Six members of a Russian military hacking and cybercrime group have been indicted by the US Department of Justice. The indictment stops short of calling them a cyber warfare unit, but it does identify them as officers in Unit 74455 of the GRU, Russia's military intelligence agency. It accuses them of involvement in numerous cyberattacks around the world.
Assistant Attorney General for National Security John C. Demers said: “No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.
“Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”
Cisco, Facebook, Twitter and Google have all been singled out for the technical assistance they provided to the FBI and the DoJ in this case.
What are the Russian intelligence officers accused of?
The indictment reads like a hackers' roll of honour. The malware listed includes NotPetya, KillDisk, Olympic Destroyer and BlackEnergy. More importantly, it also accuses them of attacking the organisations that were investigating the use of the Novichok nerve agent against critics of the Russian state. This latter charge matters because it breaks with statements from parts of the US Government suggesting there is no evidence that Novichok was used in the alleged attacks.
The indictment lists attacks against:
- Ukrainian Government & Critical Infrastructure: Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using BlackEnergy, Industroyer, and KillDisk.
- French Elections: Spearphishing campaigns and hack-and-leak efforts targeting Emmanuel Macron (then a presidential candidate), his party En Marche! and other political leaders.
- Worldwide Businesses and Critical Infrastructure (NotPetya): A self-propagating wiper disguised as ransomware that ripped around the world. The FBI puts the collective losses to healthcare and other companies in the US alone at around $1 billion.
- PyeongChang Winter Olympics Hosts, Participants, Partners and Attendees: Spearphishing campaigns and malicious mobile applications. South Korean organisations were targeted, but so were athletes and officials from other countries. China and North Korea were originally blamed for these attacks.
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): Numerous attacks culminating in the use of Olympic Destroyer to disrupt the opening ceremony.
- Novichok Poisoning Investigations: Attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) and the UK's Defence Science and Technology Laboratory (DSTL), both of which were investigating the use of Novichok against Sergei Skripal and others.
- Georgian Companies and Government Entities: Spearphishing campaign against media and the Georgian Parliament.
Who are the GRU Six?
The indictment names the six GRU officers and their overt acts as:
| Defendant | Summary of overt acts |
|---|---|
| Yuriy Sergeyevich Andrienko | Developed components of the NotPetya and Olympic Destroyer malware. |
| Sergey Vladimirovich Detistov | Developed components of the NotPetya malware; prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. |
| Pavel Valeryevich Frolov | Developed components of the KillDisk and NotPetya malware. |
| Anatoliy Sergeyevich Kovalev | Developed spearphishing techniques and messages used to target En Marche! officials, employees of the DSTL, members of the IOC and Olympic athletes, and employees of a Georgian media entity. |
| Artem Valeryevich Ochichenko | Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; conducted technical reconnaissance of the Parliament of Georgia's official domain and attempted to gain unauthorized access to its network. |
| Petr Nikolayevich Pliskin | Developed components of the NotPetya and Olympic Destroyer malware. |
UK backs up US claims
The UK National Cyber Security Centre (NCSC) has also weighed in on the charges. It said that the same GRU unit was behind attempts to attack the 2020 Tokyo Olympic and Paralympic Games before they were postponed. It released its statement soon after the US DoJ charged the GRU Six.
Paul Chichester, the NCSC’s Director of Operations, said: “We condemn these attacks carried out by the GRU and fully support the criminal charges announced today by the US Department of Justice.
“These attacks have had very real consequences around the world – both to national economies and the everyday lives of people.
“We will continue to work with our allies to ensure that we are the hardest possible target for those that seek to cause disruption and harm in cyberspace.”
Importantly, the NCSC statement also made it clear that the GRU Six planted false flags to make their attacks look like the work of North Korean and Chinese groups. It shows how hard confident attribution is in the immediate aftermath of an attack. Security vendors often rush to assign blame as soon as an attack becomes public, yet the artefacts they lean on in those first hours (strings, compiler metadata, reused code fragments) are exactly the ones an attacker can forge. Sandworm has shown how easy misdirection is in the early phase of an investigation; attribution that holds up rests on infrastructure, tooling and victimology accumulated over time.
Industry response to the DoJ announcement was quick and plentiful. Here are some of the reactions:
John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence: “Today’s indictments of GRU officers read like a laundry list of many of the most important cyberattack incidents we have ever witnessed. Sandworm has been involved in many of the most aggressive cyberattacks and information operations ever seen, including repeated successful attacks on the Ukrainian grid, the economically devastating NotPetya fake ransomware attacks, the hack and leak operation targeting the 2017 French Elections, and the attack on the Pyeongchang Olympic Games.
“Sandworm was also involved in 2016 US election interference, managing the leak portion of the hack and leak operations as well as carrying out intrusions into election infrastructure.”
Chester Wisniewski, principal research scientist, Sophos: “The indictment of the Russian GRU hackers related to the attacks referred to collectively as “Sandworm” is an interesting development in attempts by Western governments to rein in foreign adversary attacks. Sandworm has operated for more than 10 years and has played nearly every card in the attacker playbook.
“They are accused of having used spear phishing, document exploits, password stealers, living-off-the-land tools, supply chain hijacking, destructive wipers and have even pretended to be ransomware in efforts to create false flags for investigators. They have been a noisy operation, and many of us have been expecting this day to come for some time.”
Enterprise Times: What does this mean?
There is little likelihood of anyone being arrested, which makes this more about political theatre than criminal prosecution. Wisniewski also points out that, as GRU officers, the six have protected status inside Russia. That means they will not stand trial in the US.
More importantly, he goes on to say: “We’re no safer than we were yesterday, and we need to continue to bolster our defences to be prepared for Sandworm or any of the garden variety criminals they have inspired. Were they to be arrested their replacements are already in training and the relentless thirst of nation-states to compromise and interfere with their adversaries goes undeterred.”
It is that last statement from Wisniewski that needs to be read carefully. For all the column inches this indictment will generate, nothing will change. The GRU Six will be fêted internally and will see this announcement as something to be proud of. While it will limit their ability to travel or be deployed abroad, the techniques they use are already in widespread use by other nation-state groups.
Despite this, the US DoJ has pushed ahead with the indictment to send a message. That message is best summed up by the comment from FBI Pittsburgh Special Agent in Charge Michael A. Christman: “The exceptional talent and dedication of our teams in Pittsburgh, Atlanta and Oklahoma City who spent years tracking these members of the GRU is unmatched.
“These criminals underestimated the power of shared intelligence, resources and expertise through law enforcement, private sector and international partnerships.”