For years, a hacking unit within the Russian military intelligence agency GRU, known as Sandworm, has carried out some of the worst cyberattacks in history: power outages, bogus ransomware, data-destroying worms, all from behind a carefully maintained veil of anonymity. But after half a decade of botched spy agency operations, blown covers, and international indictments, it's perhaps no surprise that unmasking the man at the head of this highly destructive hacking group today reveals a familiar face.
The commander of Sandworm, the notorious division of the agency's hacking forces responsible for many of the GRU's most aggressive cyberwarfare and sabotage campaigns, is now an official named Evgenii Serebriakov, according to Western intelligence sources who spoke to WIRED on condition of anonymity. If this name means anything to you, it may be because Serebriakov was charged, along with six other GRU agents, after being caught in the middle of a close-access cyber espionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in The Hague.
In that foiled operation, Dutch law enforcement did more than identify and expel Serebriakov and his team, who were part of another GRU unit commonly known as Fancy Bear or APT28. They also seized Serebriakov's backpack full of technical equipment, as well as his laptop and other hacking devices from the team's rental car. As a result, Dutch and American investigators have been able to piece together Serebriakov's past travels and operations stretching back years and, given his new role, now know in unusual detail the career history of a rising GRU official.
According to intelligence sources, Serebriakov was put in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and he now holds the rank of colonel. Christo Grozev, the Russia-focused lead investigator for the open-source intelligence outlet Bellingcat, also noted Serebriakov's rise: around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency's strict hierarchy, only talk to higher-ranking officials. Grozev, who says he bought the phone data from a Russian black-market source, says he also saw the GRU agent's number appear in the phone records of another powerful military unit focused on counterintelligence. "I realized he had to be in a command position," Grozev says. "He can't be a regular hacker anymore."
The fact that Serebriakov appears to have achieved this position despite having been previously identified and indicted in the failed Dutch operation suggests that he must be of significant value to the GRU – that he is "apparently too good to be abandoned," adds Grozev.
Serebriakov's new position as head of Sandworm – officially GRU Unit 74455, but also known by the nicknames Voodoo Bear and Iridium – places him at the head of a group of hackers who are perhaps the most prolific practitioners of cyberwarfare in the world. (They have also engaged in espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government's unprecedented campaign of cyberattacks against Ukraine, penetrating power utilities in western Ukraine and Kyiv to cause the first and second blackouts ever triggered by hackers, and targeting Ukrainian government agencies, banks, and media with countless data-destroying malware operations. In 2017, Sandworm released NotPetya, a piece of self-replicating code that spread to networks around the world and inflicted a record $10 billion in damage. Sandworm then went on to sabotage the 2018 Winter Olympics in South Korea and to attack TV broadcasters across the nation of Georgia in 2019, a shocking record of reckless hacking.