Russia May Be Behind Hack of Texas Water Facility

Google's cybersecurity firm Mandiant uncovers evidence linking the water facility incident to an infamous Russian state-sponsored hacking group called Sandworm.

By Michael Kan, Principal Reporter

A little-known hack of a water facility in Texas may be the work of Russian state-sponsored hackers, according to new findings from security researchers. 

Google-owned Mandiant today published a report linking the water facility hack to Sandworm, also known as APT44, a hacking group that allegedly works within Russia’s military intelligence. 

In January, city officials in the small town of Muleshoe, Texas, disclosed the water facility hack, which caused a water tank to overflow. At the same time, a hacktivist group dubbed CyberArmyofRussia_Reborn posted on its Telegram channel about gaining control of the water systems at Muleshoe, along with another town called Abernathy and water facilities in Poland.

As proof, CyberArmyofRussia_Reborn posted a video, demonstrating it had control over the Texas water facility computer systems. With the help of Google, Mandiant has since uncovered evidence that the hacktivist group has ties to Sandworm, a Russian operation that has been blamed for launching cyberattacks to disrupt Ukraine’s power plants and the 2018 Winter Olympics in South Korea. 

The evidence includes CyberArmyofRussia_Reborn trying to create a YouTube channel using internet infrastructure linked to Sandworm activity. Mandiant had also spotted CyberArmyofRussia_Reborn publishing data over its Telegram channel that was stolen through previous Sandworm attacks. 

In another case, the hacktivist group even made claims referencing a cyberattack before Sandworm actually carried it out. As a result, both Google’s security team and Mandiant conclude that Sandworm created and is possibly controlling CyberArmyofRussia_Reborn.

That said, Mandiant couldn’t definitively conclude that Sandworm directed the hack of the water facility in Texas. Wired reports it’s possible Sandworm created CyberArmyofRussia_Reborn, but allows the hacktivist group to operate independently. Still, the findings underscore the threat that foreign government hackers pose to US critical infrastructure. 

In November, the US initially warned that Iranian hackers were targeting US water facilities. Then in March, the Environmental Protection Agency issued another alert, saying Chinese state-sponsored hackers had also been spotted trying to infiltrate US critical infrastructure. 

Mandiant’s report adds that Sandworm has largely targeted Ukrainian networks, including deploying “destructive” malware attacks that can corrupt fleets of computers. Still, the company warns that the hacking group could widen its attacks to other countries.

“We therefore assess that changing Western political dynamics, upcoming elections, and emerging issues in Russia’s near abroad will also continue to shape APT44’s operations for the foreseeable future,” Mandiant says.
