Six members of Russia’s military intelligence unit have been accused of being behind some of the biggest known cyberattacks, including the NotPetya wiper, which caused over $1 billion in losses around the world, and malware that twice knocked out power to large parts of Ukraine.
The U.S. Justice Department said Monday that a federal grand jury in Pittsburg returned an indictment accusing the hackers and their co-conspirators of conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
The alleged purpose of the attacks was to support Russian government efforts to undermine, retaliate against, or destabilize:
- The neighbouring countries of Ukraine and Georgia;
- The 2017 elections in France. It’s alleged the conspiracy included spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments;
- Efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, in the U.K. This relates to April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens;
- The 2018 PyeongChang Winter Olympic Games in South Korea after Russian athletes were banned from participating under their nation’s flag as a consequence of Russian government-sponsored doping effort. This refers to cyberattacks, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, and partners and visitors, and International Olympic Committee (IOC) officials.
The New York Times quoted the Russian Embassy in Washington as strongly denying the allegations. “It is absolutely obvious that such news breaks have no bearing on reality and are aimed at whipping up Russophobic sentiments in American society, at launching a ‘witch hunt’ and spy mania, which have been a distinctive feature of the political life in Washington for several years,” the embassy’s press office said.
The six allegedly were behind the KillDisk and Industroyer malware, which caused blackouts in Ukraine in December 2015 and December 2016; the NotPetya wiper worm, which caused nearly $1 billion in losses to three companies along; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.
All are alleged to be officers in Unit 74455 of the Russian Main Intelligence Directorate of the Russian army (GRU). They are believed to be in Russia and unlikely to ever face trial in the U.S.
Released in 2017, NotPetya is believed to have been originally aimed at people in Ukraine because those behind it began by compromising the update mechanism for a Ukrainian tax software called MEDoc. But experts believe it escaped to infect computers in 65 countries that hadn’t installed a Windows patch Microsoft had recently released. That led to many infosec pros arguing that good patch management could have stopped the spread of the worm.
Among the companies whose IT systems were badly battered by the worm were shipping company Maersk, FedEx’s TNT division in Europe and pharmaceuticals manufacturer Merck. Merck was quoted as initially estimating recovery costs would hit US$175 million, plus another $135 million in lost sales. FedEx initially claimed it lost US$400 million due to lost business.
Merck made a cyber insurance claim for US$1.3 billion to cover restoring or replacing servers and PCs and loss of business. However, its insurers have refused to pay, arguing the incident was an act of war. The dispute is still before U.S. courts.
Less than a year later, U.K. government cyber analysts pointed the finger at Russia, a conclusion Canada agreed with.
Cybersecurity researchers have the gang behind these attacks by various names, including “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” National Security Assistant Attorney General John Demers said in a statement. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”
“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI deputy director David Bowdich. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”
U.S. authorities thanked the governments of the U.K., Ukraine, Georgia, New Zealand and South Korea for their help, as well as Google, Cisco Systems, Facebook and Twitter.