The Russian Sandworm hackers, notorious for their association with Russian military intelligence, have employed a sophisticated strategy to hide their cyber operations. The threat group, also tracked as BlackEnergy, Seashell Blizzard, or Voodoo Bear, has been posing as a hacktivist organisation to deceive its targets, execute malicious operations, and attack water utility agencies.
This deceptive tactic involves multiple fake online identities, with Sandworm utilising at least three Telegram channels to expand its activities and propagate narratives favourable to Russia. Since at least 2009, Sandworm’s operations have been attributed to Unit 74455, a division of the Main Intelligence Directorate (GRU) of the Russian Armed Forces.
The group’s modus operandi involves various techniques, including phishing, credential harvesting, exploiting vulnerabilities, and compromising supply chains. Mandiant has designated Sandworm as APT44, describing it as Russia’s primary cyber sabotage unit.
The Sandworm group’s fake identities began to proliferate at the same time Russia started its invasion of Ukraine.
Following Russia’s invasion of Ukraine, Sandworm expanded its use of fake online personas for data leaks and disruptive actions against various organisations, not just in Ukraine but also in other countries opposing Russia. Three main hacktivist-branded Telegram channels, namely XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek, have been identified as outlets for the hacking group’s activities.
While the exact degree of control Sandworm exercises over these personas remains unclear, Google TAG has found evidence linking CyberArmyofRussia_Reborn to Sandworm infrastructure. A separate researcher has also observed instances where APT44 infrastructure was used to exfiltrate data later leaked by CyberArmyofRussia_Reborn.
Although much of Sandworm’s activity focuses on Ukrainian targets, CyberArmyofRussia_Reborn has claimed attacks on various water utilities in the United States and Poland, and on a hydroelectric facility in France.
While these claims cannot be independently verified, officials at the affected utilities in the U.S. have confirmed incidents and malfunctions corresponding to the claimed breaches.
On the other hand, the Solntsepek channel, initially involved in leaking personally identifiable information from Ukrainian military personnel, rebranded in 2023 to take credit for APT44’s disruptive cyberattacks.
Sandworm’s actions show the growing threat posed by nation-backed attackers, especially in conflicts such as the ongoing war in Ukraine, where critical infrastructure and services are targeted to cause widespread disruption and damage.