For years, the hacking unit within Russia’s GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history—blackouts, fake ransomware, data-destroying worms—from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency’s botched operations, blown cover stories, and international indictments, perhaps it’s no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.
The commander of Sandworm, the notorious division of the agency’s hacking forces responsible for many of the GRU’s most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.
In that foiled operation, Dutch law enforcement didn’t just identify and arrest Serebriakov and his team, who were part of a different GRU unit generally known as Fancy Bear or APT28. They also seized Serebriakov’s backpack full of technical equipment, as well as his laptop and other hacking devices in his team’s rental car. As a result, Dutch and US investigators were able to piece together Serebriakov’s travels and past operations stretching back years and, given his newer role, now know in unusual detail the career history of a rising GRU official.
According to the intelligence service sources, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead Russia-focused investigator for open source intelligence outlet Bellingcat, has also noted Serebriakov’s rise: Around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency’s strict hierarchy, only speak to higher-level officials. Grozev, who says he bought the phone data from a Russian black market source, says he also saw the GRU agent’s number appear in the phone records of another powerful military unit focused on counterintelligence. “I realized he must be in a command position,” says Grozev. “He can’t just be a regular hacker anymore.”
The fact that Serebriakov appears to have attained that position despite having been previously identified and indicted in the failed Netherlands operation suggests that he must have significant value to the GRU—that he’s “apparently too good to dump,” Grozev adds.
Serebriakov’s new position leading Sandworm—officially GRU Unit 74455 but also known by the nicknames Voodoo Bear and Iridium—puts him in charge of a group of hackers who are perhaps the world’s most prolific practitioners of cyberwar. (They’ve also dabbled in espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government’s unprecedented campaign of cyberattacks on Ukraine: It penetrated electric utilities in western Ukraine and Kyiv to cause the first- and second-ever blackouts triggered by hackers and targeted Ukrainian government agencies, banks, and media with countless data-destructive malware operations. In 2017, Sandworm released NotPetya, a piece of self-replicating code that spread to networks worldwide and inflicted a record $10 billion in damage. Sandworm then went on to sabotage the 2018 Winter Olympics in Korea and attack TV broadcasters in the nation of Georgia in 2019, a shocking record of reckless hacking.
With Russia’s full-scale invasion of Ukraine a year ago, the GRU’s most aggressive hacking unit, now under Serebriakov’s leadership, has refocused its efforts on that country. From its headquarters in a tower in the Moscow suburb of Khimki, it has launched new volleys of data-destroying malware, attempted to cause a third blackout—which the Ukrainian government says it prevented—and bombarded Ukrainian and Polish organizations with a fake ransomware campaign known as Prestige.
Serebriakov’s pre-Sandworm hacking career was no less brazen. When he was captured along with the six other GRU agents in the Netherlands in 2018, US prosecutors say, he had in his backpack a Wi-Fi Pineapple, a book-sized device designed to spoof Wi-Fi networks and trick victims into connecting to it instead of the intended Wi-Fi hot spot, then carry out man-in-the-middle attacks that intercept or alter the victim’s traffic. Serebriakov’s team had also parked a rented car outside the Organization for the Prohibition of Chemical Weapons building with an antenna for Wi-Fi hacking hidden in the trunk. The team was likely targeting staffers of the OPCW who were investigating Russia’s use of the Novichok nerve agent in the GRU’s attempted assassination of defector Sergei Skripal.
When investigators examined that confiscated Wi-Fi hacking equipment, they found evidence of a long list of Wi-Fi networks it had connected to previously, essentially mapping out the travels of Serebriakov and his colleagues to carry out previous hacking operations. The hackers, it seemed, had targeted officials at the 2016 Summer Olympics in Rio de Janeiro, from which more than 100 Russian athletes had been banned for performance-enhancing drug use, as well as attendees of a conference in Lausanne, Switzerland, focused on anti-doping efforts in athletics.
Exactly why Dutch authorities released Serebriakov and his fellow spies rather than criminally charge them—or extradite them to the US, where they face an indictment for hacking crimes—has never been explained, and the Dutch MIVD defense intelligence service didn’t respond to WIRED’s questions about it at the time.
That the figure at the helm of Sandworm today is someone previously identified in that very publicly blown Netherlands operation may demonstrate Serebriakov’s value to the GRU: According to the intelligence service sources, he’s regarded as having good connections to the security research community and strong technical skills. As for the fiasco of the GRU’s Netherlands mission, the intelligence sources say that was blamed on the agents escorting him and his APT28 colleagues, not the hackers themselves. And in some cases, for the GRU, an indictment only bolsters an agent’s reputation for boldness and risk-taking. “For the Kremlin, it may be ‘great, you’ve made a splash, built the myth, bolstered our reputation as these techno-raiders, good on you,’” says Gavin Wilde, a former official at the US National Security Agency and the White House National Security Council who now serves as a fellow at the Carnegie Endowment for International Peace.
But Serebriakov’s reappearance also indicates that relatively few people serve as key players in high-profile state-sponsored hacking operations, says John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant. Hultquist was part of the group of researchers who initially discovered and named Sandworm, and he has closely tracked the unit for years. “This is someone from a notorious close-access operation, and then he shows up as the leader of another organization we know very well,” says Hultquist, using the term close-access to refer to Serebriakov’s short-range Wi-Fi hacking tactics in the Netherlands. “To a certain extent, it demonstrates how small this world is that we’re trying to keep tabs on.”
“The same individuals show up again and again—and I mean the people with the actual hands on the keyboard,” Hultquist adds. “It speaks to the limited number of people in the field. We’re still living in a world where talent is apparently limited to the point where we know the adversaries intimately.”