In the realm of cybersecurity, few threats loom as large as the notorious Sandworm group, now tracked by Google Cloud’s Mandiant as APT44. With its origins rooted in Russia, this malevolent entity has gained infamy for its involvement in a spectrum of operations, from espionage to disruption and disinformation campaigns.

Sandworm’s arsenal is formidable, characterised by the deployment of highly disruptive malware such as BlackEnergy and Industroyer. Since Russia’s war against Ukraine, the group has intensified its efforts to destabilise the region, employing tactics ranging from wipers to cyber operations intricately timed with conventional military activities.

However, recently, the group’s actions have expanded beyond this scope. On the 17 and 18 January 2024, CyberArmyofRussia_Reborn’s Telegram channel posted videos boasting about their successful manipulation of human-machine interfaces (HMIs) at water utilities in both Poland and the United States. These videos depicted actors interacting haphazardly with the control interfaces of the respective facilities. 

While previously linked to APT28, more commonly known as Fancy Bear, Mandiant’s latest report sets Sandworm apart as a distinct entity, APT44. This reclassification points to the group’s evolving tactics and increasing sophistication in executing cyber-attacks. One of the most alarming facets of APT44’s activities is its utilisation of hacktivist personas, including the Cyber Army of Russia Reborn (CARR), XAKNET, and Solntsepek. These personas serve as fronts for the group’s cyber campaigns and have been implicated in various disruptive incidents targeting critical infrastructure worldwide.

Of particular concern are recent claims made by CARR regarding its ability to manipulate operational technology (OT) assets in the United States and the European Union. In January, videos surfaced purportedly showing the group manipulating HMIs at water utilities in multiple Texan towns and a Polish village’s wastewater utility. One such attack caused a water tower overflow in Muleshoe, Texas, flooding streets with tens of thousands of gallons of water. 

Similarly, in March, a video alleged that the group had infiltrated a hydroelectric power station in France and could manipulate water levels. 

While the veracity of these claims remain unconfirmed, Mandiant’s report suggests that APT44 may have indeed caused disruption to critical infrastructure networks. 

Incidents such as a tank overflowing at a US water facility, reportedly linked to cyber incidents impacting multiple local infrastructure systems, underscore the potential consequences of such attacks on public safety and security. According to Ukrainian reporting, water infrastructure is the fourth most targeted sector that is attacked by Russian cyber hackers, surpassing attacks on Ukrainian state security and border services sectors. 

Meanwhile, the water sector remains the least mature among US critical infrastructure sectors, lacking clear measures and adequate funding for defence. 

Attack scenarios could involve targeting dams or disrupting pumps, which control water movement and disinfection processes. Concerns include the manipulation of pumps to either increase water flow or deploy more chemicals than should be deployed. Sabotage of engineering workstations or human-machine interfaces could result in a loss of control over critical systems.

APT44’s activities extend beyond traditional cyber operations, with the group implicated in supply chain attacks and targeting investigative journalism groups like Bellingcat. 

The emergence of APT44 as a formidable adversary underscores the urgent need for enhanced cybersecurity measures and international collaboration to mitigate the risk posed by such entities. As nations grapple with the implications of cyberattacks on critical infrastructure and national security, proactive measures must be taken to defend against evolving threats in the digital realm.

The increasing vulnerability of US water systems is evident, with Iranian-linked operators breaching six American utilities last year and the North Texas Municipal Water District falling victim to a cyberattack in November.

The question of whether cyber-attacks on vital infrastructure constitutes an attack on a NATO country, triggering Article 5 obligations of collective defence, looms large. As policymakers and security experts grapple with this question, the imperative to fortify cyber defences and deter malicious actors like APT44 grows increasingly urgent. Failure to address these threats comprehensively could have far-reaching implications for global security and stability.