For years, the hacking unit of Russia's GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history, including blackouts, fake ransomware, and data-destroying worms. But after half a decade of the spy agency's scandals, cover-ups and international indictments, it is perhaps no surprise that the man leading that highly destructive hacking group is today being unmasked.
Western intelligence sources, speaking on condition of anonymity, told Wired that the commander of Sandworm, the unit responsible for many of the GRU's worst cyberwar campaigns, is now an officer named Yevgeny Serebryakov. That name might ring a bell: Serebryakov was arrested in the Netherlands in 2018 during a cyberespionage operation aimed at the organization in The Hague that enforces the ban on chemical weapons, and was indicted along with six other GRU agents.
In that failed operation, Dutch law enforcement identified and arrested Serebryakov and his team, part of the GRU unit commonly known as Fancy Bear or APT28. They also seized Serebryakov's backpack full of technical equipment, as well as a laptop in the team's rental car and other hacking gear. As a result, Dutch and American investigators were able to piece together Serebryakov's travels and work going back years, gaining an unusual insight into the career history of a GRU officer who has now risen to a new role.
According to intelligence service sources, Serebryakov served as deputy commander of APT28 in 2015. In 2022, he was put in charge of Sandworm, and he now holds the rank of colonel. Christo Grozev, chief Russia-focused investigator at the open-source intelligence outlet Bellingcat, also noted Serebryakov's rise: around 2020, Grozev says, Serebryakov began receiving phone calls from GRU generals who speak only to the highest levels of the agency's tight hierarchy. Grozev, who says he bought the phone data from a Russian black market source, also said he saw the GRU officer's number in the phone records of another powerful military unit focused on counterintelligence. "I realized that he should be in a command position," says Grozev. "He can no longer be a regular hacker."
The fact that Serebryakov appears to have secured that position despite being previously identified and charged over the Dutch operation suggests he must be of great value to the GRU. "It seems he was too good to throw away," Grozev added.
Serebryakov's new post at Sandworm, officially GRU Unit 74455 but also known by the nicknames Voodoo Bear and Iridium, puts him in charge of a group of hackers who are perhaps the most skilled cyberwarfare practitioners in the world. (They have also conducted espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government's unprecedented cyberattack campaign in Ukraine: it penetrated electrical utilities in western Ukraine and Kiev, causing the first and second blackouts ever triggered by hackers, and hit Ukrainian government agencies, banks and media with countless data-destructive malware operations. In 2017, Sandworm's NotPetya worm spread its self-replicating code to networks around the world, causing a record $10 billion in damage. Sandworm disrupted the 2018 Winter Olympics in Korea and attacked television broadcasts in the country of Georgia in 2019.