The U.S. government has stepped up its hunt for six Russian intelligence officers, best known as the state-backed hacking group dubbed “Sandworm,” by offering a $10 million bounty for information that identifies or locates its members.
The Sandworm hackers — who work for a division of Russia’s GRU, the country’s military intelligence division — are known for launching damaging and destructive cyberattacks against critical infrastructure, including food supplies and the energy sector.
Sandworm may be best known for the NotPetya ransomware attack in 2017, which primarily hit computer systems in Ukraine and disrupted the country’s power grid, leaving hundreds of thousands of residents without electricity during the depths of winter. In 2020, U.S. prosecutors indicted the same six Sandworm hackers, who are believed to still be in Russia, for the NotPetya attack, for several other attacks that targeted the 2018 PyeongChang Winter Olympics in South Korea, and for running a hack-and-leak operation to discredit France’s then-presidential frontrunner Emmanuel Macron.
In a statement this week, the U.S. State Department said the NotPetya attack spilled outside of Ukraine across the wider internet, resulting in close to $1 billion in losses to the U.S. private sector, including medical facilities and hospitals.
The timing of the bounty comes as U.S. officials warn that Russia-backed hackers, including Sandworm, could be preparing damaging cyberattacks that target businesses and organizations in the United States following Russia’s invasion of Ukraine.
Since the start of the invasion in February, security researchers have attributed several cyberattacks to Sandworm, including the use of “wiper” malware to degrade Viasat’s satellite network, on which the Ukrainian military heavily relies. Ukraine’s government said earlier this month it had disrupted another Sandworm attempt to target a Ukrainian energy provider using malware the group repurposed from cyberattacks it launched against Ukraine in 2016.
The FBI also said this month that it conducted an operation to disrupt a massive botnet that infected thousands of compromised routers, including many located in the U.S., by locking the Sandworm hackers out of about half of the botnet’s command and control servers.
Sandworm is also blamed for several other destructive cyberattacks in Ukraine, according to new research from Microsoft, as part of the group’s efforts to support Russian military objectives by degrading Ukraine’s economy.
Microsoft said that Sandworm, which it calls “Iridium” as part of its metal-themed convention for naming cyber adversaries, also launched a destructive attack on the network of a transportation and logistics provider in Western Ukraine. The company said the attack may have been intended to hamper Ukraine’s efforts to move the bulk of the military equipment and humanitarian assistance entering the country to conflict zones in its east.
The technology giant also warned that Sandworm, along with Fancy Bear, another GRU hacking unit, continues to pursue companies that support the communications sector and an unnamed “major” internet provider. Microsoft did not say which internet provider but warned that the activity was detected as recently as this month. The Ukrainian government said last month it had “neutralized” a cyberattack targeting the IT infrastructure of Ukrtelecom, the country’s largest internet provider.
Tom Burt, Microsoft’s consumer security chief, said the company has observed close to 40 destructive attacks directly targeting critical infrastructure, with about 40% of those attacks “aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and people.”
Not all of the attacks were successful. In one case, Microsoft said it found evidence that Sandworm was setting the stage for a file-encrypting attack on an agriculture firm, likely intended to disrupt its grain production, of which Ukraine is a major global exporter.
Sandworm and Fancy Bear are two of six separate Russian state-run hacking groups targeting Ukraine in more than 237 operations since just before the invasion, Burt said.
“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services, and have attempted to shake confidence in the country’s leadership,” said Burt. “We have also observed limited espionage attack activity involving other NATO member states, and some disinformation activity.”