and agility in using these personas to further its objectives. The personas not only obscure Sandworm's true identity but also allow it to manipulate perceptions and narratives. Mandiant warns that, based on the patterns of activity of APT44 (Mandiant's designation for Sandworm), there is a very high chance that the group will attempt to interfere with upcoming national elections and other significant political events in various countries, including the U.S. However, researchers believe that Ukraine will remain the threat actor's primary focus for as long as the war continues. At the same time, Sandworm is versatile enough to run operations in support of global-level strategic objectives.

Suggested Corrections:
As part of their research, Google's TAG team has created a VirusTotal collection featuring APT44-related indicators of compromise, which is available to registered users. Additionally, hunting rules for detecting malware used by APT44 can be found in the TAG team's report below.
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.