18 April 2024

Russian military hackers targeted US water utilities and hydroelectric facilities in Europe

The group of hackers known as "CyberArmyofRussia_Reborn," associated with Russian intelligence, has in recent months targeted a hydroelectric power station in France and water supply facilities in the United States and Poland, according to a new extensive report from cybersecurity firm Mandiant.

This marks the first time that hackers linked to Russian military intelligence (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, GRU) have posed a direct threat to critical infrastructure in Western countries.

While the majority of the attack-and-leak activity that Mandiant has tracked from the GRU-associated Telegram personas has centered on Ukrainian entities, CyberArmyofRussia_Reborn’s claimed intrusion activity has not been so limited.

Since the beginning of the year, "CyberArmyofRussia_Reborn," a hacktivist collective affiliated with the state-backed military hacker group Sandworm, which Mandiant now tracks as APT44, has claimed responsibility at least three times for hacking operations directed against American and European water supply and hydropower enterprises: the dams of the Courlon-sur-Yonne hydroelectric power station in France, several water supply enterprises in Texas (USA), and a wastewater treatment plant in Poland.

After each hack, the attackers posted videos on Telegram showing them changing software settings in an attempt to disrupt the operation of the facilities. The attack on the water supply system in the Texas town of Muleshoe resulted in the release of tens of thousands of gallons of water from the local water tower, The Washington Post reported.

Between January 17 and 18, 2024, the group's Telegram channel released videos claiming responsibility for tampering with human-machine interfaces (HMIs) that control operational technology (OT) assets at water utilities in Poland and the United States. Subsequently, on March 2, 2024, the group posted another video claiming involvement in disrupting electricity generation at a hydroelectric facility in France by manipulating water levels.

The videos show individuals seemingly interacting with the interfaces governing the OT assets of the respective water or hydroelectric facilities. Mandiant said it was not able to independently verify the claimed intrusions or their connection to APT44.

Earlier this week, researchers at the Finnish security company WithSecure (formerly F-Secure Business) said they had discovered a new backdoor, dubbed "Kapeka," which they linked to Sandworm. The tool has been used in attacks against Eastern European targets since at least mid-2022.
