NSA Report Attributing Malware to Russian Hacking Group Sandworm Signals That the Group Is Still Active

The National Security Agency (NSA) last week accused Sandworm Team, a Russian military hacking group, of ongoing efforts to target email servers around the world. The NSA’s attribution signals that Sandworm, which has a long history of targeting industrial control systems, continues to pose a significant threat to U.S. critical infrastructure.

The Sandworm hacking group is part of the Russian General Staff’s Main Intelligence Directorate, or GRU. The NSA’s technical advisory states that since at least August 2019, Sandworm has been deploying a malware program designed to target and exploit a vulnerability in Exim mail transfer agent software, which is widely used in Unix and Linux operating systems. After the malware is successfully exploited, the infected machine downloads and executes a script from a Sandworm-controlled domain, attempting to add privileged users, disable network security settings, enable remote access, and perform additional scripts that enable further exploitation. This process would create a backdoor for hackers to run their computer code and execute commands while bypassing most, if not all, relevant security protocols.

Sandworm could potentially exploit this vulnerability to sabotage U.S. critical infrastructure by targeting its industrial control systems – the machines, software, and associated networks used to provide critical infrastructure services. While the security patches for this vulnerability have been available for over a year, industrial control systems are often viewed as too difficult or too important to take offline to properly patch. As a result, U.S. energy, telecommunications, transportation, and other critical infrastructure may still be vulnerable to Sandworm’s malware.

This vulnerability is particularly troubling given Sandworm’s long history of targeting the United States and its allies, including industrial control systems in the U.S. and Ukrainian energy sectors. Active since at least 2009, Sandworm has executed the most disruptive and destructive cyber campaigns ever attributed to a state-sponsored hacking group.

In 2015 and 2016, for example, Sandworm conducted multiple blackout-inducing cyberattacks against Ukraine’s energy grid, part of Russia’s broader efforts to destabilize Ukraine and prevent its realignment with the West. In 2017, Sandworm targeted Ukraine’s government and financial and energy sectors with malware known as NotPetya, which quickly spread around the world, causing over $10 billion in damages and productivity losses.

But Sandworm’s operations go far beyond Ukraine. Between 2011 and 2014, Sandworm conducted a protracted cyber campaign that succeeded in gaining access to some U.S. industrial control systems, according to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team. In 2018, a Sandworm operation using malware known as Olympic Destroyer temporarily crippled the digital systems supporting the PyeongChang Winter Olympic Games – an apparent retaliation for Russia’s earlier suspension from the Olympics over its organized doping program.

While the United States has previously attributed and condemned Sandworm’s actions, Washington must do more to hinder this continued campaign of cyber aggression. As the congressionally charted Cyberspace Solarium Commission recommended in its March report, the United States should establish and fund a National Cybersecurity Certification and Labeling Authority aimed at enhancing the security of industrial control systems. In addition, Washington should increase the funding and support it provides to Ukraine for cybersecurity and response capabilities, which would effectively remove one of the most significant testing grounds for Russian cyber operations.

Furthermore, Washington should explore additional sanctions against Russia to reinforce U.S. efforts to hold Moscow to account and deter cyberattacks against critical infrastructure. Finally, Washington should call for an international agreement prohibiting cyber operations targeting industrial control systems, in line with similar international accords that prohibit conventional attacks on non-military targets. If respected, such an agreement would significantly curtail Russia’s aggressive cyber operations and bolster U.S. national security.

Trevor Logan is a cyber research analyst at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). For more analysis from Trevor and CCTI, please subscribe HERE. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.