Report examines recent activities of Russian cybercriminals from Sandworm
On April 17, 2024, the cybersecurity firm Mandiant, which belongs to Google, published a report on APT44, aka “Sandworm”, a cybercriminal group with ties to Russian intelligence. Since early 2024, the group has reportedly shifted its strategy and now also operates under the names of ultranationalist hacktivist groups.
“APT44 is cultivating hacktivist identities as assets for its information campaigns, [the cybercriminal group] has used at least three hacktivist-type Telegram channels to claim disruptive attacks,” reads the report.
APT44 is allegedly behind the CyberArmyofRussia_Reborn (CARR) Telegram channel, known for its extreme messaging. According to Mandiant, the new strategy aims to “make the GRU’s capabilities seem more powerful through exaggerated claims of its influence.”
Since early 2024, CARR has claimed attacks against water treatment and distribution facilities in the West, including one in France. In January 2024, the cybercriminals managed to make a water tower overflow in Texas and took control of a treatment plant in Poland.
On March 2, 2024, CARR also claimed to have hacked the Courlon-sur-Yonne hydropower station, in the French region of Bourgogne-Franche-Comté. Yet, despite publishing a video clip of wide-open dam valves, the cybercriminals got the target wrong. They actually attacked the Courlandon station, in the Marne department, a small facility that still runs on an old water mill.
The attack’s main effect was a 20-centimeter drop in the water level upstream. The operational consequences, for a station that produces little power, were therefore almost zero.