Mandiant uncovers Russian hack tied to Texas water plant incident

April 18, 2024

TLDR:

  • Mandiant researchers link Sandworm hacking unit to recent attacks on critical infrastructure, including a Texas water facility.
  • The hacking unit is suspected to be controlling the CyberArmyofRussia_Reborn group, which claimed responsibility for the attack on the water tanks in Muleshoe, Texas.

Researchers from Google-owned Mandiant have concluded that the notorious Russian military intelligence hacking operation known as Sandworm is likely responsible for recent attacks on water utilities in the United States, Poland, and France. The group has been linked to a string of online personas claiming to have carried out these attacks, including Xaknet, Cyber Army of Russia Reborn, and Solntsepek.

The CyberArmyofRussia_Reborn group, believed to be controlled by Sandworm, claimed the Texas intrusion by posting a video on Telegram showing the facility's pumps being switched on to overflow a water tank. While the exact membership of the group is unknown, researchers have observed links between Sandworm and CyberArmyofRussia_Reborn, indicating a coordinated effort rather than an independent hacktivist operation.

This marks a notable escalation in Russia's attacks on U.S. critical infrastructure, as Sandworm had not previously carried out disruptive attacks on U.S. soil. Mandiant has now graduated Sandworm to its own advanced persistent threat designation, APT44, and describes it as a highly capable and dangerous state-backed group engaged in espionage, influence and disruptive cyber operations.

APT44, believed to operate as Unit 74455 of the Main Intelligence Directorate (GRU) of the Russian Armed Forces' General Staff, primarily targets government, defense, transportation, energy, media, and civil society organizations. The group has also targeted Western electoral systems and institutions, including those in NATO member countries, and has previously disrupted electricity distribution in Ukraine.

The White House has been emphasizing the need for improved cybersecurity defenses in the water sector, which has been facing challenges in making adequate investments. Despite efforts to enforce stricter cybersecurity rules, the sector continues to be vulnerable to cyber threats and attacks.
