
US offering bounty for Sandworm hacking group

The US government is offering a $10-million bounty for information that identifies or locates members of the state-backed hacking group dubbed “Sandworm”.

Reporter
Thu, 28 Apr 2022

The Sandworm hackers who work for a division of Russia’s GRU, the country’s military intelligence division, are known for launching damaging and destructive cyber attacks against critical infrastructure, including food supplies and the energy sector.

Sandworm may be best known for the NotPetya ransomware attack in 2017, which primarily hit computer systems in Ukraine and disrupted the country's power grid, leaving hundreds of thousands of residents without electricity during the depths of winter. In 2020, US prosecutors indicted six Sandworm hackers, who are believed to still be in Russia, for the NotPetya attack, as well as for several other attacks that targeted the 2018 PyeongChang Winter Olympics in South Korea and for running a hack-and-leak operation to discredit France's then-presidential frontrunner Emmanuel Macron.

In a statement, the US State Department revealed that the NotPetya attack spilled outside of Ukraine across the wider internet, resulting in close to $1 billion in losses to the US private sector, including medical facilities and hospitals.

The timing of the bounty comes as US officials warn that Russia-backed hackers, including Sandworm, could be preparing damaging cyber attacks that target businesses and organisations in the United States following Russia's invasion of Ukraine.

Since the start of the invasion in February, security researchers have attributed several cyber attacks to Sandworm, including the use of wiper malware to degrade Viasat's satellite network, which the Ukrainian military heavily relies on. According to the Ukrainian government, it disrupted another Sandworm attempt earlier this month to target a Ukrainian energy provider using malware repurposed from the group's cyber attacks against Ukraine in 2016.

The FBI added that it had conducted an operation to disrupt a massive botnet made up of thousands of compromised routers, including many located in the US, by locking the Sandworm hackers out of about half of the botnet's command and control servers.

Sandworm is also blamed for several other destructive cyber attacks in Ukraine, according to new research from Microsoft, as part of the group's efforts to support Russian military objectives by degrading Ukraine's economy.

According to Microsoft, Sandworm, which it calls Iridium as part of its metal-themed convention for naming cyber adversaries, also launched a destructive attack on the network of a transportation and logistics provider in western Ukraine, which the company said may have been intended to hamper Ukraine's efforts to move the bulk of the military equipment and humanitarian assistance entering the country to the conflict zones in the country's east.

The technology giant also warned that Sandworm and another GRU hacking unit, named Fancy Bear, continue to pursue companies that support the communications sector, including an unnamed major internet provider. Microsoft did not reveal which internet provider, but warned that the activity was detected as recently as this month. Last month, the Ukrainian government claimed it had neutralised a cyber attack targeting the IT infrastructure of Ukrtelecom, the country's largest internet provider.

According to Tom Burt, Microsoft's customer security chief, the company has observed close to 40 destructive attacks directly targeting critical infrastructure, with about 40 per cent of those attacks aimed at organisations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and people.

Not all of the attacks were successful. In one case, Microsoft stated it found evidence that Sandworm was setting the stage for a file-encrypting attack on an agriculture firm, likely to disrupt its grain production and supply, of which Ukraine is a major global exporter.

Burt added that Sandworm and Fancy Bear are two of six separate Russian state-run hacking groups targeting Ukraine in more than 237 operations since just before the invasion.

The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services and have attempted to shake confidence in the country’s leadership.

"We have also observed limited espionage attack activity involving other NATO member states, and some disinformation activity," Burt said.
