
Over the years, behind a carefully maintained veil of anonymity, a hacking unit within Russia’s GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history: power outages, fake ransomware, data-destroying worms. But after five years of botched spy-agency operations, swashbuckling cover stories and international prosecutions, it’s perhaps no surprise that the man who leads this destructive hacking group today, once the mask comes off, turns out to have a familiar face.
According to a Western intelligence source who spoke on condition of anonymity, the commander of Sandworm, the agency’s notorious hacker unit responsible for many of the GRU’s most aggressive cyberwarfare and sabotage operations, is now an officer named Evgenii Serebriakov. If that name rings a bell, it’s probably because Serebriakov and six other GRU operatives were indicted in The Hague after their capture in 2018 during a close-range cyber-espionage operation in the Netherlands against the Organization for the Prohibition of Chemical Weapons.
In that failed operation, Dutch law enforcement not only identified and arrested Serebriakov and his team, who were part of another GRU unit commonly known as Fancy Bear or APT28, but also seized Serebriakov’s backpack full of tech gear, along with his laptop and other hacking equipment in the team’s rented car. As a result, investigators in the Netherlands and the United States were able to piece together Serebriakov’s travels and actions over the preceding years, and, given his new role, now have a very detailed look at the career history of a rising GRU officer.
According to intelligence sources, Serebriakov was named head of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead investigator on Russia at the open-source intelligence agency Bellingcat, has also noticed Serebriakov’s rise: Around 2020, Grozev said, Serebriakov began getting calls from GRU generals who, in the agency’s strict hierarchy, would only communicate with higher-ranking officials. Grozev, who said he bought the phone data from black-market sources in Russia, said he also saw the GRU agent’s number appear in the phone logs of another powerful military unit focused on counterespionage. “I realized he must be in a commanding position,” Grozev said. “He can’t just be an ordinary hacker anymore.”
Serebriakov appears to have secured that post despite his earlier identification and indictment in the failed Dutch operation, which suggests he must have been of great value to the GRU; he was “clearly too good to be thrown out,” Grozev added.
Serebriakov’s new role leading Sandworm (officially known as GRU Unit 74455, but also known as Voodoo Bear and Iridium) puts him in charge of a group of hackers who may be the world’s most prolific practitioners of cyberwarfare. (They’ve also dabbled in espionage and disinformation.) Since 2015, Sandworm has led the Russian government’s unprecedented cyberattack campaign against Ukraine: It infiltrated power companies in western Ukraine and Kiev, causing the first- and second-ever hacker-induced blackouts, and ran numerous data-destroying malware operations targeting Ukrainian government agencies, banks and media. In 2017, Sandworm released NotPetya, a self-replicating piece of code that spread across networks worldwide and caused a record $10 billion in damage. Sandworm then went on to disrupt the 2018 Winter Olympics in South Korea and to attack Georgia’s national television broadcaster in 2019, an astounding record of reckless hacking.