6 Russians Indicted for Destructive NotPeyta AttacksDOJ: Russian GRU Officers Targeted 2018 Olympics, French Elections and More
The U.S. Department of Justice unsealed indictments against six Russian military officers on Monday, alleging that they carried out a series of major hacking operations, including deploying destructive NotPetya malware - tied to more than $10 billion in damages - and attacking the 2018 Olympics.
See Also: Threat Briefing: Ransomware
All six suspects are allegedly members of Russia's Main Intelligence Directorate, also known as the GRU, and specifically part of GRU Unit 74455, which many security researchers refer to as Sandworm.
At a Monday press conference to announce the indictments, the U.S. Attorney for the Western District of Pennsylvania, Scott Brady, said investigators suspect that GRU Unit 74455 was integral to Russia's attempts to interfere in the 2016 U.S. election.
"The crimes committed by these defendants and Unit 74455 are truly breathtaking in their scope, scale and impact,” Brady says. "These are not acts of traditional spying against governments. Instead, these are crimes committed by Russian government officials against real victims who suffered real harm."
Authorities have named the six alleged suspects: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin. They have been charged with seven counts each: conspiracy to commit computer fraud and abuse; two counts of conspiracy to commit wire fraud; intentional damage to a protected computer; and two counts of aggravated identity theft.
All of the men remain in Russia, which has no extradition treaty with the U.S., meaning it's unlikely they would ever appear in an American courtroom.
Series of Attacks
The DOJ alleges that the Russian group masterminded numerous cyberattacks over a wide-ranging timeframe, including:
- December 2015 through December 2016: Ukrainian government and critical infrastructure attacks using malware known as BlackEnergy, Industroyer and KillDisk, which disrupted parts of Ukraine's power grid in the middle of winter;
- April to May 2017: French election-related spear-phishing campaigns and related hack-and-leak efforts targeting French President Macron’s "La République En Marche!" political party;
- June 2017: NotPetya destructive malware attacks that compromised hundreds of organizations, including Danish shipping giant Maersk, the Heritage Valley Health System in Pennsylvania, FedEx's TNT Express and a large U.S. pharmaceutical manufacturer;
- December 2017 through February 2018: Attacks against the Winter Olympics - including hosts, participants, partners and attendees - as well as the Winter Olympics’ systems themselves, using Olympic Destroyer malware;
- April 2018: Spear-phishing campaigns targeting investigations being conducted by both the Organization for the Prohibition of Chemical Weapons and the U.K.'s Defense Science and Technology Laboratory into the Novichok nerve agent poisoning of Sergei Skripal, his daughter and several U.K. citizens;
- 2018: Attacks against Georgian companies and government entities.
Authorities say the attacks caused billions in damage. "NotPetya was the most destructive cyberattack in history, with approximately $10 billion in damages and over 300 victims worldwide," said Michael Christman, special agent in charge of the FBI's Pittsburgh office (see: NotPetya: From Russian Intelligence, With Love).
Following the Justice Department announcement, the Russian embassy in Washington issued a statement denying any involvement in these attacks. "Russia does not and did not have intentions to engage in any kind of destabilizing operations around the world. This does not correspond to our foreign policy, national interests or our understanding of how relations between states are built. Russia respects the sovereignty of other countries and does not interfere in their affairs," an embassy spokesperson said.
Expect Russia to Respond
Expect Russia to respond following these indictments being unveiled in such a high-profile manner, says Tom Kellermann, the head of cybersecurity strategy at VMware, who also praises the DOJ's efforts, including the indictments.
"The Russian regime launches destructive cyberattacks as a response to geopolitical tension," says Kellermann, who served as a cybersecurity adviser to former President Barack Obama. "I am concerned that we will endure numerous destructive attacks against our critical infrastructure this November."
Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former member of the U.S. National Security Agency's elite hacking team, says the timing of the indictments being announced only about two weeks before the U.S. election is suspect. He also says that Russia is likely to retaliate in some way.
"It's a dangerous precedent because if we're going to do this to them, they are going to do this to us," Williams says of bringing criminal charges against operators - aka government hackers. "The looser and looser we get with who can be charged, the more dangerous it becomes. Are we going to charge the guy who has his hands on the keyboard? Are we going to charge the person that oversees this or registers the domain?"
Authorities say the investigation into the GRU unit's activities drew on numerous organizations and resources, including the FBI’s Atlanta, Oklahoma City and Pittsburgh field offices; the U.S. Attorney’s Office for the Western District of Pennsylvania; Google's Threat Analysis Group; Cisco's Talos Intelligence Group; plus Facebook and Twitter.
Authorities in Ukraine, South Korea, New Zealand, Georgia and the United Kingdom’s also shared information and intelligence.
On Monday, Britain's National Cyber Security Center, part of intelligence agency GCHQ, separately issued a statement condemning a string of Russian government hack attacks, noting the group had also begun to target the 2020 Olympics in Tokyo before the event was canceled.
6 GRU Hacker Suspects
The court documents unsealed Monday accuse the six GRU officers of having developed, procured, maintained and utilized servers, email accounts, malicious mobile applications and hacking infrastructure to conduct spear-phishing campaigns and gain access to victims' networks. The suspects are also accused of developing and deploying such malware as NotPetya, KillDisk and Olympic Destroyer, as well as using Industroyer malware.
"To craft their malware, the conspirators customized publicly available malware and hacking [tools] and, in some instances, purposefully attempted to mimic the malware of other hacking groups - including Lazarus Group, a state-sponsored hacking team in the Democratic People's Republic of Korea - as part of a false flag operation," according to the court documents (see: Visual Journal: Black Hat Europe 2019).
The GRU officers allegedly also used a variety of fake names and regularly leased computer infrastructure from resellers located outside Russia - paying with cryptocurrency to help obfuscate their attack strategy and mask their Moscow affiliation, according to the indictment.
The Justice Department says that the GRU officers were extremely thorough and conducted extensive research on targeted organizations and computer networks, gathering technical and non-technical data - including biographical information - to support later intrusion efforts. Such information was allegedly used by the GRU team to craft spear-phishing emails that helped them gain initial access to targeted networks.
NotPetya and Olympic Destroyer
Cisco Talos says its researchers contributed information that touched on both the NotPetya and Olympic Destroyer malware attacks to both the FBI and the grand jury.
The NotPetya attack targeted a widely used Ukrainian tax-filing software firm. Matt Olney, director of threat intelligence and interdiction with Cisco Talos, says his firm's incident response team was part of the group dispatched to Ukraine in 2017 to help with the investigation. He adds that in this case, the attackers moved away from using disk-wiper malware to NotPetya as their main means of damaging the infrastructure, showing just how destructive this ransomware-like code could be.
"[NotPetya] is possibly the best, highest-performing, scariest piece of malware that I have ever seen," Olney tells Information Security Media Group. "It was like the Ferrari of malware. It hit exactly what they wanted to hit and it moved laterally very fast and you were completely unable to recover from it."
Olney notes that NotPetya could move laterally through a system and steal credentials in an unusually efficient way. But while the malware could take advantage of exploits such as EternalBlue and EternalRomance - both developed by the U.S. National Security Agency and later leaked by the Shadow Brokers hacker group - it only did so sparingly, he says. In addition, he says, the GRU hackers re-engineered the NSA's leaked DoublePulsar backdoor to ensure that after it was deployed only the GRU hackers could use it to gain remote access to a network (see: DoublePulsar Pwnage: Attackers Tap Equation Group Exploit ).
Regarding the Olympic Destroyer malware, meanwhile, Craig Williams, director of outreach at Cisco Talos, notes that when his team first analyzed the malicious code, they found inside it pieces of other malware, including EternalBlue and code previously used by hacking groups in China and North Korea. Very quickly, researchers determined that whoever built the malware had been trying to trick malicious code analysts.
"And so it was an intentional series of techniques that they used to ... cast doubt when it came to attribution," Williams says. In the online attack realm, "this was really the first 'false flag' operation."