January 25, 2022

News

News Network

Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace

24 min read

Defendants’ Malware Attacks Caused Nearly One Billion USD in Losses to Three Victims Alone; Also Sought to Disrupt the 2017 French Elections and the 2018 Winter Olympic Games

On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. 

These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. 

Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.  The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access  to victim computers (hacking).  As alleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing computer intrusions and attacks:

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

Cybersecurity researchers have tracked the Conspirators and their malicious activity using the labels “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”

The charges were announced by Assistant Attorney General John C. Demers; FBI Deputy Director David Bowdich; U.S. Attorney for the Western District of Pennsylvania Scott W. Brady; and Special Agents in Charge of the FBI’s Atlanta, Oklahoma City, and Pittsburgh Field Offices, J.C. “Chris” Hacker, Melissa R. Godbold, and Michael A. Christman, respectively.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers.  “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.”

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said U.S. Attorney Scott W. Brady for the Western District of Pennsylvania.  “The crimes committed by Russian government officials were against real victims who suffered real harm.  We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.” 

“The exceptional talent and dedication of our teams in Pittsburgh, Atlanta and Oklahoma City who spent years tracking these members of the GRU is unmatched,” said FBI Pittsburgh Special Agent in Charge Michael A. Christman.  “These criminals underestimated the power of shared intelligence, resources and expertise through law enforcement, private sector and international partnerships.”

The defendants, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), 32; Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), 35; Pavel Valeryevich Frolov (Павел Валерьевич Фролов), 28; Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), 29; Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), 27; and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), 32, are all charged in seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.  Each defendant is charged in every count.  The charges contained in the indictment are merely accusations, however, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt.

The indictment accuses each defendant of committing the following overt acts in furtherance of the charged crimes:

Defendant

Summary of Overt Acts

Yuriy Sergeyevich Andrienko

·      Developed components of the NotPetya and Olympic Destroyer malware.

Sergey Vladimirovich Detistov

·      Developed components of the NotPetya malware; and

·      Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. 

Pavel Valeryevich Frolov

·       Developed components of the KillDisk and NotPetya malware.

Anatoliy Sergeyevich Kovalev

·       Developed spearphishing techniques and messages used to target:

–       En Marche! officials;

–       employees of the DSTL;

–       members of the IOC and Olympic athletes; and

–       employees of a Georgian media entity.

Artem Valeryevich Ochichenko

·       Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and

·       Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

Petr Nikolayevich Pliskin

·       Developed components of the NotPetya and Olympic Destroyer malware. 

The defendants and their co-conspirators caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States. 

The NotPetya malware, for example, spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses.  Those losses were only part of the harm, however.  For example, the NotPetya malware impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of Pennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities.  The attack caused the unavailability of patient lists, patient history, physical examination files, and laboratory records.  Heritage Valley lost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and administrative computer systems for almost one month, thereby causing a threat to public health and safety.

The conspiracy to commit computer fraud and abuse carries a maximum sentence of five years in prison; conspiracy to commit wire fraud carries a maximum sentence of 20 years in prison; the two counts of wire fraud carry a maximum sentence of 20 years in prison; intentional damage to a protected computer carries a maximum sentence of 10 years in prison; and the two counts of aggravated identity theft carry a mandatory sentence of two years in prison.  The indictment also alleges false registration of domain names, which would increase the maximum sentence of imprisonment for wire fraud to 27 years in prison; the maximum sentence of imprisonment for intentional damage to a protected computer to 17 years in prison; and the mandatory sentence of imprisonment for aggravated identity theft to four years in prison.  These maximum potential sentences are prescribed by Congress, however, and are provided here for informational purposes only, as the assigned judge will determine any sentence of a defendant.

Defendant Kovalev was previously charged in federal indictment number CR 18-215, in the District of Columbia, with conspiring to gain unauthorized access into the computers of U.S. persons and entities involved in the administration of the 2016 U.S. elections.

Trial Attorney Heather Alpino and Deputy Chief Sean Newell of the National Security Division’s Counterintelligence and Export Control Section and Assistant U.S. Attorneys Charles Eberle and Jessica Smolar of the U.S. Attorney’s Office for the Western District of Pennsylvania are prosecuting this case.  The FBI’s Atlanta, Oklahoma City, and Pittsburgh field offices conducted the investigation, with the assistance of the FBI’s Cyber Division.

The Criminal Division’s Office of International Affairs provided critical assistance in this case.  The department also appreciates the significant cooperation and assistance provided by Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, as well as many of the FBI’s Legal Attachés and other foreign authorities around the world.  Numerous victims cooperated and provided valuable assistance in the investigation.

The department is also grateful to Google, including its Threat Analysis Group (TAG); Cisco, including its Talos Intelligence Group; Facebook; and Twitter, for the assistance they provided in this investigation.  Some private sector companies independently disabled numerous accounts for violations of the companies’ terms of service.

News Network

  • Under Secretary for Arms Control and International Security Bonnie Jenkins to Participate in the IAEA General Conference (September 20-21) and UN General Assembly (September 23)
    In Crime Control and Security News
    Office of the [Read More…]
  • Sudan National Day Statement
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • Senate Disbursing Office: Procedures Related to 2021 Cash Count
    In U.S GAO News
    What GAO Found GAO performed agreed-upon procedures at the Senate Disbursing Office (SDO) consisting of (1) identifying the authorized and reported amount of cash accountability for the Secretary of the Senate, (2) counting all cash items that support the cash accountability level of the SDO, (3) counting all noncash items that support the cash accountability level of the SDO, and (4) agreeing the total amount counted to the authorized amount and reported amount of cash accountability. The total value of cash and noncash items counted on August 10, 2021, agreed to the cash accountability level that the SDO authorized and reported, except for a difference of $3.06, which SDO officials stated is a known overage that has accumulated over time. The Secretary of the Senate is responsible for the sufficiency of these agreed-upon procedures to meet the SDO's objectives, and GAO makes no representation in that respect. The report provides the details on the agreed-upon procedures and the results of performing each of the procedures. The Secretary of the Senate in an email response stated that she had no comments on the draft report. Why GAO Did This Study The Chairwoman and Ranking Member of the Senate Committee on Rules and Administration requested that GAO perform procedures on the cash accountability level that the SDO authorized and reported. The cash accountability level represents the value of cash and noncash items for which the Secretary of the Senate, as disbursing officer for the U.S. Senate, is responsible. For more information, contact Hannah Padilla at (202) 512-5683 or padillah@gao.gov.
    [Read More…]
  • Three New Views of Mars’ Moon Phobos
    In Space
    Taken with the infrared [Read More…]
  • Justice Department Files Complaint Against Professional Compounding Centers of America Inc. for Reporting Fraudulent Pricing Information for Ingredients Sold to Pharmacies
    In Crime News
    The Justice Department has filed a complaint under the False Claims Act against Professional Compounding Centers of America Inc. (PCCA), a Houston-based company that sells active pharmaceutical ingredients and other products and services to compounding pharmacies.
    [Read More…]
  • Rule of Law Assistance: State and USAID Could Improve Monitoring Efforts
    In U.S GAO News
    The Department of State (State) Bureau of International Narcotics and Law Enforcement Affairs (State/INL) and the U.S. Agency for International Development (USAID) provided sufficient documentation for GAO to conclude that they followed most key practices for monitoring rule of law assistance for the awards we reviewed from selected countries. However, the agencies did not provide sufficient documentation demonstrating that they followed other key practices. Overall, State/INL followed these practices in most cases and USAID did so in almost all cases. Specifically, GAO's review of 19 State/INL and USAID projects found that USAID in all cases, and State/INL in most cases, followed key practices for planning a monitoring approach, such as developing project goals, objectives, and performance indicators. However, State/INL did not consistently demonstrate that project representatives included project goals and objectives in monitoring plans, and did not consistently identify risks in those plans (see fig.). Furthermore, neither agency could demonstrate that project representatives consistently assessed and approved monitoring reports from implementing partners. Following key monitoring practices helps to ensure that agencies stay well-informed of project performance and take corrective action when necessary, and that projects achieve their intended results. Without complete documentation, management cannot be sure that these practices are being followed. State/INL and USAID Alignment with Key Practices for Monitoring Rule of Law Assistance State and USAID have various processes to conduct, share, and use rule of law project evaluations to improve future efforts. Both agencies disseminate evaluations through online systems, briefings, and presentations, and have established approaches to track the implementation of evaluation recommendations, such as through spreadsheets or other documentation. The agencies use these evaluations in various ways to inform project design and strategic planning. Rule of law strengthens protection of fundamental rights and serves as a foundation for democratic governance and economic growth. According to State, strengthening judicial and legal systems in certain countries is vital to U.S. national security interests. State and USAID allocated over $2.7 billion for rule of law assistance overseas from fiscal years 2014 through 2018. GAO was asked to review monitoring and evaluation of U.S. rule of law assistance around the world. This report examines, among other objectives, the extent to which the agencies followed key practices for monitoring rule of law projects in selected countries, and processes agencies have in place to use evaluations to inform future rule of law assistance. GAO analyzed relevant laws and agency policies and other documents, and interviewed officials in Washington, D.C., and four countries—Colombia, Kosovo, Liberia, and the Philippines—selected based on funding amounts and other factors. GAO recommends that State/INL establish procedures to ensure project goals, objectives, and risks are identified in monitoring plans. GAO also recommends that State/INL establish and USAID enhance procedures to ensure project staff assess and approve monitoring reports. State and USAID concurred with GAO's recommendations. For more information, contact Chelsa Kenney Gurkin at (202) 512-2964 or gurkinc@gao.gov.
    [Read More…]
  • On Transgender Day of Remembrance
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • CBP Mobile Passport Control (MPC) Mobile Application Privacy Policy
    In Travel
    Thank you for [Read More…]
  • Department Press Briefing – September 15, 2021
    In Crime Control and Security News
    Ned Price, Department [Read More…]
  • Florida Man Pleads Guilty to Payment Processing Fraud Scheme
    In Crime News
    A Florida man pleaded guilty today in the U.S. District Court for the District of Massachusetts to conspiracy to commit wire fraud in connection with a scheme to deceive banks and credit card companies into processing credit and debit card payments on behalf of merchants involved in prohibited and high-risk businesses, including online gambling, debt collection, payday lending, and prescription drugs.
    [Read More…]
  • The President’s National Space Policy
    In Crime Control and Security News
    Michael R. Pompeo, [Read More…]
  • Secretary Blinken’s Call with Tanzanian President Hassan
    In Crime Control and Security News
    Office of the [Read More…]
  • Sam’s Test Record for Drupal Testing
    In U.S GAO News
    This is Sam's Test Record for Drupal Testing.
    [Read More…]
  • Secretary Blinken’s Call with NATO Secretary General Stoltenberg
    In Crime Control and Security News
    Office of the [Read More…]
  • Panamanian Intermediary Extradited to the United States Pleads Guilty to International Bribery and Money Laundering Scheme
    In Crime News
    Ricardo Alberto Martinelli Linares (Ricardo Martinelli Linares), 42, a citizen of Panama and Italy, pleaded guilty today in the Eastern District of New York before U.S. District Judge Raymond J. Dearie for laundering $28 million in a massive bribery and money laundering scheme involving Odebrecht S.A. (Odebrecht), a Brazil-based global construction conglomerate. 
    [Read More…]
  • Navy Ships: Timely Actions Needed to Improve Planning and Develop Capabilities for Battle Damage Repair
    In U.S GAO News
    What GAO Found The Navy has identified several challenges with using its regular maintenance capability (which restores ships to fully operational status) to provide battle damage repairs during a great power conflict. Challenges include—the lack of established doctrine for battle damage repair, unclear command and control roles, and a shortage of repair capacity. The Navy Process for Repairing Ships Damaged in Battle The Navy is in the early stages of determining how it will provide battle damage repair during a great power conflict. Eight organizations are responsible for the Navy's 15 battle damage repair planning efforts, however the Navy has not designated an organization to lead and oversee these efforts. Without designated leadership, the Navy may be hindered in its efforts to address the many challenges it faces in sustaining its ships during a great power conflict. The Navy develops ship vulnerability models during a ship's acquisition to estimate damage during a conflict. These models are also used to inform war games that refine operational approaches and train leaders on decision-making. However, the Navy does not update these models over a ship's decades-long service life to reflect changes to key systems that could affect model accuracy. As a result, it lacks quality data on ship mission-critical failure points to inform its analysis of battle damage repair needs. Without periodically assessing and updating its models to accurately reflect the ship's mission-critical systems, the Navy has limited its ability to assess and develop battle damage repair capabilities necessary to sustain ships in a conflict with a great power competitor. Why GAO Did This Study The ability to repair and maintain ships plays a critical role in sustaining Navy readiness. After the Cold War, the Navy divested many wartime ship repair capabilities. With the rise of great power competitors capable of producing high-end threats in warfare, the Navy must now be prepared to quickly salvage and repair damage to a modern fleet. House Report 116-120, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2020, included a provision for GAO to assess the Navy's efforts to identify and mitigate challenges in repairing battle-damaged ships during a great power conflict. GAO's report (1) discusses the challenges the Navy has identified in using its regular maintenance capability for battle damage repair, and (2) evaluates the extent to which the Navy has begun developing the battle damage repair capability it requires to prevail in a great power conflict. GAO reviewed relevant guidance and assessed reports on naval war games and other documentation to identify challenges that may impede the planning and repair of battle-damaged ships and efforts to improve the repair capability for a great power conflict.
    [Read More…]
  • Assistant Attorney General Beth A. Williams Delivers Remarks to the National Association of Attorneys General on Responsible Encryption and Lawful Access
    In Crime News
    Good afternoon, everyone.  First, I would like to thank Amie Ely and the wonderful team at NAAG for all of their amazing work, and for hosting this event on such an important topic.  Thank you as well to everyone in the audience for taking the time to join virtually for what should be a truly interesting conversation.  Perhaps it’s fitting that we are having a discussion — via webcam — that highlights the importance of digital evidence.
    [Read More…]
  • Briefing with Senior State Department Official On Ongoing Efforts to Facilitate the Departure of U.S. Citizens, Lawful Permanent Residents, and Other Priority Groups from Afghanistan
    In Crime Control and Security News
    Office of the [Read More…]
  • Drug trafficker sentenced for meth and cocaine conspiracy
    In Justice News
    A 45-year-old Laredo [Read More…]
  • Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit
    In Crime News
    Good afternoon. My name is Brian Boynton and I am the Acting Assistant Attorney General for the Civil Division at the Department of Justice. 
    [Read More…]

Crime

Network News © 2005 Area.Control.Network™ All rights reserved.