The US and UK governments have both accused Russia of launching a cyber attack against the Georgian government last year. The attacks, mounted on 28 October 2019, came from Russia’s notorious GRU military intelligence unit, according to announcements from the US State Department and the UK’s National Cyber Security Centre.
This is a rare statement of attribution from western governments. Both the US and the UK rebuked Russia for its behaviour and pledged their support for Georgia.
In its announcement, the US State Department said:
This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.
Sandworm has been active in Ukraine, reaching power utilities there in 2015 and 2016 in attacks that deprived thousands of electrical power. The hacking group has also been linked to NotPetya, a worm that spread globally in 2017. In his book of the same name, Greenberg tracked this group’s connection to several egregious hacks, including the attack on the Olympic Games in Seoul in 2018, which it tried to blame on North Korea.
The group is also said to be responsible for the 2016 attack on US election infrastructure, and for the theft of emails from the Democratic National Committee (DNC) and their distribution to WikiLeaks. An FBI indictment released as part of the Robert Mueller investigation tied GRU operatives to that attack. Sandworm has also been spotted uploading malicious Android apps to the Google Play Store.
In the book, Greenberg linked all these attacks to Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). He identified Sandworm as GRU Unit 74455, operating from a Moscow suburb.
The UK government backed up the US claims. Its National Cyber Security Centre (NCSC) said that it “assesses with the highest level of probability” (which is 95% or more) that the GRU carried out large-scale disruptive cyberattacks against web hosting companies in Georgia, defacing sites including those belonging to the Georgian government, courts, NGOs, media and businesses. It also disrupted broadcast services in the country, the government said, adding that Georgia is a strategic partner of the US.
Foreign Secretary Dominic Raab added:
The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.
The UK government also identifies Sandworm as BlackEnergy Group (after the 2015 Ukraine electrical system attack), Telebots, and VoodooBear. Alongside the electrical grid and NotPetya attacks, it was also responsible for the BadRabbit ransomware in October 2017, according to the NCSC.
Greenberg added that the US is shining a light on cyber-subterfuge by going public with its claims. He also suggested that it could be an attempt to head off any election shenanigans:
Calling out the Georgian attacks, a US official tells me, is meant to make the rules clearer for the Kremlin: These… twitter.com/i/web/status/1…
—
Andy Greenberg (@a_greenberg) February 20, 2020
It’s important to note that the Sandworm hacking group is a separate thing from the malware of the same name.