US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks

The US Department of Justice has unsealed charges today against six GRU officers believed to be members of Sandworm, one of today's most advanced state-sponsored hacking groups.
Written by Catalin Cimpanu, Contributor

The US Department of Justice has unsealed charges today against six Russian nationals believed to be members of one of Russia's elite hacking and cyberwar units — known as Sandworm.

In court documents today, US officials said all six suspects are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency part of the Russian Army.

As part of this unit, US officials said the six conducted "destructive" cyber-attacks on behalf and under orders of the Russian government with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses.

Their attacks span the last decade and include some of the biggest cyber-attacks known to date:

  1. Ukrainian Government & Critical Infrastructure: From December 2015 through December 2016, the group orchestrated destructive malware attacks against Ukraine's electric power grid, the Ukraine Ministry of Finance, and the Ukraine State Treasury Service, using malware that altered industrial equipment (BlackEnergy in 2015 and Industroyer in 2016) or wiped hard drives (KillDisk).
  2. French Elections: In April and May 2017, Sandworm orchestrated spearphishing campaigns and related hack-and-leak efforts targeting French President Macron's "La République En Marche!" ("En Marche!") political party, French politicians, and local French governments prior to the 2017 French elections.
  3. The NotPetya Ransomware Outbreak: On June 27, 2017, Sandworm released the NotPetya ransomware. Initially aimed at Ukrainian companies, the ransomware quickly spread and impacted companies all over the world, causing damages of more than $1 billion to its victims.
  4. PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: From December 2017 through February 2018, Sandworm launched spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee ("IOC") officials. The attacks took place after Russian athletes were banned from the sporting event due to a state-sponsored doping scheme.
  5. PyeongChang Winter Olympics IT Systems (Olympic Destroyer): From December 2017 through February 2018, Sandworm orchestrated intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated on February 9, 2018, with the release of Olympic Destroyer, a destructive malware strain that attempted to wipe crucial servers during the opening ceremony.
  6. Novichok Poisoning Investigations: In April 2018, the Sandworm group orchestrated spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons ("OPCW") and the United Kingdom's Defence Science and Technology Laboratory ("DSTL") into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens.
  7. Georgian Companies and Government Entities: In 2018, Sandworm carried out spearphishing campaigns targeting a major media company in the country of Georgia. These attacks were followed in 2019 by efforts to compromise the network of Georgian Parliament, and a mass website defacement campaign in 2019.

But these are only the attacks documented in the DOJ indictment [PDF] unsealed today. They represent only a fraction of the group's vast cyber-operations, which go back as far as 2010.

To read more on the group's history, reports from the cyber-security industry are also available here, with the group also being referenced as Telebots, BlackEnergy, Voodoo Bear, and under other codenames.

But above all, the group is universally known as Sandworm. However, the six nationals indicted today are only the Sandworm members who could individually be linked to past Sandworm attacks. The group is believed to be made up of many more GRU officers.

The six GRU officers charged today, and their respective crimes, are listed below:

Summary of Overt Acts

Yuriy Sergeyevich Andrienko
  - Developed components of the NotPetya and Olympic Destroyer malware.

Sergey Vladimirovich Detistov
  - Developed components of the NotPetya malware; and
  - Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.

Pavel Valeryevich Frolov
  - Developed components of the KillDisk and NotPetya malware.

Anatoliy Sergeyevich Kovalev
  - Developed spearphishing techniques and messages used to target:
    - En Marche! officials;
    - employees of the DSTL;
    - members of the IOC and Olympic athletes; and
    - employees of a Georgian media entity.

Artem Valeryevich Ochichenko
  - Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and
  - Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

Petr Nikolayevich Pliskin
  - Developed components of the NotPetya and Olympic Destroyer malware.


The six suspects are still at large in Russia. If they are apprehended and tried in the US, each of the six would face a sentence of tens of years in prison.

Irresponsible use of destructive malware

But today's case is also an oddity in the cyber-security industry. International norms exempt cyber-espionage operations from international prosecution, as cyber-espionage is considered an arm of normal intelligence gathering operations.

But speaking at a press conference today, US officials said Sandworm's cyber-attacks often relied on the indiscriminate use of malware with destructive capabilities that caused not only financial losses to thousands of companies but also put human life at risk, showing a disregard for regular cyber-norms.

"As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite," said Assistant Attorney General for National Security John C. Demers, referring to attacks like BlackEnergy, NotPetya, and OlympicDestroyer, none of which was aimed at intelligence gathering; all were clearly destructive attacks intended as sabotage.

US Attorney Scott W. Brady, one of the US prosecutors, said the US has been working on a case against Sandworm operators for more than two years, as part of the aftermath of the NotPetya ransomware outbreak.

"The crimes committed by Russian government officials were against real victims who suffered real harm," Brady said in a prepared statement. "We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims."

Shortly after the indictments were announced, the UK government also formally accused Russia's Sandworm group of attempts to disrupt this year's Tokyo Olympics before the event was moved to next year due to COVID-19. The UK also showed support for the US legal case.
