The U.S. Department of Justice has charged six Russian citizens believed to be members of the Sandworm group (aka Telebots, BlackEnergy, Voodoo Bear, and so on), one of the most notorious state-sponsored hacker groups.
The American authorities claim that all the defendants serve in Unit 74455 of the Main Intelligence Directorate (GRU) of Russia and, on the orders of the Russian government, have carried out cyberattacks aimed at destabilizing other countries, interfering in their domestic politics, and causing damage and monetary losses.
Specifically, the DOJ links the Sandworm group to the following known incidents:
- attacks on the government and critical infrastructure of Ukraine: from December 2015 to December 2016, attacks were carried out on the power system of Ukraine, the Ministry of Finance and the State Treasury Service using the BlackEnergy, Industroyer and KillDisk malware;
- elections in France: in April-May 2017, prior to the French elections, targeted phishing attacks and related hacking attempts were recorded against the political party La République En Marche!, French President Macron, other French politicians and local authorities of the country;
- business and critical infrastructure worldwide (NotPetya): on June 27, 2017, the massive NotPetya attacks began, affecting computers around the world, including Heritage Valley healthcare facilities in Pennsylvania, a subsidiary of FedEx Corporation, TNT Express BV, and a major US pharmaceutical manufacturer, ultimately causing billions of dollars in losses;
- organizers, participants, partners and visitors of the Winter Olympic Games in Pyeongchang: from December 2017 to February 2018, phishing campaigns and malicious mobile apps targeted citizens and officials from South Korea, Olympic athletes, partners and visitors to the Olympic Games, and officials from the International Olympic Committee;
- Pyeongchang Winter Olympics IT systems (Olympic Destroyer): from December 2017 to February 2018, attacks were recorded on systems serving the Pyeongchang Winter Olympics, culminating in a devastating attack on the opening ceremony of the Olympic Games on February 9, 2018, using the Olympic Destroyer malware;
- investigation into the Novichok poisoning: in April 2018, targeted phishing campaigns were spotted against the investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom's Defence Science and Technology Laboratory (DSTL) into the poisoning of Sergei Skripal, his daughter and several UK citizens with a nerve agent;
- attack on state institutions of Georgia: a spear-phishing campaign targeting a major media company was spotted in 2018, an attempt was made to compromise the parliamentary network in 2019, and large-scale defacement attacks on a variety of websites were noticed in 2019.
According to court documents, the six GRU officers charged are responsible for the following crimes:
| Defendant | Alleged role |
|---|---|
| Yuri Sergeevich Andrienko | Development of NotPetya and Olympic Destroyer malware components. |
| Sergey Vladimirovich Detistov | Development of NotPetya malware components, as well as preparation of phishing campaigns aimed at the Winter Olympics in Pyeongchang. |
| Pavel Valerievich Frolov | Development of the KillDisk and NotPetya malware components. |
| Anatoly Sergeevich Kovalev | Designing phishing campaigns targeting members of La République En Marche!, DSTL employees, IOC members and Olympic athletes, and employees of the Georgian media. |
| Artem Valerievich Ochichenko | Participation in phishing campaigns against partners of the 2018 Winter Olympics in Pyeongchang; technical reconnaissance of the official domain of the Parliament of Georgia and an attempt to gain unauthorized access to its network. |
| Petr Nikolaevich Pliskin | Development of NotPetya and Olympic Destroyer malware components. |
At a press conference, US officials said that the group's attacks were often based on the indiscriminate use of destructive malware, which not only led to financial losses among thousands of companies, but also put human lives at risk, demonstrating disregard for any rules and regulations.
“This case demonstrates that no country in the world has used its cyber potential as maliciously and irresponsibly as Russia, which has purposely inflicted unprecedented collateral damage in order to achieve small tactical advantages and satisfy its bouts of aggression,” said Assistant Attorney General for National Security John Demers, referring to the attack on the infrastructure of the Olympic Games, which occurred after Russian athletes were banned from participating in the Olympics, as well as to the NotPetya ransomware, which was originally aimed at Ukraine but which the group lost control of, causing damage to companies around the world.
“For example, the NotPetya malware prevented Heritage Valley from providing critical health care to the citizens of the Western District of Pennsylvania and affected two hospitals, 60 offices and 18 ancillary facilities,” the US Department of Justice said in a statement. “Due to the attack, patient lists, medical records, medical examination files and laboratory records were not available.
Heritage Valley lost access to its critical computer systems (such as those related to cardiology, nuclear medicine, radiology and surgery) for about a week and to its administrative systems for almost a month, posing a threat to public health and safety.”
All six accused are currently at large in Russia. If they are detained and brought to an American court, each of them faces a sentence of several decades in prison.