On October 19, 2020, the Department of Justice (DOJ) announced that six Russian GRU officers had been charged in connection with a series of destructive cyber-attacks that affected victims around the globe and caused billions of dollars of damage.
The Russian hackers are alleged to be a part of the group known as Sandworm, which is believed to operate as part of Russia’s Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The indictment alleges that the GRU hackers engaged in “computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.”
According to the announcement, the indictment marks the end of a multi-year effort by the FBI and DOJ to expose the activities of these Russian GRU officers in connection with some of the most destructive cyber-attacks of the past decade. Notably, the investigation also involved significant cooperation and assistance provided by authorities of other countries, including Ukraine, Korea, New Zealand, Georgia, and the United Kingdom.
Additional details regarding each of these attacks are included below.
(1) Ukraine and the NotPetya Malware
Between December 2015 and December 2016, Sandworm is alleged to have launched a series of devastating cyberattacks against Ukraine’s Ministry of Finance, State Treasury Service, and the Ukrainian power grid, at various times temporarily disabling the Ministry of Finance’s telecommunication infrastructure and leaving a quarter of a million Ukrainians without power.
The following year, in 2017, Sandworm allegedly executed a series of malware attacks against Ukrainian organizations, including banks and electricity companies. The malware, known as NotPetya, was designed to spread automatically to other victims, and as a result, the attacks ended up causing billions of dollars of damage on a global scale, including compromising systems at companies such as Merck and FedEx, as well as two hospitals and 60 physician offices in the U.S.
(2) Georgia
The indictment alleges that, similar to the attacks on Ukraine since 2015, the hackers engaged in a cyber campaign against public and private entities in the country of Georgia in order to “undermine confidence in and otherwise destabilize Georgia.” The attacks included the defacement of approximately 15,000 websites.
(3) 2017 Elections in France
The indictment alleges that in early May 2017, the hackers conducted spearphishing campaigns against more than 100 politicians and high-profile individuals in France, using lure topics ranging from public security announcements regarding terrorist attacks to software updates for voting machines.
(4) Efforts to hold Russia accountable for use of weapons-grade nerve agent
In 2018, the OPCW, the body that implements the Chemical Weapons Convention of 1997, released findings from an investigation into the poisoning of a former GRU officer with a nerve agent earlier that year. In response to the OPCW’s investigation, the hackers allegedly conducted spearphishing campaigns against the agencies involved in the investigation.
(5) 2018 Winter Olympic Games
In December 2017, the International Olympic Committee prohibited Russian athletes from participating in the 2018 Winter Olympics after concluding that there was a systematic doping scheme involving Russian athletes and Russia’s Ministry of Sport. In response to this decision, the indictment alleges that the hackers designed a multi-faceted campaign to attack and disrupt the Olympics by conducting computer intrusions against Olympic partners and athletes, including information technology providers supporting the Olympic Games. The campaign allegedly began with a series of highly tailored spearphishing emails in various languages (examples are included in the indictment) and included the development of fake malicious apps (e.g., “Seoul Bus Tracker”) and the deployment of malware referred to as “Olympic Destroyer,” which compromised thousands of computers and ultimately caused disruptions during the opening ceremony of the Olympics.
The indictment presents very detailed information on the mechanics of the attacks, including examples of phishing emails used by the attackers and details regarding the tactics used by the hackers to compromise systems and avoid attribution (including by crafting the malware’s computer code to appear to stem from the Lazarus Group in North Korea).