The US has charged six Russian military officers for unleashing the 2017 NotPetya ransomware and launching attacks to shut down Ukrainian power plants and disrupt the 2018 Winter Olympics in South Korea.
The six military officers are allegedly members of “Sandworm,” which security researchers suspect work as a secret unit inside Russia’s military intelligence agency, the GRU. On Monday, the US Justice Department unsealed an indictment against the officers, naming each of them and placing them on the FBI’s most wanted list.
The Sandworm group is particularly notorious for committing cyberwar, including attacks capable of rendering computers useless. This occurred in 2017 with NotPetya, a worm-like attack that cost billions of dollars in damages by permanently corrupting Windows machines largely based in Ukraine.
Security researchers have also blamed Sandworm for launching BlackEnergy, KillDisk, and Industroyer, malware strains designed to infect industrial systems. The attacks, which took place from December 2015 through December 2016, disrupted the electric grid in Ukraine, temporarily shutting them down for affected residents in the country.
The group allegedly struck again at the 2018 Winter Olympics in PyeongChang; a Windows-based malware strain dubbed Olympics Destroyer managed to briefly take down the event’s IT infrastructure by bricking the computers.
For years now, Sandworm has been operating in the shadows. But now US federal investigators say they’ve managed to unmask at least some of the members behind the Russian hacking group. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group,” said US Assistant Attorney General for National Security John Demers.
The defendants include Yuriy Sergeyevich Andrienko, aged 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32. US officials are blaming the suspects for developing malware strains tied to Sandworm and for sending spearphishing emails to targets.
According to federal investigators, all six suspects have been residents of Russia. So today’s indictment is more about sending a warning to the country's state-sponsored hackers that their identities won’t stay hidden forever.
How the US identified the suspects wasn't clearly said in today's announcement. But the FBI worked with law enforcement agencies abroad, including the UK's intelligence services, and with security researchers at Cisco and Google to uncover the group's activities.
"This indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them," said FBI Deputy Director David Bowdich.
The US has charged the six military officers with computer hacking crimes, wire fraud and aggravated identity theft. If they’re ever extradited to the US, they could face several decades in prison time.