U.S. Charges Russian Intelligence Officers for NotPetya, Industroyer Attacks

The U.S. Department of Justice on Monday announced charges against six Russian intelligence officers for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

They have all been charged with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

The men are said to be members of Russia’s GRU military intelligence agency, which has long been known to conduct hacking operations on behalf of Moscow. Specifically, the suspects are said to be part of a group named Sandworm, which is also known as Telebots, Iron Viking and Voodoo Bear.

Sandworm is believed to be behind many high-profile attacks launched over the past years. The indictment against the Russian intelligence officers mentions attacks on Ukraine, including the destructive attacks aimed at the country’s power grid in 2015 and 2016 using the malware families known as BlackEnergy and Industroyer.

The group has also been linked to the NotPetya attack, which involved a wiper disguised as ransomware and which cost many companies millions of dollars. This attack was attributed to Russia by several governments in 2018.

The indictment also mentions the 2017 operation targeting elections in France, which involved data leaks. The hackers are also said to have targeted the PyeongChang Winter Olympics with the Olympic Destroyer malware, as well as Georgian companies and government organizations. The U.S. and the UK officially blamed Russia for the attacks on Georgia earlier this year.

John Hultquist, senior director of analysis at FireEye’s Mandiant Threat Intelligence, pointed out that while it’s not mentioned in the indictment, Sandworm was also involved in operations aimed at the 2016 presidential elections in the United States.

“This actor’s involvement in election interference in France is especially important as we near the end of elections in the US. One possible scenario we are anticipating is a very late game hack and leak operation, such as the one that was carried out in France. This incident is a reminder that dramatic late game operations are possible in the eleventh hour. Additionally, leaked information included fabricated materials, a reminder that actors may mix legitimate, stolen materials with items they have fabricated themselves,” Hultquist told SecurityWeek.

The Justice Department claims the defendants were involved in developing malware and malware components, preparing and conducting spear-phishing campaigns, and conducting reconnaissance.

The suspects are all at large and have been added by the FBI to its Cyber’s Most Wanted list. If convicted, they could be sentenced to lengthy prison terms.

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

U.S. authorities have credited several companies in the private sector for their assistance in the Sandworm investigation, including Google, Cisco Talos, Facebook and Twitter.