US indicts six alleged Sandworm hackers.
The US Justice Department announced on Monday the unsealing of an indictment against six Russian GRU officers belonging to unit 74455, a group known to the industry as Sandworm. The indictment alleges a wide-ranging conspiracy that wanders from Ukraine’s power grid, through NotPetya, to the Winter Olympics in South Korea, and all the way to elections in France and other countries:
"The defendants, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), 32; Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), 35; Pavel Valeryevich Frolov (Павел Валерьевич Фролов), 28; Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), 29; Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), 27; and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), 32, are all charged in seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Each defendant is charged in every count."
In the present indictment, the Justice Department notes that, while it previously indicted members of the Sandworm unit for election-related attacks, this case concerns the disruption of Ukraine’s power grid and the subsequent NotPetya destructive attack, which spilled far beyond Ukraine. NotPetya had worldwide effects, "shutting down companies and causing immense harm." The Justice announcement points out that losses for the three US victims named in the indictment alone came to nearly a billion dollars, and that, globally, the transportation and healthcare sectors were especially hard hit. The indictment, Justice says, "lays bare Russia’s activities to disrupt the internal politics of other countries."
Justice is particularly hard on the Sandworm team, characterizing the conspirators' actions on behalf of the Russian government as "irresponsible," more like the behavior of "a petulant child" than that of a responsible government. Bellingcat's Aric Toler points out that three of the six defendants had registered their cars to their GRU unit's physical address, which BankInfoSecurity calls "an epic OPSEC problem." Interestingly, the indictment also highlights how some of the defendants engaged in cybercriminal activity for personal profit.
Cisco’s Talos Group, Facebook, Twitter, and Google were thanked for their cooperation in the investigation, as were "Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, as well as many of the FBI’s Legal Attachés and other foreign authorities around the world."