Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

Researchers from the Google-owned firm conclude that Sandworm personas are linked to several recent attacks on critical infrastructure. 
The Russian flag flies at the embassy's compound in Washington, DC, on April 15, 2021. (Photo by MANDEL NGAN/AFP via Getty Images)

The potent and enduring Russian military intelligence hacking operation known as Sandworm was likely responsible for attacks on water utilities in the United States, Poland and a small water mill in France, researchers with Google’s Mandiant said Wednesday.

Wednesday’s report concludes that Sandworm is behind a set of online personas — including Xaknet, Cyber Army of Russia Reborn and Solntsepek — that have been linked to a string of recent attacks on critical infrastructure, including a water system in Texas. The personas claim the attacks as their own and often exaggerate their impact, while attempting to put distance between the incidents and one of Russia’s most notorious hacking crews. 

Sandworm is suspected of controlling the work of a pro-Russian hacktivist group that calls itself the CyberArmyofRussia_Reborn (CARR) that has targeted U.S. water utilities, according to Mandiant. On January 18, the hacktivist group posted a splashy video to Telegram that targeted water tanks in Muleshoe, Texas, appearing to use the human-machine interface (HMI) to turn on the pumps, causing the tank water level to overflow.

Muleshoe city officials confirmed the overflow in February while noting that it did not cause any service disruptions.


It is unclear whether Sandworm, a Russian military intelligence unit, is directing the work of CARR or whether the group informs its contacts within Russian intelligence after it has carried out an operation, Mandiant cautioned. CARR’s exact membership is unknown and may include individuals who are not members of Russian intelligence. 

Mandiant has observed links between Sandworm and CARR, including a YouTube channel created by the hacktivist group linked to infrastructure that, in turn, is linked to Sandworm. “These patterns of interaction align with TAG’s assessment that CyberArmyofRussia_Reborn is created and controlled by APT44,” Mandiant argues.

Russia’s attack using a persona controlled by Sandworm represents a significant escalation of the Kremlin’s attacks on U.S. critical infrastructure. Russian ransomware gangs have operated with impunity and have attacked U.S. critical infrastructure for years, causing major disruptions such as the Colonial Pipeline hack, but nation-state groups like Sandworm have to date not carried out disruptive attacks on U.S. soil.

Mandiant previously believed that the CyberArmyofRussia_Reborn was linked to the Russian hacking group APT28, also known as Fancy Bear. Mandiant said that after re-analyzing the data, it was able to attribute the suspected activity to Sandworm “with high confidence.”

CyberArmyofRussia_Reborn joins a small but growing group of hacktivist personas linked to nation-linked hackers that target U.S. critical infrastructure. The CyberAv3ngers, a group run by the Iranian Government Islamic Revolutionary Guard Corps, last year hit water facilities in Aliquippa, Pennsylvania., and others that were using devices made by the Israeli firm Unitronics.


Other attacks on critical infrastructure carried out by personas under Sandworm’s control include a March incident in which the group calling itself Solntsepek claimed credit for an attack on multiple Ukrainian telecommunications providers. Ukrainian officials told CyberScoop at the time that the attack was likely carried out by Sandworm. 

Wednesday’s findings are part of a comprehensive analysis in which Mandiant upgraded Sandworm as a fully fledged advanced persistent threat group. The group it now refers to as APT 44 is considered to be among the most capable, dangerous state-backed hacking groups.  

“APT44 is a uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations,” Mandiant researchers wrote in the report.

“APT44 is the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we’ve ever seen, in full-blown support of Russia’s war of territorial aggression,” Dan Black, a lead author of the report and manager of cyber espionage analysis for Mandiant, said in a statement. “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly.”

APT44 is believed to operate as Unit 74455. It is part of the Main Centre for Special Technologies, within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, which is commonly known as the Main Intelligence Directorate, or GRU, according to Mandiant. 


The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad, the researchers said. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The Russian embassy in Washington, D.C., did not respond to a request for comment.

Sandworm’s operations targeting U.S. water facilities come as the White House has been sounding the alarm that the water sector needs to improve its cybersecurity defenses. With many of the nation’s water utilities strapped for resources, cybersecurity investments have fallen by the wayside. 

The White House has tried to put in place more stringent cybersecurity rules for the sector but has failed to find an effective mechanism by which to do so. The Environmental Protection Agency issued a directive last year for water utilities to beef up their defenses but withdrew that rule after several states and industry trade groups sued.

Latest Podcasts