DOJ Announces Indictment of Russian Hackers for Destructive Cyber-Attacks, Including Deployment of NotPetya and Olympic Destroyer Malware

Alston & Bird
Contact

On October 19, 2020, the Department of Justice (DOJ) announced that six Russian GRU officers had been charged in connection with a series of destructive cyber-attacks that affected victims around the globe and caused billions of dollars of damage.

The Russian hackers are alleged to be a part of the group known as Sandworm, which is believed to operate as part of Russia’s Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The indictment alleges that the GRU hackers engaged in “computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.”

According to the announcement, the indictment marks the end of a multi-year effort by the FBI and DOJ to expose the efforts of these Russian GRU Officers in connection with some of the most destructive cyber-attacks of the past decade. Notably, the investigation also involved significant cooperation and assistance provided by authorities of other countries, including Ukraine, Korea, New Zealand, Georgia, and the United Kingdom.

Additional details regarding each of these attacks are included below.

(1) Ukraine and the NotPetya Malware

Between December 2015 and December 2016, Sandworm is alleged to have launched a series of devastating cyberattacks against Ukraine’s Ministry of Finance, State Treasury Service, and the Ukrainian power grid, at various times temporarily disabling the Ministry of Finance’s telecommunication infrastructure and leaving a quarter of a million Ukrainians without power.

The following year, in 2017, Sandworm allegedly executed a series of malware attacks against Ukrainian organizations, including banks and electricity companies. The malware, known as NotPetya, was designed to spread automatically to other victims, and as a result, the attacks ended up causing billions of dollars of damage on a global scale, including compromising systems at companies such as Merck and FedEx, as well as two hospitals and 60 physician offices in the U.S.

(2) Georgia

The indictment alleges that similar to the attacks on Ukraine since 2015, the hackers engaged in a cyber campaign against public and private entities in the country of Georgia in order to “undermine confidence in and otherwise destabilize Georgia.” The attacks included the defacement of approximately 15,000 websites.

(3) 2017 Elections in France

The indictment alleges that in early May 2017, the hackers conducted spearphishing campaigns against more than 100 politicians and high-profile individuals in France, with topics ranging from public security announcements regarding terrorist attacks to software updates for voting machines.

(4) Efforts to hold Russia accountable for use of weapons-grade nerve agent

In 2018, the OPCW, the body that implements the Chemical Weapons Convention of 1997, released findings from an investigation into the poisoning of a former GRU officer with a nerve agent earlier that year. In response to the OPCW’s investigation, the hackers allegedly conducted spearphishing campaigns against the agencies involved in the investigation.

(5) 2018 Winter Olympic Games

In December 2017, the International Olympic Committee prohibited Russian athletes from participating in the 2018 Winter Olympics after concluding that there was a systematic doping scheme involving Russian athletes and Russia’s Ministry of Sport. In response to this decision, the indictment alleges that the hackers designed a multi-faceted campaign to attack and disrupt the Olympics by conducting computer intrusions against Olympic partners and athletes, including information technology providers supporting the Olympic Games. The campaign allegedly began with a series of highly tailored spearphishing emails in various languages (examples are included in the indictment) and included the development of fake malicious apps (e.g., “Seoul Bus Tracker”) and the deployment of malware referred to as “Olympic Destroyer,” which compromised thousands of computers and ultimately caused disruptions during the opening ceremony of the Olympics.

The indictment presents very detailed information on the mechanics of the attacks, including examples of phishing emails used by the attackers and details regarding the tactics used by the hackers to compromise systems and avoid attribution (including by crafting the malware’s computer code to appear to stem from the Lazarus Group in North Korea).

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.