The US Department of Justice has unsealed charges today against six Russian nationals believed to be members of one of Russia's elite hacking and cyberwar units — known as Sandworm.
In court documents today, US officials said all six suspects are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of the Russian Armed Forces.
As part of this unit, US officials said the six conducted "destructive" cyber-attacks on behalf of and under orders from the Russian government, with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses.
Their attacks span the last decade and include some of the biggest cyber-attacks known to date:
But these are only the attacks documented in the DOJ indictment [PDF] unsealed today. They represent only a fraction of the group's vast cyber-operations, which go back as far as 2010.
The cyber-security industry has published extensive reporting on the group's history; in those reports the group is also tracked as Telebots, BlackEnergy, Voodoo Bear, and under other codenames.
Above all, though, the group is universally known as Sandworm. The six nationals indicted today are only the Sandworm members who could be individually linked to past Sandworm attacks; the group is believed to be made up of many more GRU officers.
The six GRU officers charged today, and their respective crimes, are listed below:
| Defendant | Summary of Overt Acts |
|---|---|
| Yuriy Sergeyevich Andrienko | Developed components of the NotPetya and Olympic Destroyer malware. |
| Sergey Vladimirovich Detistov | Developed components of the NotPetya malware; prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. |
| Pavel Valeryevich Frolov | Developed components of the KillDisk and NotPetya malware. |
| Anatoliy Sergeyevich Kovalev | Developed spearphishing techniques and messages used to target En Marche! officials, employees of the DSTL (the UK's Defence Science and Technology Laboratory), members of the IOC and Olympic athletes, and employees of a Georgian media entity. |
| Artem Valeryevich Ochichenko | Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; conducted technical reconnaissance of the Parliament of Georgia's official domain and attempted to gain unauthorized access to its network. |
| Petr Nikolayevich Pliskin | Developed components of the NotPetya and Olympic Destroyer malware. |
The six suspects are still at large in Russia. If they are apprehended and tried in the US, each would face a sentence of decades in prison.
Today's case is also something of an oddity for the cyber-security industry. Under prevailing international norms, cyber-espionage is generally treated as a conventional arm of intelligence gathering rather than as a matter for criminal prosecution.
But speaking at a press conference today, US officials said Sandworm's cyber-attacks often relied on the indiscriminate use of malware with destructive capabilities that not only caused financial losses to thousands of companies but also put human lives at risk, showing a disregard for accepted cyber-norms.
"As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite," said Assistant Attorney General for National Security John C. Demers, referring to attacks such as BlackEnergy, NotPetya, and Olympic Destroyer, none of which was aimed at intelligence gathering; all were destructive attacks intended as sabotage.
US Attorney Scott W. Brady, one of the US prosecutors, said the US has been working on a case against Sandworm operators for more than two years, in the aftermath of the NotPetya outbreak, a wiper attack that masqueraded as ransomware.
"The crimes committed by Russian government officials were against real victims who suffered real harm," Brady said in a prepared statement. "We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims."
Shortly after the indictments were announced, the UK government also formally accused Russia's Sandworm group of attempting to disrupt this year's Tokyo Olympics before the event was postponed to next year due to COVID-19. The UK also expressed support for the US legal case.