A state-backed Russian hacking group is targeting a Swiss laboratory that’s helping investigators solve the March poisoning of Sergei Skripal and his daughter in London.
Called Sandworm, the group has been trying to phish employees of Switzerland’s Spiez Laboratory, a chemical-and biological-weapons facility that is doing forensics work on the Novichok poisoning of the former Russian colonel and double agent, according to Swiss news outlet Sonntags Blick, which reported the attacks on Sunday.
Russia has denied any involvement in Skripal’s poisoning.
Sandworm isn’t as well known as the Russian intelligence (FSB) and military (GRU) entities that stole emails from the Democratic National Committee in 2016, but it has run similar operations. In 2013, the group sent malicious emails to NATO officials and to a Polish energy concern. In 2014, they went after various Eastern European officials working in governments that are critical of Russia, using a version of the BlackEnergy botnet tool originally developed by Russian programmer Oleksiuk Dmytro.
“They’re not going after credentials. They want knowledge that only a few people can use. That’s security-related information and diplomatic information and intelligence on NATO and Ukraine and Poland,” FireEye’s John Hultquist told WIRED in 2014.
In 2015, Sandworm made history with the first successful attack on a power grid, using a version of BlackEnergy to hit the Ukrainian energy sector. The group struck again in December 2016, disrupting power to as many as 200,000 Ukrainians in the dead of winter.
Sandworm’s recent attack on Spiez was subtler, a return to the highly directed phishing attacks they ran in 2013 and 2014. Impersonating members of the lab’s management, they sent an email inviting researchers to a chemical weapons conference — and encouraging them to click on a malware-laden Word attachment.
Kurt Münger of the Swiss Federal Office for Civil Protection told Blick that authorities had not seen any data theft resulting from the attempt.