UPDATED 14:30 EDT / APRIL 17 2024

SECURITY

Mandiant links Russia’s Sandworm hacking group to water infrastructure breaches

Mandiant today released a report that links Sandworm, a Russian state-backed threat actor, to a series of recent cyberattacks against water utilities.

The Google LLC unit also changed the codename it uses to track the hacking group. Mandiant will refer to Sandworm as APT44 going forward, with APT being an abbreviation of advanced persistent threat. That’s a term commonly used to describe state-backed hacking groups.

Mandiant believes that APT44 is an arm of Russia’s GRU military intelligence agency. “APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade,” Mandiant researchers detailed in a blog post that accompanied today’s report.

One focus of the new report is a hacking group known as Cyber Army of Russia Reborn, or CARR. Mandiant researchers have determined that the group is affiliated with APT44. According to Wired, it’s currently unclear whether CARR is simply a cover for APT44 or operates separately.

In January, CARR published videos purporting to show it had breached two Texas towns’ water infrastructure. The clips depict a hacker manipulating a software control interface connected to a set of water utility systems. Officials in Muleshoe, one of the Texas towns affected by the breach, later confirmed a cyberattack caused a water tank to overflow.

CARR has also targeted utility infrastructure in Europe. In one incident, the hackers appear to have breached a Polish wastewater treatment facility. CARR also claimed to have disrupted energy generation at a hydroelectric dam in France, but local officials later clarified the affected facility was a small watermill. The mill’s operations weren’t harmed by the breach.

Today’s Mandiant report also links APT44 to a number of hacking campaigns related to Russia’s invasion of Ukraine.

According to the Google unit, APT44 has developed a piece of spyware dubbed Infamous Chisel for Russian troops. The malware is designed to infect Android handsets that Ukraine’s military uses for command-and-control activities. In another operation, APT44 set up a website for exfiltrating data from captured smartphones.

Mandiant has also linked the hacking group to a recent software supply chain attack. According to the Google unit, the operation saw APT44 compromise multiple critical infrastructure networks in Eastern Europe and Central Asia. The hacking group subsequently installed wiper, or data deletion, malware on the systems of one of the targeted organizations.

“As Russia’s war continues, we anticipate Ukraine will remain the principal focus of APT44 operations,” Mandiant’s researchers wrote. “However, as history indicates, the group’s readiness to conduct cyber operations in furtherance of the Kremlin’s wider strategic objectives globally is ingrained in its mandate.”
