US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks

The US Department of Justice has unsealed charges today against six Russian nationals believed to be part of one of Russia’s most elite and secretive hacking groups, universally known as Sandworm.

US officials said all six nationals are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the Russian Army, DOJ officials said today.

Under orders from the Russian government, US officials said the six (believed to be part of a much larger group) conducted cyber-attacks on behalf of the Russian government with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses.

Their attacks span the last decade and include some of the biggest cyber-attacks known to date:

1. Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk; 
2. French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (“En Marche!”) political party, French politicians, and local French governments prior to the 2017 French elections; 
3. Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017, destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (“Heritage Valley”) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express BV; and a large US pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks; 
4. PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (“IOC”) officials;  
5. PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the February 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
6. Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (“OPCW”) and the United Kingdom’s Defence Science and Technology Laboratory’s (“DSTL”) into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens; and 
7. Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

The group’s activities have not gone undetected.

Many of these cyber-attacks have been documented by the cyber-security industry in reports published since at least 2010.

The group’s activities and malware have been often referenced under codenames like Telebots, BlackEnergy, Voodoo Bear, but above all Sandworm — now, the universal name under which the group is mostly referred to.

According to court documents, the six GRU officers charged today, and their respective crimes, are listed below:

The six supects are still at large in Russia. If they are apprehended and trialed in the US, all six risk sentences of tens of years in prison, each.

Irresponsible use of destructive malware

But today’s case is also a rarity. International norms exempt espionage operations from international prosecution.

But in a press conference today, US officials said the group’s cyber-attacks often relied on the indiscriminate use of malware with destructive capabilities that caused not only financial losses to thousands of companies but also put human life at risk, showing a disregard for norms.

“As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers, referring to the attacks against Olympic Games infrastructure (a non-espionage target) after Russian athletes where banned from participating, and the NotPetya ransomware, which Sandworm initially targeted only at Ukraine but over which they quickly lost control, damaging companies worldwide.

Because of this “irresponsible” use of destructive malware, US officials claim Sandworm caused damages of over $1 billion to victims worlwide.

US Attorney Scott W. Brady said the US has been working for the past two years on a case against Sandworm operators.

“The crimes committed by Russian government officials were against real victims who suffered real harm,” Brady said in a prepared statement. “We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victim.”