The Russian state-sponsored hackers known as Sandworm have launched some of the most aggressive and disruptive cyberattacks in history: intrusions that planted malware inside US electric utilities in 2014, operations that triggered blackouts in Ukraine—not once, but twice—and ultimately NotPetya, the most costly cyberattack ever. But according to Google, several of Sandworm's quieter operations have gone unnoticed in recent years.
At the CyberwarCon conference in Arlington, Virginia today, Google security researchers Neel Mehta and Billy Leonard described a series of new details about Sandworm's activities since 2017 that ranged from its role in targeting the French election to its attempt to disrupt the last Winter Olympics to—perhaps the most unlikely new example of Sandworm's tactics—attempting to infect large numbers of Android phones with rogue apps. They even tried to compromise Android developers, in an attempt to taint their legitimate apps with malware.
The Google researchers say they wanted to call attention to the overlooked operations of Sandworm, a group that they argue hasn't gotten as much mainstream attention as the linked Russian hacking group known as APT28 or Fancy Bear, despite the enormous scale of Sandworm's damage in attacks like NotPetya and earlier operations in Ukraine. (Both APT28 and Sandworm are widely believed to be part of Russia's military intelligence agency, the GRU.) "Sandworm has been just as effective for a long period of time, and caused significant damage on the CNA front," Leonard told WIRED ahead of his CyberwarCon talk. CNA refers to a computer network attack, the sort ..