Russian Intel Officers Charged in U.S. Federal Court with the Deployment of Destructive and Disruptive Actions in Cyberspace
“Defendants’ Malware Attacks Caused Nearly One Billion USD in Losses to Three Victims Alone; Also Sought to Disrupt the 2017 French Elections and the 2018 Winter Olympic Games.” – U.S. Justice Department.
This past week, a federal grand jury in Pittsburgh, Pennsylvania handed down an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia). The intelligence officers were from the Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the Russia’s Armed Forces.
These GRU financed hackers – as well as their co-conspirators — perpetrated computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize:
(1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.
The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
According to the grand jury indictment, “Beginning in November 2015 — and continuing until at least in or around October 2019 – [T]he defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking). As alleged by Department of Justice, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing computer intrusions and attacks:
- Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
- French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
- Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
- PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
- Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
- Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.
- Cybersecurity researchers have tracked the Conspirators and their malicious activity using the labels “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”
The criminal charges were announced by members of the DOJ and FBI including Assistant Attorney General John C. Demers; FBI Deputy Director David Bowdich; U.S. Attorney for the Western District of Pennsylvania Scott W. Brady; and Special Agents in Charge of the FBI’s Atlanta, Oklahoma City, and Pittsburgh Field Offices, J.C. “Chris” Hacker, Melissa R. Godbold, and Michael A. Christman, respectively.
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General John C. Demers.
“Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, by the unleashing the NotPetya malware. No nation will recapture greatness while behaving in this manner,” Special Agent Demers said.
“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”
“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said U.S. Attorney Scott W. Brady for the Western District of Pennsylvania.
“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” said Brady, the prosecutor in charge of the case.
“The exceptional talent and dedication of our teams in Pittsburgh, Atlanta and Oklahoma City who spent years tracking these members of the GRU is unmatched,” said FBI Pittsburgh Special Agent in Charge Michael A. Christman. “These criminals underestimated the power of shared intelligence, resources and expertise through law enforcement, private sector and international partnerships,” he told reporters.
The defendants, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), 32; Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), 35; Pavel Valeryevich Frolov (Павел Валерьевич Фролов), 28; Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), 29; Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), 27; and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), 32, are all charged in seven counts including: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Each defendant is charged in every count.
The indictment accuses each defendant of committing the following overt acts in furtherance of the charged crimes:
Defendant | Summary of Overt Acts |
Yuriy Sergeyevich Andrienko | · Developed components of the NotPetya and Olympic Destroyer malware. |
Sergey Vladimirovich Detistov | · Developed components of the NotPetya malware; and
· Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. |
Pavel Valeryevich Frolov | · Developed components of the KillDisk and NotPetya malware. |
Anatoliy Sergeyevich Kovalev | · Developed spearphishing techniques and messages used to target:
– En Marche! officials; – employees of the DSTL; – members of the IOC and Olympic athletes; and – employees of a Georgian media entity. |
Artem Valeryevich Ochichenko | · Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and
· Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network. |
Petr Nikolayevich Pliskin | · Developed components of the NotPetya and Olympic Destroyer malware. |