Treasury sanctions Russian hackers that breached US water utilities

The Russian hacktivists have been linked to the state-backed Sandworm group.
The Russian flag flies at the embassy's compound in Washington, DC, on April 15, 2021. (Photo by MANDEL NGAN/AFP via Getty Images)

The leaders of a Russian nationalist hacktivist group were sanctioned by the U.S. Treasury Department on Friday over a January incident that caused overflowing water storage tanks in multiple counties in Texas.

Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko are the leader and “primary hacker,” respectively, of the Cyber Army of Russia Reborn (CARR), according to the Treasury Department. The hacktivist group is known for exaggerated claims and unsophisticated cyberattacks against critical infrastructure in the U.S. and Europe, but they have been linked to the Russian Main Intelligence Directorate military unit dubbed by Mandiant as “Sandworm,” which is best known for successfully hacking into Ukraine’s grid and the hack on the 2018 Winter Olympics.

Brian Nelson, under secretary of the treasury for terrorism and financial intelligence, said in a statement that the targeting of U.S. critical infrastructure by CARR and its members represents “an unacceptable threat to our citizens and our communities, with potentially dangerous consequences.” 

“The United States has and will continue to take action, using our full range of tools, to hold accountable these and other individuals for their malicious cyber activities,” Nelson added.

In January, CARR claimed responsibility for manipulating the controls of a water overflow tank in Muleshoe, Texas by posting a video on Telegram that supposedly showed the attack occurring. Officials in nearby towns Abernathy and Hale Center also said they were hit. While the attack did not impact services, the relative ease with which the hacktivist group manipulated controls — ultimately spilling tens of thousands of gallons of water — still bodes ill for other critical networks that can be accessed online.

However, the group’s links to Sandworm are still unclear. Mandiant noted in an April report that the hacktivists may be informing the Russian military unit of their actions or they may be taking directions. A YouTube channel created by the group has been linked to an IP used by Sandworm, according to the cyber firm.

“Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” the Treasury release noted.

The Treasury Department alleges that Pankratova controlled the gang’s actions and acted as a spokesperson. In an interview with Wired, a spokesperson for CARR who called themselves “Julia” boasted of the water overflows as a way to send a message, though it’s not clear if Pankratova is the same individual.

Degtyarenko, who also goes by Dena, according to the announcement, was behind the compromise of another unnamed U.S. energy company, according to the Treasury. The agency also said Dena was known to be developing training materials in May that were intended to compromise SCADA systems, leaving open the possibility to distribute those materials to “external groups.”

Sanctions have become a common reflex from the Biden administration following hacks on critical infrastructure. The Treasury Department in November sanctioned the CyberAv3ngers, a fake hacktivist persona run by the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command, for defacing several programmable logic controllers made by an Israeli manufacturer that were located in water facilities in Pennsylvania. The defacement was part of long-running operations between Iran and Israel and did not disrupt services.

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com