Alston & Bird Privacy Blog
DOJ Announces Indictment of Russian Hackers for Destructive Cyber-Attacks, Including Deployment of NotPetya and Olympic Destroyer Malware

October 21, 2020 By Emily Poole

On October 19, 2020, the Department of Justice (DOJ) announced that six Russian GRU officers had been charged in connection with a series of destructive cyber-attacks that affected victims around the globe and caused billions of dollars of damage.

The Russian hackers are alleged to be a part of the group known as Sandworm, which is believed to operate as part of Russia’s Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The indictment alleges that the GRU hackers engaged in “computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.”

According to the announcement, the indictment marks the end of a multi-year effort by the FBI and DOJ to expose the activities of these Russian GRU officers in connection with some of the most destructive cyber-attacks of the past decade. Notably, the investigation also involved significant cooperation and assistance from authorities in other countries, including Ukraine, Korea, New Zealand, Georgia, and the United Kingdom.

Additional details regarding each of these attacks are included below.

(1) Ukraine and the NotPetya Malware

Between December 2015 and December 2016, Sandworm is alleged to have launched a series of devastating cyber-attacks against Ukraine’s Ministry of Finance, State Treasury Service, and the Ukrainian power grid, at various times temporarily disabling the Ministry of Finance’s telecommunication infrastructure and leaving a quarter of a million Ukrainians without power.

The following year, in 2017, Sandworm allegedly executed a series of malware attacks against Ukrainian organizations, including banks and electricity companies. The malware, known as NotPetya, was designed to spread automatically to other victims, and as a result, the attacks ended up causing billions of dollars of damage on a global scale, including compromising systems at companies such as Merck and FedEx, as well as two hospitals and 60 physician offices in the U.S.

(2) Georgia

The indictment alleges that similar to the attacks on Ukraine since 2015, the hackers engaged in a cyber campaign against public and private entities in the country of Georgia in order to “undermine confidence in and otherwise destabilize Georgia.” The attacks included the defacement of approximately 15,000 websites.

(3) 2017 Elections in France

The indictment alleges that in early May 2017, the hackers conducted spearphishing campaigns against more than 100 politicians and high-profile individuals in France, with topics ranging from public security announcements regarding terrorist attacks to software updates for voting machines.

(4) Efforts to hold Russia accountable for use of weapons-grade nerve agent

In 2018, the OPCW, the body that implements the Chemical Weapons Convention of 1997, released findings from an investigation into the poisoning of a former GRU officer with a nerve agent earlier that year. In response to the OPCW’s investigation, the hackers allegedly conducted spearphishing campaigns against the agencies involved in the investigation.

(5) 2018 Winter Olympic Games

In December 2017, the International Olympic Committee prohibited Russian athletes from participating in the 2018 Winter Olympics after concluding that there was a systematic doping scheme involving Russian athletes and Russia’s Ministry of Sport. In response to this decision, the indictment alleges that the hackers designed a multi-faceted campaign to attack and disrupt the Olympics by conducting computer intrusions against Olympic partners and athletes, including information technology providers supporting the Olympic Games. The campaign allegedly began with a series of highly tailored spearphishing emails in various languages (examples are included in the indictment) and included the development of fake malicious apps (e.g., “Seoul Bus Tracker”) and the deployment of malware referred to as “Olympic Destroyer,” which compromised thousands of computers and ultimately caused disruptions during the opening ceremony of the Olympics.

The indictment presents very detailed information on the mechanics of the attacks, including examples of phishing emails used by the attackers and details regarding the tactics used by the hackers to compromise systems and avoid attribution (including by crafting the malware’s computer code to appear to stem from the Lazarus Group in North Korea).


About Emily Poole

Emily Poole is an associate on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
