Since the Russian military agency known as the GRU first entered the spotlight as the hackers that targeted the 2016 US election, it's become increasingly known as the actor behind much of the Kremlin’s most brazen digital behavior. It's responsible for everything from the first-ever blackout triggered by hackers—turning off the power to a quarter million Ukrainians in December 2015—to NotPetya, the worst cyberattack in history, a worm that inflicted $10 billion in damage.

In recent years, security researchers have also found a web of evidence—some of which has until now remained unpublished—that definitively ties the group to other, more mysterious incidents. Those include the breach of two US state boards of elections in 2016, the cyberattack on the 2018 Winter Olympics, and the hacking of the French election in 2017. In fact, those fingerprints link much of that global chaos not just to the GRU, but to a single group of hackers within the agency known as Sandworm.

"This group is tasked with the most aggressive behavior we see from Russia, and possibly the most aggressive we see, period," says John Hultquist, the director of intelligence analysis at security firm FireEye, whose team discovered and named Sandworm in the fall of 2014. "That behavior seems to run the gamut from election interference to technical disruption of the power grid. I can’t think of another group that can claim to have not only tried so many brazen acts, but actually pulled them off."

I’ve also followed Sandworm's escalating attacks over the last three years, telling its story in a book, Sandworm, published last week. In the process of that reporting, security researchers from companies including FireEye and ESET have shared crucial forensic connections that tie the group's hacking incidents into a single, connected, and evolving series of operations.

The French Connection

Russia’s GRU has long been suspected of responsibility for the breach that leaked 9 gigabytes of emails from the campaign of French presidential candidate Emmanuel Macron just before the French election in early May of 2017—nearly a year after carrying out a similar campaign against the Democratic National Committee and the Clinton Campaign in the US. Now one fresh data point from security firm FireEye ties that operation directly to Sandworm, and specifically the NotPetya malware that would hit Ukraine and spread globally just a month after the French election.

"These guys are really about the impact. They’re about sabotage and disruption." Robert Lipovsky, ESET

That link began with a hacking tool first spotted by cybersecurity firm ESET in 2016, a backdoor program written in the Visual Basic Scripting programming language that Sandworm had used in data-destroying attacks against Ukraine. The following year, ESET found that same VBS tool had been installed on the network of a Ukrainian financial sector victim. It had been placed there using the same hijacked updates to Ukrainian accounting software, MEDoc, that had enabled the release of NotPetya just days before. ESET would later point to that VBS backdoor as a key point of evidence that Sandworm—which ESET calls Telebots—was responsible for NotPetya.

In May of 2018, FireEye took a closer look at that VBS backdoor, specifically a command-and-control server based in Bulgaria that Sandworm had apparently used to communicate with it. That server was also, strangely, a "relay" in the anonymity network Tor, serving as one of the volunteer computers in the Tor network that bounces encrypted connections around the world. In this case, the hackers appear to have used that Tor relay trick to obscure the connection from their command-and-control server back to whatever computer they used to administer it.