Almost five years ago, the Russian hackers known as Sandworm hit western Ukraine with the first-ever cyberattack to cause a blackout, a never-before-seen act of cyber warfare that turned out the lights for over 250,000 Ukrainians. Since then, Sandworm has perpetrated countless destructive attacks: another blackout in the Ukrainian capital of Kyiv, the release of the NotPetya worm in 2017 that spread globally and eventually caused $10 billion in damage, and an attack that temporarily crippled the IT backend of the 2018 Winter Olympics in South Korea, among others.
Despite years of attacks on critical infrastructure, Sandworm's members had never been charged, until now. On Monday, October 19, the US Department of Justice unsealed charges including fraud and conspiracy against six of the hackers who make up Sandworm and formally confirmed that these actors work in Unit 74455 of Russia's GRU military intelligence agency, based in a Moscow suburb. The indictment names all six Russian men, who are in their late twenties to early thirties: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, as well as Anatoliy Sergeyevich Kovalev, who was previously indicted two years ago for his alleged role in hacking US states' boards of election in 2016.
Despite US and EU sanctions against Russia for NotPetya, no hackers were criminally charged with the global cyberattack, or even named as individually responsible for it, until now. That apparent inaction led many in the cybersecurity world to marvel for years at Western governments' failure to hold Sandworm accountable. Belatedly, that accountability has arrived for Sandworm's hackers. But as with so many indictments of foreign, state-sponsored hackers, the defendants will likely never see the inside of a US courtroom, given their protection by the Russian government. Nonetheless, indictments against foreign hackers limit their ability to use the Western financial system or to travel to any country that may have an extradition agreement with the US.
The defendants and their co-conspirators caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States.
The conspiracy to commit computer fraud and abuse carries a maximum sentence of five years in prison; conspiracy to commit wire fraud carries a maximum sentence of 20 years in prison; the two counts of wire fraud carry a maximum sentence of 20 years in prison; intentional damage to a protected computer carries a maximum sentence of 10 years in prison; and the two counts of aggravated identity theft carry a mandatory sentence of two years in prison. The indictment also alleges false registration of domain names, which would increase the maximum sentence of imprisonment for wire fraud to 27 years in prison; the maximum sentence of imprisonment for intentional damage to a protected computer to 17 years in prison; and the mandatory sentence of imprisonment for aggravated identity theft to four years in prison.
The good news is that if any of these persons is caught outside Russia in a Western nation, on any charge, they can be brought to the USA to face these charges.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Installing, updating and monitoring firewalls and other cyber security controls, together with proper employee training, are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949