A legendary hacker at the head of the Russian intelligence cyber-military unit?

by time news

Yevgeny Serebriakov, a famous Russian hacker, has been named head of Sandworm, a group of cybercriminals linked to Russian military intelligence and known for its aggressiveness in Ukraine, according to the US magazine Wired.

It is a name that seems to be taken from a science fiction novel by Frank Herbert, author of the saga Dune. But Sandworm is not a fictional monster: it is one of Russia’s most feared hacker groups, representing the main cyber arm of the GRU, Russia’s military intelligence service, according to Washington.

This group of cybercriminals under the command of Moscow has had a face since Wednesday, March 15: Yevgeny Serebriakov is its new boss, according to the website Wired, which claims to have received confirmation from officials of the US intelligence services.

Sandworm, present in Ukraine since 2013

Wired describes the promotion as a meeting between one of the “most reckless” Russian cybercriminals and the most aggressive organization of hackers in Russia. A cocktail that, with the war of invasion in Ukraine as a backdrop, could worry Kiev.

Sandworm was known to Ukrainians long before Yevgeny Serebriakov allegedly took control. “This region seems to be the favorite playground of this group, although we do not know for sure all the operations that it has carried out in the world,” says Benoît Grunemwald, a cybersecurity expert at the Slovak company Eset, which is very present in Ukraine, where he has collaborated with the authorities to counter cyberattacks since the beginning of the war.

This group “appeared on our radar in this region starting in 2013, and has maintained a constant presence there through multiple attacks since then,” summarizes this specialist. At that time, the link between Sandworm and the GRU had not yet been established.

But it was clear that these hackers did not belong to ordinary cybercriminals who act mainly out of financial interest. “The targets chosen were generally of strategic interest to the states,” notes Benoît Grunemwald.

Its main feat in Ukraine, before the Russian offensive launched in 2022, was to cut off electricity in part of Kiev in 2016, thanks to the Industroyer virus, after having paralyzed part of the country’s power plants a year earlier using other malicious software of its own creation.

“This is clearly a specialized cybersabotage group that excels at destroying data or facilities,” says John Fokker, head of threat intelligence at the Trellix Research Center, a US cybersecurity company.

Attack on Macron’s campaign in 2017

Although Sandworm has a proven affinity for Ukraine, the group has also been able to export its knowledge to other territories. It was responsible for the spread of NotPetya, one of the most destructive ransomware attacks in history, in 2017. It cost hundreds of victims around the world more than $1 billion, according to US authorities.

These cybercriminals have also made their mark on the political scene. They participated in the vast Russian operation to destabilize the 2016 US presidential election by stealing documents from Democratic Party servers. A year later, these same Russians were accused of trying to replicate the maneuver during the French elections by attacking the servers of Emmanuel Macron’s campaign team.

In other words, “Sandworm’s specialty is attacks against electrical infrastructures, but the group knows how to adapt to circumstances,” summarizes Benoît Grunemwald. Every time, its operations make noise. That detail quickly led cybersecurity experts to suspect links between Sandworm and the GRU, “an intelligence service known for its coups,” as John Fokker points out. But it wasn’t until 2020 that Washington associated Sandworm with Unit 74455, which is the official name of the GRU’s main cyber-military unit.

A cybercriminal arrested in the Netherlands

The arrival of Yevgeny Serebriakov at the head of a group as aggressive as Sandworm may seem logical. This Russian is, in fact, known for being “technically very gifted” and “likes to take risks,” according to Wired. His main feat is, paradoxically, the operation during which he was arrested, and which failed.

In 2018, Yevgeny Serebriakov was detained by Dutch police in a parking lot in front of the Organization for the Prohibition of Chemical Weapons (OPCW) building in The Hague. He carried with him the trappings of the perfect cyberspy who had come to listen as intently as possible to the discussions about the attempted poisoning of former Russian double agent Sergei Skripal by the GRU, which were taking place in the building at the time.

Yevgeny Serebriakov was arrested along with other Russians and handed over to the Russian authorities soon after. “Not surprisingly, they all had diplomatic passports, so the Netherlands could not, for example, extradite them to the United States, as was suggested at the time. The only thing to do was label them persona non grata in the country and ask the Russians to get them back,” says John Fokker, who was a member of the Dutch Navy’s special forces before becoming a cybersecurity specialist at Trellix.

In 2018, Yevgeny Serebriakov was already working for the GRU, but in a different group, specialized in cyber-espionage and at a lower level. He already had an extensive resume: he had participated in operations on the sidelines of the Rio Olympics and against the World Anti-Doping Agency in 2016, in the midst of the scandal involving Russian athletes.

“So he’s a very experienced agent who, if confirmed, has taken over Sandworm,” acknowledges John Fokker. Wired is not alone in pointing out that Yevgeny Serebriakov has risen through the ranks. Christo Grozev, Russia specialist at the investigative website Bellingcat, made the same deduction… after obtaining the hacker’s phone records. Serebriakov received calls from GRU generals, which “made me realize that he himself must have been appointed to a command post,” Christo Grozev told Wired.

It remains to be seen what impact this appointment may have on the cyberwar in Ukraine. Russian hackers were very active at the beginning of the invasion, but without doing much damage. The arrival of Yevgeny Serebriakov could be a sign that Moscow wants to hit harder. If the appointment is confirmed, “it could indicate that something is afoot,” says John Fokker. Trellix had observed that Sandworm had been quiet in Ukraine for a few months. The calm before the storm?
