Six men accused of carrying out some of the world’s most destructive hacks—including the NotPetya disk wiper and power grid attacks that knocked out electricity for hundreds of thousands of Ukrainians—have been indicted in US federal court.
The indictment said that all six men are officers in a brazen hacker group best known as Sandworm, which works on behalf of Unit 74455 of the Russian Main Intelligence Directorate, abbreviated from Russian as GRU. The officers are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group,” prosecutors said. The alleged goal: to destabilize foreign nations, interfere with their internal politics, and cause monetary losses.
Among the hacks is NotPetya, the 2017 disk-wiping worm that shut down the operations of thousands of companies and government agencies around the world. Disguised as ransomware, NotPetya was in fact malware that permanently destroyed petabytes of data. The result, among other things, was hospitals that turned away patients, shipping companies that were paralyzed for days or weeks, and transportation infrastructure that failed to function.
Those hit by the attack included hospitals and other medical facilities in the Heritage Valley Health System (“Heritage Valley”) in Pennsylvania; a FedEx Corporation subsidiary, TNT Express BV; and a large US pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks. US intelligence long ago determined the GRU was behind the attack, but Monday is the first time charges have been filed in connection with it.
Other hacks called out in the indictments included:
- Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk
- French Elections: April and May 2017 spear-phishing campaigns and related hack-and-leak efforts targeting French President Emmanuel Macron’s “La République En Marche!” (“En Marche!”) political party, French politicians, and local French governments prior to the 2017 French elections
- PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spear-phishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (“IOC”) officials
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the February 9, 2018 destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer
- Novichok Poisoning Investigations: April 2018 spear-phishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (“OPCW”) and the United Kingdom’s Defence Science and Technology Laboratory’s (“DSTL”) into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens
- Georgian Companies and Government Entities: a 2018 spear-phishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019
Defendants named in the indictment included:
|Defendant||Summary of Overt Acts|
|Yuriy Sergeyevich Andrienko||· Developed components of the NotPetya and Olympic Destroyer malware|
|Sergey Vladimirovich Detistov||· Developed components of the NotPetya malware
· Prepared spear-phishing campaigns targeting the 2018 PyeongChang Winter Olympic Games
|Pavel Valeryevich Frolov||· Developed components of the KillDisk and NotPetya malware|
|Anatoliy Sergeyevich Kovalev||· Developed spear-phishing techniques and messages used to target:
– En Marche! officials
– employees of the DSTL
– members of the IOC and Olympic athletes
– employees of a Georgian media entity
|Artem Valeryevich Ochichenko||· Participated in spear-phishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners
· Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network
|Petr Nikolayevich Pliskin||· Developed components of the NotPetya and Olympic Destroyer malware|
All six men are each charged with seven counts of conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.
“The object of the conspiracy was to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access (‘hacking’) of victim computers,” prosecutors wrote in the indictment. “In furtherance of the conspiracy, Andrienko, Detistov, Frolov, Kovalev, Ochichenko, Pliskin, and others known and unknown to the grand jury procured, maintained, and utilized servers, email accounts, malicious mobile applications, and related hacking infrastructure to engage in spearphishing campaigns and other network intrusion methods against computers used by the victims.”
The prosecutors also said that four of the men developed and deployed destructive malware used around the world.