U.S. Indicts Six Russian Officers Tied to One of the World’s Most Destructive Hacking Groups

The U.S. unsealed charges today against six Russian intelligence officers who are allegedly members of the elite Russian hacking organization known as Sandworm—a group believed to be behind some of the most destructive cyberattacks in history.

The charges come weeks after several indictments targeting Chinese and Iranian hackers and just 15 days before the U.S. presidential election. They're the latest in a series of DoJ efforts to expose widespread hacking efforts directed by Moscow against Russia’s adversaries.

“As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and satisfy fits of spite,” said Assistant Attorney General for National Security John Demers at a press conference announcing the charges.

Although DoJ officials said they were making no election-related allegations with the charges, they could be seen as a warning shot to state-sponsored hackers engaging in election interference, considering the close timing.

"We’ve had a policy of bringing these cases for years, and we’ll bring as many as we can when the work is done and we’re ready to charge it.”

Adam Hickey, Deputy Assistant Attorney General of the DoJ’s National Security Division, in a recent interview with The Record

The six Russian nationals named in the charges are officers in Unit 74455 of the Russian Main Intelligence Directorate, or the GRU. One of the defendants was also named in a 2018 indictment against 12 GRU hackers who allegedly interfered in the 2016 U.S. election.

Sandworm, the subject of a recent book by Wired journalist Andy Greenberg, made a name for itself about five years ago for launching cyberattacks that caused multiple blackouts in Ukraine. Since then, the group has continued its campaign of aggressive hacks, including a cyberattack that temporarily disrupted the 2018 Winter Olympics in South Korea.

But perhaps the most notable incident attributed to Sandworm was the 2017 NotPetya attack, which is considered by many to be the most costly cyberattack in history. What started in June that year as a series of cyberattacks targeting Ukraine rapidly spread to companies around the globe. Although the attack masqueraded as ransomware, it gave victims no way to retrieve their data, crippling operations for months. Several large public companies disclosed in securities filings that the attack cost them hundreds of millions of dollars in lost business and recovery efforts.

The charges are the latest in a series of high-profile actions taken by the DoJ against international hackers in recent months. In September, five alleged members of Chinese hacking group APT41 were indicted for their roles in attempts to compromise more than 100 U.S. companies, and three Iranians were charged in a separate indictment for allegedly hacking on behalf of Iran’s Islamic Revolutionary Guard Corps. In August, the DoJ filed a civil forfeiture complaint related to the North Korean government’s hacking of two cryptocurrency exchanges that resulted in the theft of millions of dollars.

In an interview with The Record last week, Adam Hickey, the Deputy Assistant Attorney General of the DoJ’s National Security Division, said the spike in hacking-related indictments is not part of an orchestrated effort to deter nation states ahead of the U.S. presidential election. Rather, they are the result of years of work from the Department and other government agencies.

“A number of investigations have come to completion—the honest truth is we’re going to charge the case when it’s ready to be charged, when we’ve been able to line up what we need to operationally, allowing for things like engaging foreign partners and trying to rally like-minded nations to join us,” Hickey said. “We’ve had a policy of bringing these cases for years, and we’ll bring as many as we can when the work is done and we’re ready to charge it.”

But the charges against members of Sandworm, which come about two weeks before election day, might be interpreted as a warning shot to state-sponsored hackers engaging in election interference.

The six defendants named in today’s indictments—Yuriy Sergeyevich Andrienko, 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32—were charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft, according to the DoJ.

Like many U.S. indictments against foreign hackers, the charges announced today came with no arrests, meaning that the accused could still potentially engage in cyberattacks. Hickey said that announcing charges in these cases can still disrupt hacking efforts, because groups are forced to retool and those named in indictments won’t be able to travel outside of their home countries without fear of arrest and extradition.

“Even when someone can’t be arrested, there is a consequence to them of being outed publicly,” he said.