A Texas water facility hack, initially disclosed by city officials in Muleshoe in January, may be linked to Russian state-sponsored hackers, according to a new report by Google-owned Mandiant. The security researchers identified the group behind the attack as Sandworm, also known as APT44, which is believed to operate under Russia’s military intelligence.
The incident involved an overflow of a water tank after hackers gained control of the facility’s computer systems. A group called CyberArmyofRussia_Reborn claimed responsibility for this and similar hacks in another Texas town, Abernathy, and in Poland. They publicized their actions through a video on their Telegram channel, showcasing their access.
Mandiant’s investigation revealed that CyberArmyofRussia_Reborn had used internet infrastructure previously linked to Sandworm. Additionally, the group had shared data stolen in other Sandworm operations and made premature claims about attacks that Sandworm later executed. This evidence led Mandiant and Google’s security team to suggest that Sandworm might have created and could be controlling CyberArmyofRussia_Reborn.
While it is unclear whether Sandworm directly orchestrated the Texas attack, Mandiant highlighted the degree of autonomy that CyberArmyofRussia_Reborn might possess. The incident reflects the broader risk that foreign cyberattacks pose to U.S. critical infrastructure, which, according to U.S. government warnings, has previously been targeted by Iranian and Chinese hackers.
Mandiant warned that Sandworm, primarily targeting Ukraine with malware attacks, could potentially expand its disruptive cyber activities to other nations due to shifting political dynamics and regional tensions.