The Department of Justice announced today that it indicted six computer hackers – all of them Russian nationals and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU) – for their alleged roles in a wide range of government-sponsored cyber attacks.
“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption, and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott W. Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”
The GRU hackers – Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin – engaged in computer intrusions and attacks that caused nearly $1 billion in damages to just three of their victims, the U.S. alleges.
The DoJ said the attackers’ goals were to “support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.”
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.”
In a press release, the DoJ noted that the attackers utilized “some of the world’s most destructive malware to date.” The hackers are charged with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name. In the indictment, the DoJ alleges that the hackers and their co-conspirators were involved in seven specific intrusions and attacks:
- “Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
- French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
- Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
- PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
- Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
- Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.”