Who is Sandworm?
Individuals in the Russian Sandworm hacking group are believed to be officers of Russian military Unit 74455, part of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, commonly known as the GRU. Sandworm is also tracked as Voodoo Bear. The US Justice Department had previously charged GRU officers, including members of Unit 74455, for their interference in the 2016 US elections. The EU imposed sanctions on the GRU in August 2020 for the 2018 attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. The UK National Cyber Security Centre also assessed “with high confidence” that the GRU had been actively targeting the 2020 Summer Olympics, which were to be held in Tokyo before being postponed due to Covid-19.
The Charges
The US Justice Department charged six members of Russia’s Sandworm hacking group with major cyberattacks spanning the last five years. The group is accused of cyberattacks worldwide, including spearphishing and hack-and-leak operations against the 2017 French presidential election and the attack on the 2018 Winter Olympics in PyeongChang, South Korea. They are also accused of unleashing the “NotPetya” malware in 2017, which spread globally and inflicted immense financial harm, and of launching destructive malware against Ukraine’s power grid in the winters of 2015 and 2016. Finally, the group is charged with targeting government and non-government websites in the country of Georgia in October 2019. Assistant Attorney General for National Security John C. Demers stated in an announcement that the Sandworm members “stand accused of conducting the most disruptive and destructive series of computer attacks ever attributed to a single group.”
Sandworm’s Attack on Ukraine’s Power Grid
In December 2015, just before Christmas, Sandworm launched destructive malware attacks against three Ukrainian regional electricity distribution companies. This plunged roughly 230,000 customers into darkness and cold in the midst of winter for between one and six hours. It was the first confirmed cyberattack to cause a power outage, and the first such attack on the Industrial Control Systems (ICS) of critical civilian infrastructure. Other attacks against ICS have been conducted since, such as the Trojan attack on a European energy company in January this year. As described by Andy Greenberg, a senior writer at Wired magazine, the Sandworm group “took over the mouse movements of the operators in a control room of these facilities and locked them out of the computer. And these poor operators were forced to watch as their own mouse clicked through circuit breakers and turned off the power to a quarter-million Ukrainian civilians. They even bombarded it with fake phone calls just to kind of add another layer of chaos. It was a truly unique and brutal kind of cyberattack.”
The NotPetya Attack
The NotPetya cyberattack is regarded by many as the most damaging and costly cyberattack in history. Sandworm pushed it out to thousands of networks in Ukraine through a poisoned update of the widely used Ukrainian accounting software M.E.Doc, and from there it quickly spread to other companies’ networks around the world. “NotPetya” was initially thought to be ransomware, but this was not the case: the damage it does cannot be undone, even by the hackers themselves, because no working decryption key was ever available. “NotPetya” is a worm targeting Windows-based systems that spreads by combining the EternalBlue SMB exploit with credentials harvested from infected machines, and it can take down an entire network within minutes. The aim of the attack was simply to cause damage and to stop companies in critical sectors from providing services to their customers. Sectors affected included transportation and health, not only in Ukraine but also in places as far away as Pennsylvania. It caused hundreds of millions of dollars in damages to companies such as Merck, the New Jersey pharmaceutical firm, and FedEx. It also struck Maersk, the world’s largest shipping firm, based in Denmark. Greenberg states: “Each one of these companies suffered damages unlike we usually see for any cyberattack. And when you add them all up, the White House estimated that NotPetya cost at least $10 billion.”