The Russian state-sponsored hackers known as Sandworm have launched some of the most aggressive and disruptive cyberattacks in history: intrusions that planted malware inside US electric utilities in 2014, operations that triggered blackouts in Ukraine—not once, but twice—and ultimately NotPetya, the most costly cyberattack ever. But according to Google, several of Sandworm's quieter operations have gone unnoticed in recent years.

At the CyberwarCon conference in Arlington, Virginia today, Google security researchers Neel Mehta and Billy Leonard described a series of new details about Sandworm's activities since 2017 that ranged from its role in targeting the French election to its attempt to disrupt the last Winter Olympics to—perhaps the most unlikely new example of Sandworm's tactics—attempting to infect large numbers of Android phones with rogue apps. They even tried to compromise Android developers, in an attempt to taint their legitimate apps with malware.

The Google researchers say they wanted to call attention to the overlooked operations of Sandworm, a group that they argue hasn't gotten as much mainstream attention as the linked Russian hacking group known as APT28 or Fancy Bear, despite the enormous scale of Sandworm's damage in attacks like NotPetya and earlier operations in Ukraine. (Both APT28 and Sandworm are widely believed to be part of Russia's military intelligence agency, the GRU.) "Sandworm has been just as effective for a long period of time, and caused significant damage on the CNA front," Leonard told WIRED ahead of his CyberwarCon talk. CNA refers to a computer network attack, the sort of disruptive hacking distinguished from mere espionage or cybercrime. "But they’ve still had these long-running campaigns that have gone under the radar."

"Sandworm was using Ukraine as a testing ground, a proving ground for new activities." Billy Leonard, Google

Google's investigation into Sandworm's Android targeting began in late 2017, around the same time when, according to threat intelligence firm FireEye, the hacker group appears to have begun its campaign to disrupt the 2018 winter games in Pyeongchang, South Korea. Leonard and Mehta now say that in December 2017, they found that Sandworm's hackers were also creating malicious versions of Korean-language Android apps—such as transit schedule, media, and finance software—adding their own malicious "wrapper" around those legitimate apps and uploading versions of them to the Google Play Store.

Google quickly removed those malicious apps from Play, but soon found that the same malicious code had been added two months earlier to a version of a Ukrainian mail app Ukr.net—which had also been uploaded to Google's app store. "That had been their first foray into Android malware," says Leonard. "As in the past, Sandworm was using Ukraine as a testing ground, a proving ground for new activities."

Leonard and Mehta say that even including that earlier Ukrainian effort, Sandworm's malicious apps infected fewer than 1,000 phones in total. They also aren't sure what the malware was intended to do; the malicious code they saw was only a downloader, capable of serving as a "beachhead" for other malware components with unknown functionality. The ultimate goal could have ranged from espionage—hacking and leaking information, as the GRU has carried out against other Olympics-related targets like the Worldwide Anti-Doping Agency—to a data-destroying attack like the Olympic Destroyer malware that hit Pyeongchang.

In October and November 2018, Google says it saw Sandworm try another, somewhat more sophisticated attempt at compromising Android devices. This time the hackers went after Android developers, largely in Ukraine, using phishing emails and attachments laced with malware designed to exploit known Microsoft Office vulnerabilities and plant a common hacking framework known as Powershell Empire. In one case, Sandworm successfully compromised the developer of a Ukrainian history app, and used that access to push out a malicious update that resembled the Android malware Google had seen the year before. Google says no phones were infected this time, because it caught the change before it reached Google Play.