Six men accused of carrying out some of the world's most destructive hacks – including the NotPetya disk wiper and the power grid attacks that left hundreds of thousands of Ukrainians without electricity – have been indicted in a U.S. federal court.
The indictment states that all six men are officers of a brazen hacking group best known as Sandworm, working on behalf of Unit 74455 of Russia's Main Intelligence Directorate, abbreviated as GRU. The officers are behind "the most disruptive and destructive series of computer attacks ever attributed to any group," according to prosecutors. The alleged goal: to destabilize foreign nations, interfere in their domestic politics and cause monetary losses.
The hacks include NotPetya, the 2017 disk-wiping worm that shut down operations at thousands of businesses and government agencies around the world. NotPetya was disguised as ransomware but was in fact malware that permanently destroyed petabytes of data. The results included hospitals that turned away patients, shipping companies that were paralyzed for days or weeks, and transportation infrastructure that stopped working.
Those affected by the attack included hospitals and other medical facilities in the Heritage Valley Health System ("Heritage Valley") in Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical company, which together suffered losses of nearly $1 billion in the attacks. U.S. intelligence long ago determined that the GRU was behind the attack, but Monday marks the first time any charges have been brought over it.
Other hacks named in the charges included:
- Ukrainian Government and Critical Infrastructure: from December 2015 to December 2016, destructive malware attacks against Ukraine's electric power grid, Ministry of Finance and State Treasury Service, using malware known as BlackEnergy, Industroyer and KillDisk
- French Elections: spear-phishing campaigns in April and May 2017 and related hack-and-leak efforts targeting French President Emmanuel Macron's "La République En Marche!" ("En Marche!") political party, French politicians and local French governments ahead of the 2017 French elections
- PyeongChang Winter Olympics Hosts, Participants, Partners and Attendees: spear-phishing campaigns and malicious mobile applications from December 2017 to February 2018 targeting South Korean citizens and officials, Olympic athletes, partners and visitors, and officials of the International Olympic Committee ("IOC")
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): intrusions from December 2017 to February 2018 into computers supporting the 2018 PyeongChang Winter Olympics, culminating in a destructive malware attack against the opening ceremony on February 9, 2018, using malware known as Olympic Destroyer
- Novichok Poisoning Investigations: spear-phishing campaigns in April 2018 targeting investigations by the Organisation for the Prohibition of Chemical Weapons ("OPCW") and the UK Defence Science and Technology Laboratory ("DSTL") into the nerve agent poisoning of Sergei Skripal, his daughter and several UK citizens
- Georgian Companies and Government Entities: a 2018 spear-phishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019
Defendants named in the indictment were:
| Defendant | Summary of Overt Acts |
|---|---|
| Yuriy Sergeyevich Andrienko | Developed components of the NotPetya and Olympic Destroyer malware |
| Sergey Vladimirovich Detistov | Developed components of the NotPetya malware; prepared spear-phishing campaigns targeting the 2018 PyeongChang Winter Olympics |
| Pavel Valeryevich Frolov | Developed components of the KillDisk and NotPetya malware |
| Anatoliy Sergeyevich Kovalev | Developed spear-phishing techniques and messages used to target En Marche! officials, DSTL employees, IOC members and Olympic athletes, and an employee of a Georgian media company |
| Artem Valeryevich Ochichenko | Participated in spear-phishing campaigns targeting 2018 PyeongChang Winter Olympics partners; conducted technical reconnaissance of the official Georgian Parliament domain and attempted to gain unauthorized access to its network |
| Petr Nikolayevich Pliskin | Developed components of the NotPetya and Olympic Destroyer malware |
All six men are charged on seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.