Sandworm

The U.S. Department of Justice has charged six Russian intelligence operatives for hacking operations related to the Pyeongchang Winter Olympics, the 2017 French elections, and the notorious NotPetya ransomware attack.

Believed to be part of the elite Russian hacking group known as "Sandworm", the indictment states that all six individuals are part of the Russian Main Intelligence Directorate known as GRU.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers.

The US indicted Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko , 27; and Petr Nikolayevich Pliskin, 32.

They are all charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.

FBI GRU

The hacking activities they were indicted for include:

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
    NotPetya attack
    NotPetya attack
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
    PyeongChang Winter Olympics spearphishing example
    PyeongChang Winter Olympics spearphishing example
    Source: Indictment
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

In rare detail, the Department of Justice has detailed each charged person with the specific activity and operations that they were involved in.

Defendant

Summary of Overt Acts

Yuriy Sergeyevich Andrienko

· Developed components of the NotPetya and Olympic Destroyer malware.

Sergey Vladimirovich Detistov

· Developed components of the NotPetya malware; and

· Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.

Pavel Valeryevich Frolov

· Developed components of the KillDisk and NotPetya malware.

Anatoliy Sergeyevich Kovalev

· Developed spearphishing techniques and messages used to target:

- En Marche! officials;

- employees of the DSTL;

- members of the IOC and Olympic athletes; and

- employees of a Georgian media entity.

Artem Valeryevich Ochichenko

· Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and

· Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

Petr Nikolayevich Pliskin

· Developed components of the NotPetya and Olympic Destroyer malware.

One of the indicted people, Anatoliy Sergeyevich Kovalev, was previously charged in 2018 for hacking the DNC and running the DCLeaks site.

NotPetya has previously been attributed to the Sandworm group, also known as BlackEnergy and TeleBots. They were also tied to the KillDisk wiper attacks targeting Ukrainian banks and sea transportation companies.

The cyberattacks targeting the 2017 French election were previously attributed to another state-sponsored Russian hacking group known as Fancy Bear.

Related Articles:

U.S. indicts Russian GRU hacker, offers $10 million reward

NATO and EU condemn Russia's cyberattacks against Germany, Czechia

TeamViewer links corporate cyberattack to Russian state hackers

US sanctions 12 Kaspersky Lab execs for working in Russian tech sector

Biden bans Kaspersky antivirus software in US over security concerns