
Cyberwar — Russia

Russia

Unit 74455 seems to be a cybermilitary unit of the GRU, Russia's military intelligence. Western cybersecurity analysts refer to it as Sandworm, Telebots, Voodoo Bear, and Iron Viking. The organization is believed to have been behind the 2015 Ukraine power grid attack, 2017 attacks on Ukraine with the Petya ransomware and system wiper, interference in the 2017 French presidential election, an attack on the 2018 Winter Olympics, and attacks on the Parliament of Georgia.

March 2020 — Booz Allen Hamilton analyzed 15 years' worth (2004-2019) of public documentation on activity by the GRU, Russia's military intelligence agency. Their report, Bearing Witness, is quite detailed, with 512 footnotes. Many organizations have analyzed the technology of the over 200 espionage, disruption, and disinformation incidents and campaigns. BAH was working on the psychology, the idea being that technical analysis tells us what has happened, while the psychology might provide some hints of what may happen in the future.

January 14 2014 — Kaspersky Lab reported that the Red October campaign had infiltrated computer networks over the past five years at diplomatic, government, and scientific research organizations. It can steal data not only from the traditional target of workstations but also from mobile devices including smartphones, Cisco enterprise network equipment, USB devices (including recovering and stealing their deleted files), and internal servers. The attacks are under the control of central C&C servers and are carefully customized for each victim. Kaspersky reported that its exploits were written by Chinese hackers while some modules were created by Russian speakers; the C&C server domains were registered by identities using *.ru email addresses. The target organizations are mostly in Eastern Europe, the former USSR, and central Asia, but are also in Western Europe and North America. Targets include Tibetan activists and Asian military and energy sector targets. However, Kaspersky saw no evidence linking this to a nation-state sponsored attack. The information would be valuable to a nation-state but might be traded in the underground and sold to the highest bidder.

In December of the same year the security firm Blue Coat reported what they called The Inception Framework, a sophisticated cyber espionage system directed at companies and other organizations operating in Russia. The companies are from Russia itself, Romania, Venezuela, and Mozambique. Embassies and other diplomatic offices in Romania, Paraguay, and Turkey have also been hit. Kaspersky Lab says that this is a variant of the Red October APT, and named it after a more recent movie, Cloud Atlas.

Russian–Ukrainian cyberwarfare, 2013–present
December 2015 Ukraine power grid hack
2017 Petya Ukraine ransomware attacks

March-May 2014 — BAE Systems reported on a large-scale cyber espionage campaign by Russia targeting systems around the world, predominantly Ukrainian government systems at first and then including NATO systems. In May the Atlantic Council reported "Russian Cyber Campaign Continues to Penetrate NATO Ministries".

July 2014 — Sentinel Labs reported and issued a more detailed analysis on what they named "Gyges", an advanced persistent threat that appeared to come from Russia and target government organizations. They had spotted it back in March. As they said, "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime." They believe "it was used as a 'bus' or 'carrier' for much more sophisticated attacks such as government data exfiltration. So we started digging, and eventually recovered government traces inside the 'carrier' code, which we later connected to previous targeted attacks that used the same characteristics. At this point it became clear that the 'carrier' code was originally developed as part of an espionage campaign." It exfiltrated its data by an SSL connection to a C&C (command and control) server in Russia, part of IP block 5.149.208.0/24. That was part of the SevStar Network AS35816, Lancom Ltd., Sevastopol, Russia.

November 2014 — Recorded Future reported on Russian governmental cyber-espionage against companies involved in industrial control systems, pharmaceuticals, defense, aviation, and petroleum. They identified Uroburos, Energetic Bear, and APT28 as three main advanced malware families being used by Russia for espionage. They are used in a coordinated fashion — while all three are used aggressively, you seldom find more than one on a target system.

Uroburos was named by G Data, Kaspersky calls it Epic Turla, and BAE Systems calls it Snake and SnakeNet. It has been around since 2008 and targets governments, embassies, the defence and pharmaceutical industries, and research and education. Kaspersky has analyzed a Linux backdoor component.

Energetic Bear was named by CrowdStrike, Kaspersky calls it Crouching Yeti, iSIGHT Partners calls it Koala Team, and Symantec calls it Dragonfly. It targets aviation, defense, energy, industrial control systems and petroleum pipelines.

APT28 was named by FireEye/Mandiant, iSIGHT Partners calls it Tsar Team, ESET calls it Sednit, CrowdStrike calls it Fancy Bear, Trend Micro calls it Operation Pawn Storm, and others call it Sofacy and STRONTIUM. It targets NATO and Eastern European governments and military agencies, the defense industry, and "Russian adversaries" as the report puts it.

FireEye/Mandiant also named APT29 and its backdoor component HAMMERTOSS. They suspect that it is sponsored by the Russian government.

January 2015 — A group calling itself "CyberCaliphate", posing as associated with ISIS, hacked the French television broadcaster TV5 Monde. The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported this, attributing it to an article on channelregister.co.uk.

June–July 2016 — A group posing as a hacker calling himself "Guccifer 2.0" claimed in early 2016 to have broken into Hillary Clinton's private e-mail server, and in June 2016 claimed to have broken into the Democratic National Committee's computer network. The messages claimed that Guccifer was Romanian, but several analysts pointed to inconsistencies within the writing, saying that it appeared to be from multiple people, some of them Russian.

CrowdStrike's analysis is that Fancy Bear is affiliated with the GRU, Главное Разведывательное Управление or Main Intelligence Department, the primary military intelligence service, while Cozy Bear is affiliated with FSB, Федеральная Служба Безопасности, the foreign intelligence service formerly known as KGB.

On 22 July 2016 WikiLeaks published 20,000 Democratic National Committee emails. Analysis immediately pointed to Russian involvement, an attempt by Russia to influence the coming U.S. election and make Donald Trump the U.S. President. The intrusions were further operations of Fancy Bear (see above) and another known Russian operation called Cozy Bear. It wasn't collaboration: both groups independently broke into DNC systems and stole the same data. The intrusions had been happening since the summer of 2015, and both were expelled from the system on 11-12 June. The emails were released at the end of the week before the Democratic National Convention.

13 August 2016 — A group calling itself the ShadowBrokers dumped an archive onto PasteBin containing what seemed to be NSA exploits used to attack systems from Cisco, Fortinet, and others. Securelist showed how an unusual implementation of RC5 and RC6 links that archive to the Equation Group (see more on that group below). According to a Reuters story, NSA believes that an employee or contractor left them on a publicly exposed computer. Investigators were assuming that the Shadow Brokers were affiliated with the Russian government.

30 September 2016 — Newsweek magazine published a story reporting on Donald Trump's violation of the U.S. trade embargo against Cuba. The magazine's web site was then hit with a DDoS attack linked to Russia. See the stories in the Talking Points Memo and in Dark Reading.

October 2016 — The U.S. Office of the Director of National Intelligence and the Department of Homeland Security announced that they were confident that the Russian government was behind intrusions into "U.S. political organizations", a reference to breaches at the Democratic National Committee and the Democratic Congressional Campaign Committee.

"U.S. government officially accuses Russia of hacking campaign to interfere with elections"
Washington Post, October 7 2016

At the Wall Street Journal CEO Summit on 15 Nov 2016, Admiral Mike Rogers, the director of the National Security Agency, said: "There shouldn't be any doubt in anybody's mind. This was not something that was done casually. This was not something done by chance. This was not a target that was selected purely arbitrarily. [...] This was a conscious effort by a nation-state to attempt to achieve a specific effect." See reports in The Hill, The Washington Post, and The Wall Street Journal.

December 2016 — The Washington Post published a story about CrowdStrike's analysis of the link between the malware used in the DNC intrusion and that used to track an Android phone app used by the Ukrainian army during its fight against pro-Russian separatists in eastern Ukraine in 2014-2016.

CrowdStrike determined that the attackers were the group that they had initially called "Fancy Bear", which turned out to be the GRU, Russian military intelligence. The FBI is reported to have privately concluded that the GRU was behind the DNC hack, but to have said nothing publicly.

Russian interference in 2016 U.S. Presidential election

The U.S. intelligence community and the Department of Homeland Security concluded that Russian civilian and military intelligence services had attacked and penetrated U.S. government and private sector entities. They broke into Democratic National Committee servers in 2015 and 2016, and published stolen data on the Internet. Details from these documents dominated news coverage for several days immediately before the November 8th election, which Hillary Clinton appeared to be leading by a wide margin until the final week. U.S. intelligence and DHS labeled the activity as GRIZZLY STEPPE. On 29 December, President Obama announced sanctions against Russia. President-Elect Donald Trump, the beneficiary of the Russian hacking, first tried to dismiss and later downplayed the reports.

August 2017 — News stories were reporting on automated "bots" affecting opinion through blogs, Twitter, and Facebook, refining techniques for the 2018 U.S. elections.

Russian GPS Spoofing

In 2017 we started seeing reports of GPS spoofing by Russia in central Moscow and in the Black Sea. The U.S. Department of Transportation issued a global maritime advisory.
New Scientist, USA Today, CNN, Wired UK

July 2018 — USA Today reported that Russia had been meddling in 27 countries in Europe and North America since 2004. The actions ranged from active cyberattacks to disinformation.

Attempted Russian interference in 2018 U.S. mid-term election

Several media outlets along with the U.S. Department of Defense itself reported that the U.S. Cyber Command disrupted the activities of a Russian "troll factory" on the day of the 2018 U.S. mid-term election.

2022 Russian Invasion of Ukraine

2022 Russian Invasion of Ukraine, 2022 Ukraine cyberattacks

Russia had been attacking Ukrainian infrastructure at least since 2015. The targets were largely electrical power generation and distribution, but also transportation, banks, and other targets.

When Russia invaded Ukraine in late February 2022, the biggest surprise for many was the lack of overt cyberattacks. There were some, like the attack on the Viasat KA-SAT network used by Ukrainian armed forces, police, and intelligence service. As a side-effect, the Viasat attack took out control of a large number of German wind generators.

Then multiple destructive attacks from Russia hit Ukrainian targets on February 23 and 24, just before the invasion started, including WhisperGate, HermeticWizard, IsaacWiper, and CaddyWiper.

It seems that the U.S. had been quietly disabling enormous Russian botnets before the invasion.

U.S. F.B.I. announcement, U.S. Department of Justice announcement

The New York Times reported on the story, and Brian Krebs provided links to more technical details.

The New York Times published a long interactive article on 16 December 2022. It says, "Russia not only botched the attack by land and air, but also put too much faith in another wing of its vaunted arsenal: hacking."

States including Russia had been using hacking for espionage, financial crimes, subversion, and sabotage for years. Sandworm, also known as Unit 74455, is a cybermilitary unit of the GRU, Russia's military intelligence organization.



Sandworm is believed to have been behind the December 2015 attacks on Ukrainian electrical infrastructure, the 2017 attacks with the NotPetya malware, and others. "But nobody really knew how it would play out in a full-scale military conflict." Approaching the first anniversary of Russia's invasion, hacking had not yet been an effective Russian weapon.

How Putin's War in Ukraine Became a Catastrophe for Russia

In May 2021, the Kaspersky security firm released a new report about a hacking group "Red Stinger" using the "CloudWizard" APT to carry out espionage attacks against both sides in the conflict — against pro-Russia targets in eastern Ukraine and against pro-Ukraine targets in central Ukraine. Security firms ESET and CyberX had discovered similar infrastructure and malware in 2016 and 2017.

Kaspersky's 19 May 2023 report, ESET 2016 "Groundbait" report, CyberX 2017 "Operation BugDrop" report, Wired story