U.S. charges Russian hackers with sweeping campaign of cyberattacks

A federal grand jury has charged six Russian nationals with a wide-ranging campaign of cyberattacks — including a highly destructive global malware rampage and a 2018 attack on the Winter Olympic Games — that reflects the scope and intensity of Russia’s digital aggression.

As officers of Russia's GRU military intelligence agency, the six defendants launched a June 2017 malware campaign known as NotPetya, hacked the Ukrainian power grid in 2015 and 2016, and conducted the hack-and-leak operations that targeted the 2017 French elections, according to a newly unsealed indictment.

NotPetya, which began in Ukraine, quickly escaped, causing devastating losses for companies around the world. The shipping giant Maersk saw its entire operation temporarily collapse as the malware locked up its computer systems. A White House report estimated the malware’s total damages at $10 billion, according to Wired. It was the most destructive and widespread malware outbreak in history.

“No country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite,” John Demers, the head of the Justice Department's National Security Division, said at a news conference.

The six Russians also conducted so-called spearphishing attacks — which use malicious emails to dupe victims into exposing their private information — against British and international experts investigating the poisoning of former Russian intelligence officer Sergei Skripal, the indictment said. Experts later attributed the poisoning to the Kremlin.

The hacking campaign included other attacks that furthered Russia’s strategic interests, the U.S. charged, including spearphishing and mobile malware campaigns targeting athletes and other people involved in the 2018 Winter Olympics in PyeongChang, South Korea, from which Russian athletes were banned due to a doping scandal. Those attacks culminated with malware that disrupted the Olympics’ opening ceremonies.

According to the indictment, the men also conducted widespread digital attacks on companies and government agencies in Georgia, the former Soviet republic where Russia has increasingly asserted itself since a short 2008 war.

The campaign also allegedly included the 2015 and 2016 breaches of Ukrainian energy utilities, which caused a series of blackouts and represented the first known instance of a cyberattack disrupting a power grid. Cyber experts have described Ukraine as Russia’s test bed for future cyberattacks on other adversaries.

Russia’s April and May 2017 cyberattacks on the French presidential election represented Moscow’s first major election interference operation since its higher-profile intervention in the 2016 U.S. presidential campaign.

The French attack fizzled due to a media blackout in the final weekend of the race, but it still raised alarms across Europe about the need to prepare for future attacks.

“Today's allegations in their entirety provide a useful lens for evaluating Russia's offer two weeks ago for a reset in cyber relations between Russia and the United States,” said Demers, referring to recent comments by Russian President Vladimir Putin.

Putin’s proposal, Demers said, “is nothing more than dishonest rhetoric and cynical and cheap propaganda.”

The six Russian men — Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin — face seven counts, including charges of aggravated identity theft and conspiracy to conduct computer fraud and abuse.

Monday’s announcement is notable more for its symbolism — a forceful rebuke of Russian aggression from an administration led by President Donald Trump, who routinely downplays it — than for its factual revelations. Experts had already linked all of the cyber campaigns described in the indictment to Moscow’s digital army.

Officials stressed that the defendants’ alleged activities were far more dangerous than mere espionage.

“The victims who suffered real harm as a result of these crimes are often ordinary citizens and businesses around the world,” said Scott Brady, the U.S. attorney for the Western District of Pennsylvania.

In addition, Brady said, the countries primarily targeted in these attacks have something in common: their respect for Western democratic norms and ideals.

“For these reasons,” he said, “they also share a common threat: Russia, a country that will stop at nothing to destroy those ideals and instill a sense of instability in its adversaries.”

While the attacks are old news, the indictment describes their perpetrators in some detail. All six men are members of the GRU’s Military Unit 74455, prosecutors said.

“This is a rather aggressive group that is called upon repeatedly to punish or otherwise retaliate against detractors of the Russian Federation,” said a Justice Department official who briefed reporters on the condition of anonymity.

Andrienko and Pliskin “developed components” of the “Olympic Destroyer” malware that sabotaged the games’ opening ceremony, according to the indictment, while Frolov helped develop NotPetya and Kovalev participated in the French spearphishing attacks.

For the 2015 Ukrainian power grid attack, the hackers used malware dubbed “BlackEnergy” to steal user credentials for the industrial control systems that ran the grid. They then deployed malware known as “KillDisk” to wipe utility computers’ logs and cripple their operating systems. In 2016, they returned with even more sophisticated malware, dubbed “Industroyer,” which was specifically designed to hunt for and disrupt power grid control systems.

The 2015 hack cut electricity to more than 225,000 people, while the 2016 attack disrupted the supply of power to the capital, Kyiv, for roughly an hour, according to the indictment.

To undermine the 2017 presidential candidacy of France’s Emmanuel Macron, a harsh critic of Russia, the defendants set to work sending spearphishing emails to members of Macron’s party, En Marche!, along with other high-profile targets and several local governments. The emails contained terrorist attack bulletins, purported voting machine software update announcements and “journalist scoops on political scandals,” prosecutors said.

After successfully compromising some victims, according to the indictment, the Russians used a social media account to offer alleged En Marche! documents to “various French individuals,” in an echo of their 2016 tactics.

The June 2017 NotPetya attack illustrated how a targeted cyber campaign can spiral out of control in a networked world. It began with intrusions into Ukrainian companies through compromised tax software, but it quickly escaped Ukraine and spread far and wide.

Heritage Valley Health System, a Pennsylvania healthcare company, discovered infections at “two hospitals, 60 physician offices, and 18 community satellite facilities,” according to the indictment.

NotPetya, which used leaked NSA hacking code, posed as ransomware, a variant of malware that encrypts victims’ files and forces them to pay a ransom to decrypt them. But this was a ruse, experts quickly concluded, since the code lacked an actual decryption mechanism.

NotPetya caused $1 billion in damage at just three of its targets alone, according to the indictment: Heritage Valley Health System, FedEx subsidiary TNT Express and an unnamed major American pharmaceutical company. The latter firm spent $500 million containing and recovering from the attack, according to the indictment. Pharma titan Merck reportedly spent $1.3 billion as part of its recovery operation.

In an illustration of the hackers’ indifference to the suffering of their victims — as well as an indicator of the breadth of evidence that prosecutors assembled — the indictment reports that Andrienko, Pliskin and other participants “celebrated” NotPetya’s global domination as it unfolded in late June.

The attacks against the 2018 Winter Olympics took place in three stages, according to prosecutors.

The first effort involved spearphishing attacks against athletes, the South Korean government and the International Olympic Committee. One spearphishing email allegedly spoofed a communiqué from South Korea’s counterterrorism agency to deploy malware that used a technique called steganography to hide malicious instructions in a seemingly benign image file.

During the second phase, the hackers used fake email apps to spy on South Korean nationals and foreign visitors in the lead-up to the games.

The third phase was the loudest and most significant. According to the indictment, throughout December 2017 and January 2018, the defendants poked through the network of a company providing IT services to the IOC. Later, the hackers jumped from the network of a second IT firm into the network of the organizing committee, using this access to launch an attack that grabbed headlines. The malware responsible for this attack, fittingly named “Olympic Destroyer,” wiped and crippled thousands of computers.

Several months later, Russia retaliated against the Organisation for the Prevention of Chemical Weapons and the U.K.’s Defence Science and Technology Laboratory for their reports about the poisoning of Skripal, the ex-Russian agent. The hackers used spearphishing messages impersonating British and German journalists to breach the two organizations.

Later in 2018 and throughout 2019, the defendants used their skills to sow chaos in Georgia, which has struggled to escape from Moscow’s shadow in the decades since it gained independence. One of the hackers’ operations, in October 2019, defaced roughly 15,000 Georgian government, private-sector and non-governmental organization websites. This attack also disrupted access to some of the sites by compromising a web-hosting company.

At Monday’s news conference, officials described the new indictment as a testament to collaboration among U.S. and international agencies.

Michael Christman, the special agent in charge of the FBI’s Pittsburgh field office, thanked agents in Atlanta who lent their expertise to the Ukrainian grid and NotPetya portions of the investigation, as well as the Oklahoma City agents who provided insight into the GRU.

“The cyber threat continues to be daunting,” said FBI Deputy Director David Bowdich, “but when we bring the right people, the right tools, and the right authorities, our adversaries, we believe, are no match to what we can accomplish together.”