18 April 2024

Russian military hackers targeted US water utilities and hydroelectric facilities in Europe

The group of hackers known as "CyberArmyofRussia_Reborn," associated with Russian intelligence, has in recent months targeted a hydroelectric power station in France and water supply facilities in the United States and Poland, according to a new extensive report from cybersecurity firm Mandiant.

This marks the first time hackers linked to Russian military intelligence (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, GRU) have posed a direct threat to critical infrastructure in Western countries.

While the majority of the attack-and-leak activity that Mandiant has tracked from the GRU-associated Telegram personas has centered on Ukrainian entities, CyberArmyofRussia_Reborn’s claimed intrusion activity has not been so limited.

Since the beginning of the year, “CyberArmyofRussia_Reborn,” a hacktivist collective affiliated with the state-backed military hacker group Sandworm, which Mandiant now tracks as APT44, has claimed responsibility at least three times for hacking operations directed against American and European water supply and hydroenergy enterprises—the dams of the Courlon-sur-Yonne hydroelectric power station in France, several water supply enterprises in Texas (USA), and a wastewater treatment plant in Poland.

After each hack, the attackers posted videos on Telegram showing them changing software settings in an attempt to disrupt the operation of the facilities. The attack on the water supply system in the Texas town of Muleshoe resulted in the release of tens of thousands of gallons of water from the local water tower, The Washington Post reported.

Between January 17 and 18, 2024, the group’s Telegram channel released videos claiming responsibility for tampering with human machine interfaces (HMI) controlling operational technology (OT) assets in water utilities in Poland and the United States. Subsequently, on March 2, 2024, another video was posted by the group, claiming their involvement in disrupting electricity generation at a hydroelectric facility in France by manipulating water levels.

The videos show individuals seemingly interacting with the interfaces governing the OT assets of the respective water or hydroelectric facilities. Mandiant said it was not able to independently verify the claimed intrusions or their connection to APT44.

Earlier this week, researchers at the Finnish security company WithSecure (formerly F-Secure Business) said they had discovered a new backdoor, dubbed ‘Kapeka,’ which they linked to Sandworm. The tool has been used in attacks against Eastern European targets since at least mid-2022.
