The Department of Justice has brought criminal charges against six Russian military intelligence officers believed to be involved in multiple cyberattacks against targets around the world, including online assaults against the Ukrainian power grid in 2015 and 2017.
The indictment last week by a grand jury in Pittsburgh named Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin, all officers in Russia’s military intelligence agency, GRU — specifically Unit 74455, a notorious team of hackers dubbed “Sandworm” or “Voodoo Bear” by some security analysts. Each count in the indictment applies to every defendant:
- conspiracy to conduct computer fraud and abuse
- conspiracy to commit wire fraud
- wire fraud (two counts)
- damaging protected computers
- aggravated identity theft (two counts)
The computer fraud conspiracy charge carries a maximum sentence of five years; conspiracy to commit wire fraud and each wire fraud count carry maximums of 20 years; intentional damage to a protected computer carries 10 years; and aggravated identity theft carries a mandatory two-year sentence. The indictment also includes an allegation of false registration of domain names, which would add seven years to the maximum sentence for each wire fraud and damage-to-a-protected-computer count, and double the sentence for aggravated identity theft.
In addition to the Ukraine cyberattacks, the men are alleged to have carried out “computer intrusions and attacks” against elections in France, Georgian government and media entities, the 2018 Winter Olympics in South Korea, U.K.-based investigators of the poisoning of Russian dissident Sergei Skripal, and others. Assistant Attorney General John C. Demers called the hackers’ activities “the most disruptive and destructive series of computer attacks ever attributed to a single group.”
“Their [Olympics] cyberattack combined the emotional maturity of a petulant child with the resources of a nation-state,” Demers said at a press conference on Monday.
Ukraine Targeted in Multiple Attacks
The department’s chronology of Unit 74455’s campaign begins with the December 2015 Ukraine power grid attack, in which the group gained access to the corporate networks of three Ukrainian energy distribution companies using spearphishing emails. Once inside, the team deployed a variant of the BlackEnergy malware to steal user credentials, which they then used to reach the utilities’ supervisory control and data acquisition (SCADA) networks.
With SCADA access, the attackers were able to disconnect about 225,000 customers with nearly simultaneous attacks against all three companies. Following the attack, the hackers used KillDisk malware to render the infected computers inoperable. (See How a ‘Phantom Mouse’ and Weaponized Excel Files Brought Down Ukraine’s Grid.)
The hackers’ next attack on Ukraine’s energy sector began in April 2016 with the compromise of an unidentified electric company’s network. The intruders lay low inside the network until the following December, when they triggered new malware, later dubbed “Industroyer” by researchers, built specifically to attack electric grids: rather than merely wiping systems, it speaks the industrial control protocols used by substation equipment and issues commands to it directly. (See Experts ID New Cyber Threat to SCADA Systems.)
The most devastating attack began in June 2017 when the hackers unleashed the NotPetya malware. Though this intrusion again targeted Ukrainian organizations including “banks, newspapers and electricity companies,” NotPetya’s self-propagating design let it spread far beyond the networks where it was initially activated. Within hours the malware had propagated through networks around the world, including those of companies in the U.S. The indictment alleges that “for just three U.S.-related victims … monetary losses reached nearly $1 billion.”
Russia Dismisses Charges as ‘Cliches’
Russia’s Ministry of Foreign Affairs pushed back against the indictment on Tuesday, with spokeswoman Maria Zakharova, in a commentary quoted by Russian news agency Tass, calling the allegations “hackneyed cliches” lacking evidence.
“Russia’s government agencies have nothing to do with any malicious activity on the internet, contrary to what Washington tries to assert,” Zakharova said. “Apparently, behind this there are time-serving political considerations and intentions of Russophobic forces in the United States to keep afloat the agenda of a Russian threat at a time when the presidential election campaign has reached its peak.”
Perhaps anticipating such a reaction, Demers emphasized the work of DOJ’s partners in the private sector — including Cisco, Facebook, Google and Twitter — to “investigate and disrupt the Unit 74455 cyber threat.” Law enforcement and intelligence agencies from countries including Ukraine, Georgia, South Korea, the U.K. and New Zealand also contributed to the investigation.
“All of these partnerships send a clear message that responsible nations and the private sector are prepared to work together to defend against and disrupt significant cyber threats,” Demers said.