
US DOJ indictments might force Russian hacker group Sandworm to retool

News Analysis
Oct 20, 2020 | 7 mins

Critical Infrastructure, Hacking, Security

Experts hope that indictments against six Russian military intelligence agents will make Russia rethink plans to disrupt the US election.

[Image: Russian hammer and sickle / binary code. Credit: Zmeel / Getty Images]

The US Department of Justice (DOJ) unsealed charges against six hackers who allegedly are part of Sandworm, a Russian military intelligence group responsible for a string of damaging and unprecedented acts of malicious digital activity. The breadth of crimes that DOJ accuses the hackers of committing is extensive, from shutting down Ukraine’s power grid — twice — to the launch of faux ransomware NotPetya, which caused billions of dollars in damages globally, to devastating cyberattacks on the 2018 Olympics in South Korea.

The indictment spells out multiple computer fraud and conspiracy charges against each defendant and is the first time Russia has been identified as the culprit behind the Olympic attacks. In those incidents, attackers deployed destructive malware called Olympic Destroyer to disrupt the 2018 games. The Russian hackers had attempted to blame North Korea, China and other adversaries as the culprit of those assaults through a series of false flags implanted in the malware that were designed to throw investigators off track.

The DOJ further alleges that the hackers and their co-conspirators helped Russia retaliate against former Russian spy Sergei Skripal by poisoning him, along with his daughter, with a weapons-grade nerve agent, Novichok. Other crimes outlined in the indictment are a series of spear phishing attacks against the country of Georgia and Georgian non-government organizations in January 2018 and a cyberattack in Georgia around October 2019 that defaced approximately 15,000 websites and disrupted service to them.

What is Sandworm?

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” Assistant Attorney General for National Security John C. Demers said in a statement. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.”

Sandworm, also known as Telebots, Voodoo Bear, and Hades, was confirmed earlier this year to work in Unit 74455 of Russia’s GRU military intelligence agency, operating out of a building known as the Tower in a Moscow suburb. The six hackers charged are Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, as well as Anatoliy Sergeyevich Kovalev. Kovalev was previously indicted two years ago for his alleged role in hacking the US presidential election in 2016.

Google, Cisco Talos, Facebook and Twitter helped

The Justice Department said it was able to identify the hackers through unspecified efforts put forth by tech companies. The DOJ’s press release offered little insight into what the tech companies did but said the Department is “grateful” to Google, through its Threat Analysis Group, Cisco, through its Talos Intelligence Group and Facebook and Twitter for the assistance they provided. Other unnamed “private sector companies independently disabled numerous accounts for violations of the companies’ terms of service,” DOJ said.

“This is a really complex investigation,” Matt Olney, director of threat intelligence and interdiction at Cisco Talos, tells CSO. “There are many different viewpoints that have to come together to give this kind of insight into what’s going on. Cisco played a small part in providing our view of the world and the view of some of the work we have done.”

Of the seven or so different events that DOJ laid out in the indictment, Cisco played a role in three of them, Olney says. “The assistance we provide comes in different ways,” Olney says. “We have an extremely competent team that is constantly publishing their findings of timely events. For NotPetya, for instance, we actually published two blogs in the immediate aftermath of [the worm’s propagation].

“Based on those two blogs we were invited to brief the FBI on our findings.” Olney says that Cisco Talos was also invited to provide evidence to the grand jury in Pennsylvania that agreed to bring the charges.

Are the indictments tied to the US election?

Justice Department officials wouldn’t address whether the timing of the announcement so close to the election was intended as a warning that Russia should back off from any plans it might have to cause trouble before election day. Demers said during DOJ’s press briefing that the Justice Department brings charges when its investigations are ripe enough to do so.

Many experts on Russia’s interference in the 2016 election have feared that this specific Russian group, Sandworm, would launch a last-minute hack-and-leak operation against candidate Joe Biden akin to the one it launched against French President Emmanuel Macron in 2017. The so-called MacronLeaks incident is yet another crime against the six Russians that the DOJ has included in the indictment.

GRU targeted 2020 Olympic Games, too

Separately, British intelligence officials said that GRU hackers had also conducted “cyber reconnaissance” operations against the organizers of the 2020 Tokyo Games, which were cancelled due to the coronavirus. Russia had been banned from the 2020 Olympics over a widespread doping scandal that dates back to 2015.

In a statement, Britain’s foreign ministry said, “The attacks on the 2020 Summer Games are the latest in a campaign of Russian malicious activity against the Olympic and Paralympic Games. The UK is confirming for the first time today the extent of GRU targeting of the 2018 Winter Olympic and Paralympic Games in PyeongChang, Republic of Korea.”

Impact on Russia’s operation not clear

It’s not clear how DOJ’s announcement will affect Russia’s behavior going forward, but experts seem to think the indictments will have a positive impact, even if there’s almost no chance of authorities arresting any of the GRU’s hackers. Cisco Talos’s Olney thinks the indictments create an opportunity to have a serious conversation about how Russia has been behaving.

The indictment is a “comprehensive greatest hits list for Sandworm,” Olney says. “One of the hallmarks of this kind of approach that Russia has taken here is to kind of lean on implausible denial. I think the response here from the Department of Justice is to put together ‘no, seriously, listen, you’re not wiggling out of it, this is what happened’ kind of approach and start to lay the foundation for a broader international conversation on how entities have to act on the internet.”

“I certainly think that by exposing who the actors were in the indictments, that will force [Russia] to reconcile how good of a potential countersurveillance operation” they’re facing in the US, Chris Kennedy, CISO and vice president of cybersecurity company AttackIQ, tells CSO. “The fact that we were able to pin this on them credibly and we feel strongly enough about it that the DOJ did what it actually did is very powerful.”

“I think it’s going to force [Russia] to retool,” Kennedy says. “The assumptions they’ve made about our ability to actually attribute [acts] to them will warrant an additional reckoning.” “The downside of course is that the US might have to change up, too, because Russia now knows more about our capabilities,” Kennedy adds.

It’s not likely that any retooling by Russia could be completed by November 3. “Any form of retooling they would take to defend themselves from the level of attribution we have in this indictment would take some time,” Kennedy says.

Russia could have a “cyber nuclear weapon” that they’ve kept in storage until it’s needed, Kennedy says. “They’ve got to unlock some cyber nuclear weapon and get it out of some mothballs within the next two weeks. Or, hopefully, this will be a longstanding retooling.”