Winter is coming. So are Russia’s elite hackers.
Notorious "Sandworm" hacking group is targeting European energy grids, Google warns.
TALLINN — On the eve of another European winter, one of Russia’s most skilled, stealthy hacking groups is targeting the Continent’s energy infrastructure.
Sandworm, a group linked to Russian intelligence, has been hacking Ukrainian targets in recent years, but “we’re now seeing that they’re interested in the energy sector across Europe,” Jamie Collier, lead threat intelligence adviser at Google, told POLITICO.
“With the onset of winter, that’s clearly a concern,” Collier added.
The Sandworm group is one of the Kremlin’s most notorious cyberthreats, often working in the shadows. Western intelligence previously tied the group to a 2015 attack that took down Ukraine’s power grid, and to another disruption of the Ukrainian power grid in 2023. It is part of Russia’s GRU military intelligence division, according to the U.K. government.
The warnings come as European governments investigate the rupture of two critical undersea telecoms cables connecting EU countries — in the latest incident of “hybrid” sabotage, disruption and digital attacks seen on Europe’s eastern border with Russia since Moscow invaded neighboring Ukraine in 2022.
It adds to the sector’s woes after this week’s sharp gas price hike following an announcement by Russian giant Gazprom that it was cutting off flows to top Austrian importer OMV due to a contractual dispute.
Sandra Joyce, head of threat intelligence at Google’s Mandiant cyber division, first raised the concern with top European officials at the Tallinn Digital Summit in Estonia Tuesday.
“That’s what they’re targeting this morning as we’re sitting here,” Joyce said of Sandworm’s continued hacking attempts on Europe’s energy grid.
Google said in April that Sandworm, also called APT44 or Seashell Blizzard, “remains a formidable threat to Ukraine,” and that “to date, no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign.”
Although the group is often associated with destructive attacks, it also has a “very capable” information-gathering element, Collier said. Russia often blends network intrusions and information operations, he added — such as by deploying “wiper” malware to destroy systems or data and also stealing data to pass to hacktivist groups.
The warnings risk further rocking Europe’s energy sector, which has seen an increase in cyberattacks on its infrastructure in recent years.
An analysis by the Eurelectric lobby group, released Tuesday, said that since 2022 European energy and supply firms have faced 48 publicly known attacks, which is likely just the tip of the iceberg of hacking activity. Almost two-thirds of global recorded cyberattacks in 2023 came from Russia, the group said.