Summary: Justice Department Charges Six Russian GRU Officers

On Oct. 15, 2020, federal prosecutors indicted six officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU)—Russia’s military intelligence organization—for hacking campaigns designed to advance Russia’s strategic interests by disrupting and destabilizing the Ukrainian government and critical infrastructure, the Georgian government and media outlets, worldwide businesses and infrastructure, elections in France, the 2018 PyeongChang Winter Olympic Games and efforts to hold Russia accountable for the use of a nerve agent to poison a former Russian spy on foreign soil.

The U.S. Attorney’s Office for the Western District of Pennsylvania and the Counterintelligence and Export Control Section of the Justice Department’s National Security Division have charged each defendant with seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers and aggravated identity theft. Each defendant is charged with every count. The defendants are Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin.

The indictment details a series of attacks that occurred between November 2015 through October 2019. The attacks allegedly used highly destructive malware to cause electrical blackouts and disrupt business and government operations in several countries for the strategic benefit of Russia. U.S. Attorney Scott W. Brady described this hacking campaign as constituting “the most destructive and costly cyber-attacks in history.” The allegations in the indictment are described below.

Ukrainian Government & Critical Infrastructure

The GRU hackers targeted Ukraine’s electric power grid, the Ministry of Finance and State Treasury using malware known as BlackEnergy, Industroyer and KillDisk. In the spring of 2015, the GRU used spear-phishing emails to obtain access to the computer systems of three Ukrainian energy companies. The hackers then stole user credentials using “BlackEnergy” to access the companies’ Supervisory Control and Data Acquisition networks. On Dec. 23, 2015, they used this access to disrupt electricity supply to over 225,000 Ukrainians. After the attacks, they employed “KillDisk” to delete computer event logs and render the infected computers inoperable.

Additionally, beginning in April 2016, the GRU gained access to the computer network of a Ukrainian electric company and used “Industroyer,”—malware specifically designed to attack power grids—in order to gain control of electrical substation switches and circuit breakers. On Dec. 17, 2016, they attacked the company’s grid, deleting key system files and disrupting electricity supply in the Ukrainian capital city, Kyiv, for about an hour.

Beginning in October 2016, the hackers coordinated spear-phishing emails at the Ukrainian State Treasury Service’s system administrators—quickly gaining access when a system administrator opened an attached malware-infected Microsoft Excel file that established covert, encrypted communication between the computer and the hackers. Using this network, the GRU then obtained access to the Ministry of Finance’s computer network. On Dec. 6, 2016, as the Ukrainian government was preparing for end-of-year pension payments, the hackers disconnected regional subdivisions of the State Treasury Service from the automated pension payment system, a move which blocked about 150,000 electronic transactions and temporarily disabled the Ministry of Finance’s information and telecommunication infrastructure. Again, the GRU used KillDisk to delete the computers’ event logs and all files of a particular targeted file extension, rendering the infected computers inoperable by overwriting portions of the hard drives. This updated version of KillDisk included references to the television show “Mr. Robot.” For example, one of its three methods of deployment created an image of a hacker group’s symbol from the show to appear on the infected computer’s screen in real time. The indictment specifically alleges that Pavel Valeryevich Frolov participated in the design of the KillDisk malware.

French Elections

In the lead-up to the 2017 presidential election in France, the hackers conducted seven spear-phishing campaigns against over 100 members of President Emmanuel Macron’s “La République En Marche!” (En Marche!) political party, other French politicians and high profile individuals and local governments. Anatoliy Sergeyevich Kovalev is specifically alleged to have developed and tested a spear-phishing technique using Google Docs in April of 2017. Using an email account imitating Macron’s press secretary, the hackers sent a malware-infected document titled “Qui_peut_parler_aux_journalists.docx,” referring to a list of which staff members could talk to journalists about the previous day’s terrorist attack in Paris. Between April 12 and April 26, 2017, a GRU-controlled social media account communicated with several French individuals and offered to provide them with internal En Marche! documents. Then, in early May 2017, unidentified individuals began leaking documents allegedly originating from email accounts of the En Marche! campaign.

Worldwide Businesses and Critical Infrastructure (NotPetya)

The hackers executed a series of malware attacks against several Ukrainian organizations, including banks, newspapers and electricity companies, on June 27, 2017—the day before Ukraine’s Constitution Day, which commemorates Ukraine’s formation after departing from the Soviet Union. The malware used, NotPetya, was designed to spread to connected networks and ultimately rendered inoperable computer systems belonging to these organizations and victims in other countries. Computer systems attacked as part of the operation included two hospitals and 78 other medical facilities in the Heritage Valley Health System in the Western District of Pennsylvania, a FedEx Corporation subsidiary and a large U.S. pharmaceutical manufacturer.

NotPetya was designed to imitate an earlier ransomware known as Petya—however, unlike Petya, this new malware irreversibly encrypted the computers to the extent that not even the hackers could restore the contents if they wanted to. The hackers spread the malware by rerouting internet traffic from computers attempting to update M.E.Doc software—a popular Ukrainian accounting program used to send tax information to the government—to a France-based server controlled by the hackers. The GRU took advantage of how computers with M.E.Doc software periodically connect to the software’s Update Service to check for updates, accessing the software code for a M.E.Doc update and adding malicious code to the files on three dates in April, May and June. Computers performing M.E.Doc updates downloaded the malicious files, which allowed the hackers to collect a list of all EDRPOU numbers (similar to a tax identification number) associated with those computers and their usernames.

The NotPetya malware file was then pushed to these computers using a malicious software update on June 27, 2017. Once the malicious “Update File” was downloaded, the infected computers could remotely receive and execute direction from the hackers, allowing them to obtain system information and access, modify or create files. Additionally, the malware attempted to escalate its privileges in order to locate and compromise other computers in the same network in an effort to execute credential-stealing programs and identify antivirus processes.

If the malware file’s two initial methods of execution failed, it would spread to other victim computers using either EternalBlue or EternalRomance—both exploits developed by the NSA and leaked by the Shadow Brokers hacking group, though the indictment does not identify them as such. After attempting this lateral network movement, the malware would search for files with particular file extensions, encrypt them and create a text file inside every folder with the encrypted files and the NotPetya ransom note. The ransom note was later displayed on the victim computer, demanding $300 worth of Bitcoin and providing instructions for the transfer. Additionally, the hackers programmed the malware to restart the compromised computer after encrypting the files and to try various methods to prevent forensic investigators from obtaining evidence, including deleting logs. The indictment specifically alleges that Pavel Valeryevich Frolov and Sergey Vladimirovich Detistov were involved in programming the malware. Additionally, the indictment notes that after the software deployed, Yuriy Sergeyevich Andrienko and Petr Nikolayevich Pliskin celebrated the attack.

The indictment includes particular detail of the attack on the Heritage Valley Health System. At 7:23 a.m. Eastern time on June 27, 2017, the first computer in the Heritage Valley computer network became infected with NotPetya. The malware stole user credentials and, over the next several hours, spread to other computers in the network—encrypting hard drives, locking work stations and preventing doctors from accessing important files such as patient lists, medical histories and lab records. For over a week, Heritage Valley was unable to access its mission-critical computer systems, including those relating to cardiology, nuclear medicine, radiology and surgery. Other administrative computer systems were inaccessible for almost a month. The disruption cost Heritage Valley over $2 million in response and recovery costs.

Heritage Valley was just one of many victims of the June 27, 2017 NotPetya attacks. FedEx Corporation spent about $400 million after its subsidiary TNT Express B.V. was hit by the malware attack and a large U.S. pharmaceutical manufacturer spent over $500 million in response to the attack on its computer system.

PyeongChang Winter Olympics Hosts, Participants, Partners and Attendees

Leading up to the 2018 Winter Olympics in PyeongChang, South Korea, GRU hackers sent spear-phishing emails and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, visitors and International Olympic Committee (IOC) officials.

According to the indictment, preparations for cyberattacks against organizers and affiliates of the 2018 Winter Olympics began about one month before the IOC suspended the Russian Olympic Committee and its president, which occurred on Dec. 4, 2017. From November through December 2017, hackers sent spear-phishing emails to multiple email addresses associated with Olympics organizers, using the fake address olympicgameinfo@gmail.com. The emails contained .zip files containing malware, and purported to be sent by the Vice President of the IOC, offering help to organizers or prospects and future cooperation.

In the beginning of December, the GRU sent 78 spear-phishing emails to Korean Olympics organizers and affiliates, using the email address alert.safekorea@gmail.com and purporting to be from the Korean “Ministry of Public Safety and Security.” These emails, whose subject line read: “Breaking News - Earthquake,” included .zip files laced with malware. Shortly thereafter, the hackers sent another 98 emails to Korean Olympics organizers and affiliates from the same account.

The GRU utilized an online platform—labeled in the indictment only as “the Email Service”—that allowed them to send mass emails to recipients from emails with recognizable domain names. For example, defendant Anatoliy Kovalev used the Email Service to send an email from info@nctc.go.kr—the official domain address of the Korean Counterterrorism Center—which contained a malware-laced document that, when opened, established an encrypted channel from the recipient’s computer to the hackers’ “command and control server.” The GRU sent these emails from December 2017 through February 2018.

The hackers also targeted the 2018 Olympics Timekeeping partners. In January 2018, after months of research and preparation, hackers sent three spear-phishing emails to the Olympic Timekeeping Service Company purporting to contain a resume for someone applying to the position of “Field Operations Developer.” When opened, the resume prompted the user to enable a feature to see the document—which, when enabled, would in turn begin the download of malware to the computer. In February, Artem Ochichienko created email accounts that had usernames reflecting the name of the CEO of the timekeeping company. He then used one of the addresses to send a spear-phishing email to 13 email addresses at the company, including a link to a file entitled “Bonuses.xls.”

Finally, the conspirators targeted the general public by placing a malware-laced application on an online app store. While the app store removed most of the conspirators’ apps before anyone could download them, one such app, named “Hmail-App Naver Mail, Hanmail, Daum”—which mimicked the name of a real Korean email service—remained online long enough for 47 accounts to download it.

PyeongChang Winter Olympics IT Systems (Olympic Destroyer)

The day before the IOC suspended the Russian Olympic Committee and its president, GRU hackers designed a massive malware attack on computers connected to the 2018 Winter Olympics with the goal of rendering inoperable thousands of Olympic and Olympic IT support computers. Cybersecurity researchers later labeled this attack: “Olympic Destroyer.”

To disrupt the Olympics, the hackers first compromised the network of the IT company hired for Olympic technical assistance. Then, the hackers used that network to gain login credentials for IT services provided for the Winter Olympics. They soon gained access to an Olympics IT administrator account and from there were able to spread their malware across the entire “Olympic Environment”—the IT company computers supporting the Winter Olympics.

“Olympics Destroyer” compromised thousands of computers used by the Olympics IT company and 30 computers used by the Olympics Organizing Committee itself. As the indictment describes, the malware “would delete files from hard drives, force shut downs” and “impede rebooting and recovery” rendering infected computers essentially inoperable. And as news of the attack emerged, the hackers worked to stymie investigator efforts to identify their identity. They created fake malware that looked like it came from North Korea, obscured third-party ability to trace the actual hacker malware and established a hard-to-find server pathway that limited efforts to trace the attack back to them.

Finally, in addition to destroying computers, the malware also enabled the hackers to conduct reconnaissance of infected computers and access confidential files.

Novichok Poisoning Investigations

In April 2018, the GRU sent spear-phishing emails that targeted, as the indictment puts it, “investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens.” Sergei Skripal was a former Russian spy who had been living in England when he and his daughter were poisoned by a nerve agent (Novichok). The attack hospitalized the Skripals, and has been widely attributed to Russian government actors.

The spear-phishing emails were sent to parties at both the DSTL and the OPCW, purportedly by German or British journalists with information to share about the “Incident in Salisbury” or “Salisbury Spy Poisoning Investigation.”

Kovalev also used the mass email service that enables sending emails from domain names recognizable to recipients to send emails to DSTL addresses that appeared to be from a legitimate DSTL email address. Malware was attached to the emails.

Georgian Companies and Government Entities

Finally, the indictment describes how the hackers designed and carried out a 2018 spear-phishing campaign to destabilize the country of Georgia.

They first targeted a Georgian media outlet with eight malware-laced spear-phishing emails in 2018. Kovalev sent the emails from an address with a username emulating that of the media company’s. In July 2019, the GRU began reconnaissance of and attempted to gain unauthorized access into the network of the Georgian Parliament. In October of that year, the hackers engaged in a wide-ranging cyberattack of entities throughout Georgia, including some affiliated with the Georgian government. They defaced around 15,000 websites and disrupted and compromised many computer networks. In many cases, conspirators replaced websites with an image of a former Georgian president, famous for what the indictment characterizes as his “efforts to counter Russian influence in Georgia,” with a caption: “I’ll be back.”