Russian hackers as Kremlin’s cyberwarfare sandworms – Le Figaro

Recent insights from Mandiant, a subsidiary of Google specializing in cyber threat analysis, reveal that a Russian group of hackers called APT44 (also dubbed Sandworm) has played a pivotal role in orchestrating disruptive and destructive cyber operations against Ukraine over the past decade, executing the Kremlin’s covert agenda. 

Sandworm hackers

Sandworm activity extends beyond Ukraine’s borders, posing a significant threat to foreign states.

This cyber group has been known to target essential infrastructures such as power plants, leading to the decommissioning of computer systems without any demands for ransom—a tactic not commonly seen among cyber attackers, who typically pursue financial gains.

A cybersecurity expert at Wavestone, Gérôme Billois, confirms the group’s capabilities, noting their unique position as state-supported hackers prepared for in-depth, long-term damage. Unlike typical cybercriminals whose motivations are often monetary, APT44’s objectives align with strategic geopolitical disruptions, reflecting a broader, more ominous strategy dictated by the Russian state.

Thomas Heide Clausen, director of the Master’s degree in Cybersecurity at École Polytechnique, further analyzes the group’s atypical behavior, highlighting their deviation from the common financial incentives of cyber threats. This underscores the unique nature of APT44 as a tool of state-sponsored cyber warfare, where the primary aim is not financial but rather geopolitical destabilization.

Decades of hacking operations against Ukraine

The group known as Sandworm, or APT44, appears to have formed shortly before 2010, although it gained significant notoriety during the Russian invasion of Crimea in February and March of 2014. This timeframe marks the earlier stages of Sandworm's activities, indicating their longstanding involvement in cyber operations.

On December 23, 2015, in Ivano-Frankivsk, a city in western Ukraine, Sandworm executed a cyberattack that led to a blackout affecting 230,000 residents. This incident unfolded as an employee of the region’s main electricity supplier noticed unauthorized control of his computer, leading to the shutdown of the city’s electrical systems.

A year later, in 2016, Sandworm carried out a similar attack on Kyiv, the capital of Ukraine. They were able to cut off electricity for several hours for some residents of the city by employing tactics similar to the 2015 blackout.

As of February 2024, there have been 66 reported attacks on Ukrainian electrical infrastructure since the Russian full-scale war began. Jean-Yves Marion, a professor of computer science and cybersecurity researcher, likens these cyberattacks to “throwing a bomb at a power plant,” as they aim to cripple infrastructure efficiently and cost-effectively.

Russian hackers' interference in France and the US

In the realm of international cyber politics, 2016 was a significant year because it featured a high-stakes electoral duel between Hillary Clinton and Donald Trump in the United States.

During this period, members of the Democratic Party became victims of a sophisticated phishing campaign, resulting in the unauthorized disclosure of sensitive campaign documents housed on their servers. Cybersecurity firms quickly traced the digital fingerprints of this destabilization operation back to Russian hackers, pointing to a calculated interference in the United States electoral process.

During the 2017 presidential election, the pattern of interference repeated itself in France. As Emmanuel Macron led the polls, a massive leak of campaign documents surfaced online between the election rounds. 

The most recent incident in this series of cyber disruptions occurred in France in April 2024, targeting a less expected site—a mill in the Marne region. At first, the attack was believed to target the Courlon-sur-Yonne dam, but subsequent analysis uncovered the Courlandon mill, situated more than a hundred kilometers away. This misdirection was initially perceived as a failure. 

However, Thomas Heide Clausen of École Polytechnique speculated that it might have been an accidental outcome, whereas Gérôme Billois suggested it could represent a strategic demonstration of the group’s covert operational capabilities.

Such incidents underscore the persistent threat posed by state-sponsored cyber groups in conducting operations that serve to either retaliate against perceived slights against Russia or to destabilize regimes unfriendly to Russian interests.

The threat posed by Sandworm

The Sandworm group’s series of aggressive cyber activities has not only drawn international condemnation, but has also received significant attention from cyber defense agencies around the world.

Despite the clarity of these incidents, Sandworm's full scope and objectives remain shrouded in mystery. As noted by a professor from the University of Lorraine, the true nature of Sandworm's operations—whether they function like a regular office or as cyber mercenaries—remains elusive.

In October 2020, the FBI intensified its actions against this Russian-linked cyber group by issuing a search warrant for six of its members, underscoring the severity with which U.S. authorities view their operations.

In March 2022, researchers and attorneys from the University of Berkeley Law School took a substantial step by submitting an official request to the prosecutor of the International Criminal Court in The Hague. They called for an examination of war crimes accusations against Russian hackers, particularly for their cyberattacks against Ukraine. 

Within France, the National Agency for the Security of Information Systems (Anssi) keeps a vigilant eye on Sandworm. In 2021, Anssi detailed the group's suspected activities in a report focusing on a campaign targeting Centreon servers, used by prominent French entities like Airbus, RATP, EDF, and the Ministry of Justice.

Sandworm’s persistent threat poses a complex challenge to global cybersecurity, necessitating continuous vigilance and international cooperation to effectively preempt and respond to these cyber threats. Sandworm is a formidable player in the landscape of international cyber warfare because it combines state-backed cyber operations with global event targeting.
