Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns

US Department of Justice charges members of Sandworm/APT28 for BlackEnergy, NotPetya, Olympic Destroyer, and other major attacks.

Six members of the pervasive yet elusive Russian military hacking operation behind some of the most destructive targeted cyberattacks in the world — the Ukraine power grid in 2015 and 2016, NotPetya, and the 2018 Winter Olympics — have been indicted by the US Department of Justice for these and other cybercrimes.

DoJ and FBI officials today unsealed an Oct. 15 indictment that names and charges officers in Russia's Unit 74455 of the Russian Main Intelligence Directorate (GRU) — aka Sandworm, APT28, VooDoo Bear — in seven counts of conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

The wide-ranging indictment details alleged cybercrimes between November 2015 and October 2019 conducted at the behest of the Russian government, including the December 2015 and December 2016 attacks on Ukraine's power grid, finance, and treasury departments using BlackEnergy, Industroyer, and KillDisk malware; attacks on the French elections in 2017 with malware and data leaks; the infamous June 2017 NotPetya attack that destroyed data under the guise of ransomware, including $1 billion in losses for three US organizations; and hacks of the 2018 Winter Olympics, including the Olympic Destroyer malware.

The charges also encompass spear-phishing attacks in April 2018 against organizations investigating the poisoning of Sergei Skripal and his daughter in the UK, and targeted attacks on a media company and government agencies in the nation of Georgia.

"As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite," said Assistant Attorney General for National Security John Demers today in a DoJ press conference announcing the indictment.

The indictment names Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32.

This isn't the first time the GRU has been in the DoJ crosshairs: In October 2018, the DoJ indicted several members of its Military Unit 26165 for hacking and disinformation efforts against anti-doping and other efforts. Kovalev was named in that indictment for allegedly breaking into US state voter elections databases during the 2016 elections.

And according to the indictment, Kovalev allegedly was targeting Russian organizations as well, specifically real estate companies, auto dealers, and cryptocurrency vendors in his country. While the Russian government often looks the other way when cybercriminals it hires attack other nations' interests, the country has been known to take legal action against hackers who attack Russian interests. It's unclear whether Kovalev's moonlighting was known to the GRU.

The Sandworm defendants are part of one of the most active and prolific nation-state hacking groups around. "They've got a rap sheet that includes many of the top 10 hits" of cyberattacks, says John Hultquist, senior director of analysis for Mandiant Threat Intelligence at FireEye. "What separates these guys from some other actors is they are carrying out these attacks beyond the pale: It's not classic espionage. It's disruption of systems."

Hultquist points out that while US election-hacking isn't part of the latest indictment, Sandworm ran the leak operation during the 2016 election-meddling efforts by Russia, and hacked into election infrastructure. "They should absolutely be on our radar for the upcoming elections," he says.

Matt Olney, director of threat intelligence and interdiction at Cisco Talos, which assisted in the DoJ investigation that led to the indictments, says Sandworm is notoriously "quiet" and difficult to spot. "These guys operate very quietly for the most part. When you see them, I would argue that they choose for you to see them," he says, like with their infamous destructive attacks detailed in the indictment.

The indictment isn't likely to curb any cyber operations that Russia has launched against this US election, Hultquist notes. "If they're doing anything election-wise, unfortunately, it's probably already in the works," and it's likely Sandworm that would leak any pilfered information, he says.

"Greatest" Hits
Just before Christmas in 2015, the Sandworm attackers allegedly hacked into networks of three energy distribution companies in Ukraine and shut off electricity for some 225,000 Ukrainian customers. They kicked it up a notch one year later in December 2016, unleashing malware known as Industroyer that wiped out files on an electric company's systems and knocked out power in Kiev for about an hour.

On June 27, 2017, the attackers allegedly dropped the NotPetya malware via a popular accounting program used in Ukraine, called M.E.Doc, by commandeering the update mechanism of the software and uploading their malware to users of the software. Disguised as ransomware, the malware was actually a wiper that destroyed the data on the infected machines. Among the US-based victims were Heritage Valley Health System in Pennsylvania; TNT Express B.V., a FedEx subsidiary; and a major pharmaceutical company, reportedly Merck, which in total suffered some $1 billion in losses from the attack.

Afterward, the suspects allegedly celebrated the attack, according to the indictment.

Sandworm launched a long-tail spear-phishing campaign from December 2017 to February 2018 in the run-up to the 2018 Winter Olympics after Russian athletes were banned from the games because of doping violations. The attacks targeted South Korean citizens, officials, Olympic athletes, and International Olympic Committee officials, and culminated with the so-called Olympic Destroyer attacks on the Winter Games computers, a combination of distributed denial-of-service attacks and data-wiping attacks that disabled the Olympics IT systems, shutting down Wi-Fi, monitors, and the Olympics website such that ticket purchasers were unable to print their tickets. The destructive worm also hit several ski resorts near the Olympics, where it disabled gates and lifts.

The attackers took a new tack: creating a convincing forgery of malware associated with the North Korean nation-state Lazarus Group, fooling several experts who initially pinned the blame for the attacks on the DPRK.

What's Next
While it's unlikely the defendants will set foot on US soil or that of US-friendly countries, the hacking charges against the six GRU officers carry some hefty prison sentences, anywhere from five to 27 years for some of the charges. Even so, the indictments do put pressure on the defendants. "They are very young and these indictments reduce their opportunities in the future. It may [also] affect the GRU's ability to recruit," Hultquist says.

And something has to give, Cisco's Olney notes. "Certain activities and actions and targets are just not acceptable from a nation-state. The first path of holding parties responsible by identifying their poor behavior has to be taken," he says, such as indictments. "It's up to the international community to see where we go from here."

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
