Illustration by Security Management

United States, Britain Link Russian GRU Unit to Sandworm

For the first time, the United States linked a Russian military unit to the hacking group known as Sandworm, which is said to be responsible for some of the most significant cyberattacks around the globe over the past 10 years.

U.S. Secretary of State Mike Pompeo released a statement saying Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies, also known as GTsST, Unit 74455, and Sandworm, carried out a cyberattack against the country of Georgia on 28 October 2019.

“The incident, which directly affected the Georgian population, disrupted operations of several thousand Georgian government and privately-run websites and interrupted the broadcast of at least two major television stations,” Pompeo said. “This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.”

Other nations, including the United Kingdom, also joined the United States in attributing the attacks on Georgia to Russia.

“The GRU’s reckless and brazen campaign of cyberattacks against Georgia, a sovereign and independent nation, is totally unacceptable,” said U.K. Foreign Secretary Dominic Raab in a statement. “The Russian government has a clear choice: continue this aggressive pattern of behavior against other countries, or become a responsible partner which respects international law.”

The cyberattack against Georgia hit more than 2,000 websites and the country’s national television station. The BBC reported that in many instances, website home pages were altered to display an image of former President Mikheil Saakashvili with the caption “I’ll be back.” Saakashvili relinquished his Georgian citizenship and is wanted on criminal charges.

The Russian unit GTsST has also been linked to the NotPetya worm that caused billions of dollars of damage in Ukraine and the Olympic Destroyer malware that targeted the 2018 Winter Olympics, according to WIRED.

“This just continues the pattern of fairly reckless GRU cyberoperations that, from our understanding, are intended to sow division, create insecurity, and undermine democratic institutions,” said a senior U.S. official who spoke to WIRED under condition of anonymity. “Failing to call out such activity when it’s observed and attributed risks creating a norm of inaction, a systemic risk of not acknowledging to the world that these types of behaviors are unacceptable.”

The State Department’s decision to call out Russia’s actions is being seen as an attempt to deter it from interfering in the U.S. 2020 presidential elections.

“The accusation, issued by Secretary of State Mike Pompeo, was particularly notable at a time when President Trump has been seeking to shift blame for interference in the 2016 election from Russia to Ukraine, a central element of his impeachment trial last month,” according to The New York Times.