The U.S. Department of Justice (DOJ) has charged six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The group is believed to be part of one of Russia's most elite and secretive hacking groups, known as Sandworm.

Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access  to victim computers (hacking).  As alleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing computer intrusions and attacks:

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

Cybersecurity researchers have tracked the Conspirators and their malicious activity using the labels “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”

The indictment accuses each defendant of committing the following overt acts in furtherance of the charged crimes:

Defendant

Summary of Overt Acts

Yuriy Sergeyevich Andrienko

·      Developed components of the NotPetya and Olympic Destroyer malware.

Sergey Vladimirovich Detistov

·      Developed components of the NotPetya malware; and

·      Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. 

Pavel Valeryevich Frolov

·       Developed components of the KillDisk and NotPetya malware.

Anatoliy Sergeyevich Kovalev

·       Developed spearphishing techniques and messages used to target:

-       En Marche! officials;

-       employees of the DSTL;

-       members of the IOC and Olympic athletes; and

-       employees of a Georgian media entity.

Artem Valeryevich Ochichenko

·       Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and

·       Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

Petr Nikolayevich Pliskin

·       Developed components of the NotPetya and Olympic Destroyer malware. 

The defendants and their co-conspirators caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States. 

 

According to Kacey Clark, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, "The tactics employed in Sandworm's campaigns align with Russian Main Intelligence Directorate (GRU)'s philosophy of leveraging aggressive and sometimes destructive cyberattacks. The charges filed against Sandworm represent not only the first criminal charges against Sandworm for its most destructive attacks but the first time that most of the charged threat actors have been publicly identified as members of the cybercriminal group. They also represent Sandworm's first global law enforcement reaction to their deployment of the NotPetya ransomware that has crippled networks worldwide."

The NotPetya malware spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses. Those losses were only part of the harm, however, says the DOJ.  For example, the NotPetya malware impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of Pennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities. The attack caused the unavailability of patient lists, patient history, physical examination files, and laboratory records. Heritage Valley lost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and administrative computer systems for almost one month, thereby causing a threat to public health and safety.

Clark adds, "According to the Government Communications Headquarters (GCHQ), Russia is assessed as a highly competent threat actor with demonstrated potential to carry out operations that have a myriad of impacts across any industry. Russia has been carrying out disruptive cyber activities to establish itself forcefully in various ways, including seeking to disrupt other countries' elections. For example, it has been widely reported that Russian state-associated groups were behind the "hack and leak" cyberattack, which aimed to breach French political party members' accounts in the run-up to the 2017 French elections.The United Kingdom's Secret Intelligence Service (SIS) reported that this activity "comes to the very muddy nexus between business and corruption and state power in Russia." GCHQ also stated a "considerable balance of intelligence now which shows the links between serious and organized crime groups and Russian state activity."

"Considering the GRU allegedly sponsored Sandworm, its members' arrest and extraction are unlikely. However, it is possible that authorities would impose sanctions against the alleged cybercriminals and the GRU unit that sponsors them, considering this countermeasure has previously been used," notes Clark. "For now, Sandworm's indictments will limit their ability to use the Western financial system or travel to any country that may have an extradition agreement with the US. Is this indictment to deter future activity from Russia state-associated threat actors? Perhaps not, but it is a step in the right direction. Generally speaking, this will remind threat actors that cyberattacks will not occur without consequences.”

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes that the breadth of targets and attack types shows that state-sponsored hacking groups are no longer just a threat to governments.

"Many organizations possess valuable data, such as about infrastructure, medicine and the economy, that a political adversary like Russia would use for malicious intent. Now that smartphones and tablets can access this type of data just as easily as a laptop or computer, groups like Sandworm are expanding their arsenal out to include phishing attacks, malicious mobile apps, and mobile vulnerability exploitation," says Schless. "For example, stealing research data from a pharmaceutical institution that is leading the search for a COVID-19 vaccine could give Russian-based drug developers enough of a leg up to beat a US-based company to the end goal.  

Other groups, says Schless, such as North Korea’s Lazarus Group, carry out many targeted attacks against financial institutions in particular.

"Groups like this use tactics, such as spear phishing, that are just as likely to reach targets on both computers, smartphones, or tablets. They know that the likelihood of a successful phishing attack increases dramatically if the target receives it on a mobile device. They can phish login credentials from particular users that would allow them to get into the corporate infrastructure, then move laterally around the infrastructure for surveillance purposes or to exfiltrate valuable data," he says. 

Schless adds, "Mobile users are accustomed to downloading helpful apps in unfamiliar situations. In the case of something like a large event, attackers will use social engineering to convince targets to download a malicious app under the guise of it being helpful to the mobile user. Sandworm used the PyeongChang Olympics as a platform to distribute mobile malware in the form of malicious apps. These apps can be used to spy on the device users, exfiltrate data on the device, and gain access to any other apps the user logs into on that device.”