Six Russians charged over NotPetya and other attacks

Six intelligence officers at Russia’s GRU’s Main Centre for Special Technologies (GTsST), known variously as Sandworm, Telebots, Voodoo Bear or Iron Viking, have been indicted in the US over a series of destructive cyber attacks conducted on behalf of the Russian state.

The advanced persistent threat (APT) group was active from around November 2015 to October 2019 and during that time is accused of conducting an extensive campaign of cyber attacks designed to advance Russia’s strategic interests, and undermine and destabilise various targets.

These included the governments of Georgia and Ukraine, the spring 2017 French election, the 2018 Winter Olympic Games in Pyeongchang, South Korea, and investigations into Russia’s use of the chemical weapon Novichok in an attack on the UK, which killed one person.

The group used some of the most destructive strains of malware yet seen, including KillDisk and Industroyer, which were both used in attacks on the Ukrainian energy grid; Olympic Destrroyer, which disrupted the Olympics; and NotPetya, which caused nearly $1bn in losses at high-profile victims, including logistics giant Maersk.

The indictment charges them with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name. The six are named as Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin.

“No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Denvers, assistant attorney general for national security.

“Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

The US investigation was assisted by multiple partners, including cyber security firms and allied government agencies, including the UK’s National Cyber Security Centre (NCSC), which provided vital intelligence on the Olympic cyber attacks.

Foreign secretary Dominic Raab said: “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms. The UK will continue to work with our allies to call out and counter future malicious cyber attacks.”

NCSC operations director Paul Chichester added: “We condemn these attacks carried out by the GRU and fully support the criminal charges announced today by the US Department of Justice.

“These attacks have had very real consequences around the world – both to national economies and the everyday lives of people.

“We will continue to work with our allies to ensure that we are the hardest possible target for those that seek to cause disruption and harm in cyber space.”

The UK has already acted against the GTsST by imposing asset freezes and travel bans, alongside partners in the EU, and had previously attributed spear phishing attacks on the Defence Science and Technology Laboratory’s Novichok investigation to Russian intelligence.

Sophos principal research scientist Chester Wisniewski said that over the years, Sandworm had played “nearly every card” in the cyber criminal playbook, including spear phishing, document exploits, credential stealing, living-off-the-land tools, supply chain attacks, destructive wipers and even using ransomware as a false flag to throw off investigators.

“They have been a noisy operation and many of us have been expecting this day to come for some time,” he said.

“Another result of this noisiness is they have inadvertently popularised sophisticated nation-state-level tactics to be copied by everyday criminals. While they did not pioneer all these methods, they certainly perfected them and exposed their usefulness in breaching organisations’ defences.”

Wisniewski said it was unlikely that any of the six men indicted would ever be arrested or extradited. Indeed, their indictment might embolden them further.

“We are no safer than we were yesterday, and we need to continue to bolster our defences to be prepared for Sandworm or any of the garden variety criminals they have inspired,” he said.

Even so, said Sam Curry, chief security officer at Cybereason, the virtual impossibility of actually trying any of the accused in a US court did not mean publicising the indictments was all for nothing.

“While no court can extradite or try the accused, these charges will limit freedom of movement and travel in various parts of the world,” he said. “Either a dramatic change in the US or Russian regimes might change the status quo, but it is important to call out criminals and set the groundwork for future diplomats, trade, foreign policy and justice to finish the work.

“Finding a new geopolitical cyber norm is a multi-year and possibly multi-generational goal. It is hard to believe that this behaviour will lead to meaningful changes in Russian foreign policy, just as it hasn’t with APT 10 and Chinese foreign policy. But the goal isn’t just bringing the perpetrators to justice. The goal is to lay the building blocks for future work and a more peaceful, democratic, collaborative physical and cyber world one day.”