By Masood Farivar
U.S. prosecutors on Monday announced charges against six Russian military intelligence officers in connection with a global computer hacking campaign that targeted the 2017 French presidential election and the 2018 Winter Olympics in South Korea, and carried out other high-profile cyberattacks.
The campaign, spanning from 2015 to 2020, was the “most disruptive and destructive” carried out by a single group of cyber intruders, law enforcement officials said.
The six hackers, all officers of the Russian military intelligence service known as GRU, “engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize” entities and institutions seen as anti-Russia, the Justice Department said.
The same unit, known to cybersecurity researchers as the “Sandworm” team, was allegedly behind the hacking of Democratic computer networks as part of Russia’s interference in the 2016 U.S. presidential election.
One of the six hackers charged in a new 50-page indictment, Anatoliy Sergeyevich Kovalev, had been indicted along with 11 other GRU officers in 2018 in connection with the 2016 election interference.
Russian President Vladimir Putin recently called for a cyber reset between Russia and the United States.
John Demers, head of the Justice Department’s national security division, said the indictment underscores why Russia’s proposed reset “is nothing more than dishonest rhetoric and cynical and cheap propaganda.”
The indictment “lays bare Russia’s use of its cyber capabilities to destabilize and interfere with the domestic political and economic systems of other countries,” Demers said at a virtual press conference at the Justice Department.
The five others were identified as Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin. They face charges of conspiracy, computer hacking, wire fraud, aggravated identity theft and false registration of a domain name. All six remain at large.
The Russian Embassy in Washington did not respond to a request for comment.
The charges, which come two weeks before another contentious U.S. presidential election, do not allege election interference, Demers said.
“Rather, today’s charges illustrate how Unit 74455’s election activities were but one part of the work of a persistent, sophisticated hacking group busy sabotaging perceived enemies or detractors of the Russian Federation, regardless of the consequences to innocent bystanders or their destabilizing effect,” Demers said.
In recent months, the Justice Department has announced a series of indictments charging hackers working for China, Iran and North Korea.
Asked if the indictment was meant to be a warning to U.S. adversaries seeking to disrupt the U.S. elections, a Justice Department official said, “I would say that generally, it is a warning, a warning to these countries and the actors that are working for them, these activities are not quite as deniable as they might have hoped they were originally.”
The official spoke during a press call and asked not to be identified.
The GRU hackers’ targets included Ukrainian government and critical infrastructure; Georgian companies and government entities; the 2017 French presidential election; an investigation into Russia’s poisoning of former spy Sergei Skripal in Britain; the Winter Olympics in Pyeongchang; and several U.S. corporations.
During their yearslong campaign, the hackers used “some of the world’s most destructive malware” to strike targets on three continents, according to the Justice Department.
In Ukraine, using malware known as BlackEnergy, Industroyer, and KillDisk, the hackers attacked the country’s electric power grid, Ministry of Finance, and State Treasury Service from December 2015 through December 2016.
Ahead of the 2017 presidential election in France, the GRU officers allegedly carried out spear-phishing and hack-and-leak operations targeting President Emmanuel Macron’s party, French politicians and local French governments.
In June 2017, the hackers deployed malware known as NotPetya to infect computers around the world, targeting the networks of hospitals and medical facilities in the Heritage Valley Health System in Pennsylvania; a FedEx subsidiary; and an unidentified U.S. pharmaceutical manufacturer. Masquerading as ransomware, NotPetya was capable of bringing down entire computer networks within seconds, officials said. At Heritage, patient lists, patient history, physical examination files, and laboratory records were wiped out. In all, the attacks resulted in losses of nearly $1 billion to the companies.
During the Winter Olympic Games, the hackers used malware known as Olympic Destroyer to knock the games’ official website offline and prevent attendees from printing their tickets. The attack came within hours of the Olympic Committee’s decision to disqualify Russian athletes over doping.
In Georgia, with which Russia has tense relations, the hackers targeted a major media company in 2018 and defaced about 15,000 websites in 2019.
“They replaced the homepages of those websites with an image of a former Georgian president known for his efforts to counter Russian influence in Georgia with the caption, ‘I’ll be back,’” said a Justice Department official.
John Hultquist, senior director of analysis for cybersecurity firm FireEye, said the indictment “reads like a laundry list of many of the most important cyberattack incidents we have ever witnessed.”
“Sandworm has been involved in many of the most aggressive cyberattacks and information operations ever seen,” Hultquist said in a statement.
Separately, the Justice Department unsealed charges against 10 alleged members of an international smuggling ring for trafficking more than $50 million worth of electronic devices from the United States to Russia. The defendants, eight of whom have been arrested, allegedly used employees of Russia’s Aeroflot Airlines as couriers to smuggle Apple products and other electronics to Russia.