
Threat Intelligence

10/19/2020
06:40 PM

Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns

US Department of Justice charges members of Sandworm/APT28 for BlackEnergy, NotPetya, Olympic Destroyer, and other major attacks.

Six members of the pervasive yet elusive Russian military hacking operation behind some of the most destructive targeted cyberattacks in the world — the Ukraine power grid in 2015 and 2016, NotPetya, and the 2018 Winter Olympics — have been indicted by the US Department of Justice for these and other cybercrimes.


DoJ and FBI officials today unsealed an Oct. 15 indictment that names and charges officers in Russia's Unit 74455 of the Russian Main Intelligence Directorate (GRU) — aka Sandworm, APT28, VooDoo Bear — in seven counts of conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

The wide-ranging indictment details alleged cybercrimes between November 2015 and October 2019 conducted at the behest of the Russian government, including the December 2015 and December 2016 attacks on Ukraine's power grid, finance, and treasury departments using BlackEnergy, Industroyer, and KillDisk malware; attacks on the French elections in 2017 with malware and data leaks; the infamous June 2017 NotPetya attack that destroyed data under the guise of ransomware, causing $1 billion in losses for three US organizations; and hacks of the 2018 Winter Olympics, including the Olympic Destroyer malware.

The charges also encompass spear-phishing attacks in April 2018 against organizations investigating the poisoning of Sergei Skripal and his daughter in the UK, and targeted attacks on a media company and government agencies in the nation of Georgia.

"As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite," said Assistant Attorney General for National Security John Demers today in a DoJ press conference announcing the indictment.

The indictment names Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32.

This isn't the first time the GRU has been in the DoJ crosshairs: In October 2018, the DoJ indicted several members of its Military Unit 26165 for hacking and disinformation campaigns against anti-doping efforts and other targets. Kovalev was named in that indictment for allegedly breaking into US state voter election databases during the 2016 elections.

And according to the indictment, Kovalev allegedly was targeting Russian organizations as well, specifically real estate companies, auto dealers, and cryptocurrency vendors in his country. While the Russian government often looks the other way when cybercriminals it hires attack other nations' interests, the country has been known to take legal action against hackers that attack Russian interests. It's unclear whether Kovalev's moonlighting was known to the GRU.

The Sandworm defendants are part of one of the most active and prolific nation-state hacking groups around. "They've got a rap sheet that includes many of the top 10 hits" of cyberattacks, says John Hultquist, senior director of analysis for Mandiant Threat Intelligence at FireEye. "What separates these guys from some other actors is they are carrying out these attacks beyond the pale: It's not classic espionage. It's disruption of systems."

Hultquist points out that while US election-hacking isn't part of the latest indictment, Sandworm ran the leak operation during the 2016 election-meddling efforts by Russia, and hacked into election infrastructure. "They should absolutely be on our radar for the upcoming elections," he says.

Matt Olney, director of threat intelligence and interdiction at Cisco Talos, which assisted in the DoJ investigation that led to the indictments, says Sandworm is notoriously "quiet" and difficult to spot. "These guys operate very quietly for the most part. When you see them, I would argue that they choose for you to see them," he says, like with their infamous destructive attacks detailed in the indictment.

The indictment isn't likely to curb any cyber operations that Russia has launched against this US election, Hultquist notes. "If they're doing anything election-wise, unfortunately, it's probably already in the works," and it's likely Sandworm that would leak any pilfered information, he says.

"Greatest" Hits
Just before Christmas in 2015, the Sandworm attackers allegedly hacked into networks of three energy distribution companies in Ukraine and shut off electricity for some 225,000 Ukrainian customers. They kicked it up a notch one year later in December 2016, unleashing malware known as Industroyer that wiped out files on an electric company's systems and knocked out power in Kiev for about an hour.

On June 27, 2017, the attackers allegedly dropped the NotPetya malware via a popular accounting program used in Ukraine, called M.E.Doc, by commandeering the software's update mechanism and pushing their malware to its users. Disguised as ransomware, the malware was actually a wiper that destroyed the data on infected machines. Among the US-based victims were Heritage Valley Health System in Pennsylvania; TNT Express B.V., a FedEx subsidiary; and a major pharmaceutical company, reportedly Merck, which in total suffered some $1 billion in losses from the attack.
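The NotPetya delivery described above abused a trusted software update channel, so the defensive check a practitioner wants here is a client-side update verifier that refuses any payload whose manifest is not signed by a pinned publisher key and whose hash does not match the signed digest. The following Go program is an added illustration and is not code from the article, from M.E.Doc, or from any party named in the indictment; the manifest layout, the Ed25519 key pair, the payload bytes and the scenario helper are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update descriptor: the publisher
// signs the version string plus the SHA-256 of the update payload.
type Manifest struct {
	Version string
	Digest  [32]byte
	Sig     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned publisher key")
	ErrDigestMismatch = errors.New("payload digest does not match signed manifest")
)

// manifestBytes is the canonical byte string that is signed and verified.
func manifestBytes(version string, digest [32]byte) []byte {
	return append([]byte(version+"\n"), digest[:]...)
}

// NewPublisherKeys models the vendor generating its signing key pair
// (offline, separate from the update server).
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the publisher side: hash the payload and sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	d := sha256.Sum256(payload)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, manifestBytes(version, d))}
}

// VerifyUpdate is the client side: check the signature with the pinned key
// first, then check that the downloaded payload matches the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// Scenarios runs three constructed cases and returns the verifier's verdicts:
// a genuine update, a payload swapped on a compromised update server, and a
// manifest re-signed by an attacker-controlled key.
func Scenarios() (genuine, swappedPayload, attackerKey error) {
	vendorPub, vendorPriv := NewPublisherKeys()
	payload := []byte("constructed benign update bytes v1.2.3")
	m := SignUpdate(vendorPriv, "1.2.3", payload)

	genuine = VerifyUpdate(vendorPub, m, payload)

	// Attacker controls the download server but not the signing key:
	// the genuine manifest is served with a different payload.
	swappedPayload = VerifyUpdate(vendorPub, m, []byte("constructed tampered bytes"))

	// Attacker re-signs a manifest for the tampered payload with their own key.
	_, attackerPriv := NewPublisherKeys()
	forged := SignUpdate(attackerPriv, "1.2.3", []byte("constructed tampered bytes"))
	attackerKey = VerifyUpdate(vendorPub, forged, []byte("constructed tampered bytes"))
	return
}

func main() {
	g, s, a := Scenarios()
	fmt.Println("genuine update:       ", g)
	fmt.Println("swapped payload:      ", s)
	fmt.Println("attacker-signed:      ", a)
	vendorPub, vendorPriv := NewPublisherKeys()
	m := SignUpdate(vendorPriv, "1.2.3", []byte("demo"))
	fmt.Println("digest:", hex.EncodeToString(m.Digest[:]), "verifies:", VerifyUpdate(vendorPub, m, []byte("demo")) == nil)
}
```

The verifier rejects both a payload swapped behind a genuine manifest and a manifest re-signed with the wrong key. The check only helps if the private signing key is kept off the distribution server that an intruder could take over; if the key lives on the same host as the updates, a compromise of that host defeats this scheme, which is why signing keys belong on a separate, offline or hardware-backed system.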

Afterward, the suspects allegedly celebrated the attack, according to the indictment.

Sandworm launched a long-tail spear-phishing campaign from December 2017 to February 2018 in the runup to the 2018 Winter Olympics after Russian athletes were banned from the games because of doping violations. The attacks targeted South Korean citizens, officials, Olympic athletes, and International Olympic Committee officials, and culminated with the so-called Olympic Destroyer attacks on the Winter Games computers, a combination of distributed denial-of-service attacks and data-wiping attacks that disabled the Olympics IT systems, shutting down Wi-Fi, monitors, and the Olympics website such that ticket purchasers were unable to print their tickets. The destructive worm also hit several ski resorts near the Olympics, where it disabled gates and lifts.

The attackers took a new tack: creating a convincing forgery of malware associated with the North Korean nation-state Lazarus Group, fooling several experts who initially pinned the blame for the attacks on the DPRK.

What's Next
While it's unlikely the defendants will set foot on US soil or that of US-friendly countries, the hacking charges against the six GRU officers carry some hefty prison sentences, anywhere from five to 27 years for some of the charges. Even so, the indictments do put pressure on the defendants. "They are very young and these indictments reduce their opportunities in the future. It may [also] affect the GRU's ability to recruit," Hultquist says.

And something has to give, Cisco's Olney notes. "Certain activities and actions and targets are just not acceptable from a nation-state. The first path of holding parties responsible by identifying their poor behavior has to be taken," he says, such as indictments. "It's up to the international community to see where we go from here."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments

wessir, User Rank: Apprentice, 10/22/2020 | 3:48:11 PM
Better you than me
So no indictments for what we do? Laughable we throw mud at them while we do the same.