A legendary hacker at the head of the cyber arm of Russian military intelligence

It's a name that sounds like it came out of a science fiction novel by Frank Herbert, author of the Dune saga. But Sandworm – a "sandworm" – is not a fictional monster: it is one of the most feared Russian hacker groups, which represents the main cyber arm of the GRU, the Russian military intelligence service, according to Washington.

This group of cybercriminals under the orders of Moscow has a face since Wednesday, March 15: Yevgeny Serebriakov, would be the new boss, according to the site Wired, which claims to have had confirmation by American intelligence officials.

© FBI

Sandworm, present in Ukraine since 2013

A promotion that Wired calls a meeting between one of the "most reckless Russian cybercriminals and the most aggressive hacker organization in Russia". A cocktail that, against the backdrop of the war of invasion in Ukraine, could be likely to worry Kiev.

Ukrainians knew Sandworm well before the supposed arrival of Yevgeny Serebriakov at its head. "This region appears to be the favorite playground of this group, even if we do not know with certainty all the operations it has carried out in the world," notes Benoît Grunemwald, cybersecurity expert for the Slovak company Eset, very present in Ukraine where it collaborates with the authorities to counter cyberattacks since the beginning of the war.

Read also on France 24: War in Ukraine: "There has never been such a variety of cyber operations in a conflict"

This group "appeared on our radars in this region from 2013, and has maintained a constant presence through multiple attacks since then," summarizes this specialist. At the time, the link between Sandworm and the GRU had not yet been established.

But it was clear that these hackers did not belong to the common cybercriminals who act primarily out of financial interest. "The targets chosen were generally of strategic interest to the states," says Benoît Grunemwald.

Their main feats of arms in Ukraine, before the Russian offensive launched in 2022, were to cut the power in part of Kiev in 2016, thanks to the Industroyer virus, after paralyzing part of the country's power plants – a year earlier, using another malware of their manufacture.

"It's clearly a cyber-sabotage group that excels at destroying data or facilities," said John Fokker, head of threat intelligence at the Trellix research center, a U.S. cybersecurity firm.

Attack on Macron's campaign in 2017

Even if Sandworm has a proven tropism for Ukraine, the group has also been able to export its know-how to other territories. He is also responsible for the 2017 spread of NotPetya, one of the most destructive ransomware in history. The latter has cost more than a billion dollars to hundreds of victims around the world, according to US authorities.

These cybercriminals have also distinguished themselves on the political scene. They participated in the vast Russian operation to destabilize the 2016 US presidential election by stealing documents from the servers of the Democratic Party. A year later, these same Russians were accused of trying to replicate the maneuver during the French election by targeting the servers of Emmanuel Macron's campaign team.

Read also on France 24: The GRU, Putin's not-so-secret weapon

In other words, "Sandworm specializes in attacks against electrical infrastructure, but the group knows how to adapt to circumstances," says Benoît Grunemwald. As long as the operations make noise. It's a detail that quickly led cybersecurity experts to suspect links between Sandworm and the GRU, "an intelligence service known for its stunts," as John Fokker points out. But it was not until 2020 that Washington associated Sandworm with Unit 74455, which is the official name of the GRU's main cyber arm.

Cybercriminal arrested and released in the Netherlands

The arrival of Yevgeny Serebriakov at the head of a very aggressive group like Sandworm may seem logical. This Russian is, indeed, known to be "technically very talented" and to "like to take risks," says Wired. His main feat is, paradoxically, the operation during which he was arrested. And that failed.

In 2018, Yevgeny Serebriakov was arrested by Dutch police in a parking lot in front of the Organisation for the Prohibition of Chemical Weapons (OPCW) building in The Hague. He carries with him the paraphernalia of the perfect cyber-spy who came to listen as closely as possible to the discussions relating to the attempted poisoning by the GRU of the former Russian double agent Sergei Skripal, which were taking place at that time in the premises of this institution.

Arrested along with other Russians, Yevgeny Serebriakov was handed over to Russian authorities shortly after. "It's no wonder, they all had diplomatic passports, so the Netherlands could not, for example, extradite them to the United States, as was suggested at the time. The only thing that could be done is to call them persona non-grata in the country and ask the Russians to get them back," said John Fokker, who was a member of the Dutch Navy's special forces before becoming a cybersecurity specialist at Trellix.

In 2018, Yevgeny Serebriakov was already working for the GRU, but in another group, specialized in cyberespionage and at a lower level. He already had a full resume: he had participated in operations on the sidelines of the Rio Olympics and against the World Anti-Doping Agency in 2016, in the midst of a scandal splashing Russian athletes.

"So he's a very experienced agent who, if confirmed, has taken the helm of Sandworm," Fokker said. Wired is not alone in noting that Yevgeny Serebriakov has risen in rank. Christo Grozev, a Russia specialist for the investigative website Bellingcat, made the same deduction... after obtaining phone records from this hacker. He was getting calls from GRU generals who don't directly call the cyber spy menu, which "made me realize that he himself must have been appointed to a commandery position," Grozev told Wired.

It remains to be seen what impact such an appointment could have on cyberwarfare in Ukraine. Russian hackers were very active at the beginning of the invasion, but without doing significant damage. The arrival of Yevgeny Serebriakov could be a sign that Moscow wants to hit harder. If confirmed, "[it] could indicate that something is afoot," Fokker said. Trellix had noticed that Sandworm had kept a low profile in Ukraine for a few months. The calm before the storm?

The summary of the week France 24 invites you to look back on the news that marked the week

I subscribe

Take international news with you everywhere! Download the France 24 app