
6 Takeaways: Russian Spies Accused of Destructive Hacking

Experts Say Day of Reckoning Overdue; How Might Moscow Respond?
Assistant Attorney General for National Security John C. Demers announces the unsealing of an indictment charging six Russian intelligence agents with hacking.

Crashing part of Ukraine's power grid in the dead of winter. Building malware to make it look like it was designed by North Korea. Targeting investigations into a Moscow-ordered nerve gas attack that injured numerous Brits. Recoding leaked National Security Agency "implants." Unleashing destructive NotPetya malware via Ukrainian accountancy software vendor M.E. Doc, which ultimately infected hundreds of organizations and caused $10 billion in damages.


These are just some of the charges included in the indictment unsealed Monday by the U.S. Department of Justice charging six Russian military intelligence agents with the above crimes. The indictment also accuses them of other attacks, including trying to interfere in U.S. and French elections, disrupt the 2018 Winter Olympics in South Korea and disrupt this year's Summer Olympics in Tokyo, which has been rescheduled to next year.

Here are six takeaways from the indictment, including what it might portend.

1. Moscow: 'Malicious' and 'Irresponsible'

The indictment stands as a shot across the bow in the face of persistent online attack campaigns that Western governments say trace to Russia's Main Intelligence Directorate, also known as the GRU.

"No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite," says John C. Demers, the assistant attorney general for national security. "No nation will recapture greatness while behaving in this way."

All six suspects are allegedly members of GRU Unit 74455, which security researchers also refer to as Sandworm, Telebots, Voodoo Bear and Iron Viking.

The alleged Russian GRU agents who have been charged (left to right, top row first): Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin. (Source: U.S. Justice Department)

All have been placed on the FBI's most-wanted list. Kovalev was previously charged in an indictment filed by former special counsel Robert Mueller in 2018, which accused the Russian of attempting to hack into state systems and interfere in U.S. elections in 2016.

2. Western Intelligence: 'Stunning Visibility'

Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of "Active Measures," says the indictment reveals the extent to which Western intelligence agencies - including the Five Eyes alliance comprising Australia, Canada, New Zealand, the U.K. and U.S. - appear to have penetrated Russian military networks.

"Today's GRU indictment is an incredible document," Rid tweeted on Monday. "The Five Eyes intelligence communities, I would suspect, must have stunning visibility into Russian military intelligence operations if today's disclosures are considered dispensable."

3. Day of Reckoning

Some officials and experts say a day of reckoning over these attacks was overdue.

"From NotPetya to the 2018 Winter Olympic Games, Russian hackers working directly for the Russian government have wreaked havoc on systems around the world, causing billions of dollars in damage and destabilizing the cyber ecosystem," says Rep. Jim Langevin, D-R.I., who is a member of the bipartisan Congressional Cyberspace Solarium Commission (see: $28 Billion for State Security, IT Upgrades Proposed).

NotPetya outbreak ground zero: Kiev-based servers hosting M.E. Doc software updates (Source: Ukrainian police)

"The Cyberspace Solarium Commission has made it clear that countries must follow norms of responsible state behavior or pay the price. We must continue to ramp up the pressure on Russia to rein in their disruptive actions and hold them accountable," he says.

Chester Wisniewski, principal research scientist at U.K.-based security firm Sophos, says the indictment is just the latest attempt by Western governments to blunt Moscow's appetite for chaotic and destructive online attacks.

"Sandworm has operated for more than 10 years and has played nearly every card in the attacker playbook. They are accused of having used spear phishing, document exploits, password stealers, living-off-the-land tools, supply chain hijacking and destructive wipers and have even pretended to be ransomware in efforts to create false flags for investigators," he says. "They have been a noisy operation, and many of us have been expecting this day to come for some time."

4. Attribution: Why Now?

Security experts have long cautioned that any time a government attributes an attack, there will typically be a political, diplomatic or defensive goal in mind. Last year, for example, U.S. and U.K. intelligence agencies warned that Russians had hijacked Iranian attack infrastructure and malware and were using it to launch attacks. At the time, officials said the public warning was designed to make launching these types of attacks more time-consuming and costly for adversaries.

At a Monday press conference, U.S. officials said Russia's intelligence agencies had overstepped the mark. "This activity went well beyond traditional intelligence collection," said David Bowdich, FBI deputy director. "The GRU targeted the global energy sector, the international political groups, hospitals and even the Olympics. Time and again, Russia has made it clear they will not abide by accepted norms, and instead they intend to continue their destructive and destabilizing cyber behavior."

But why was the indictment against the six alleged GRU hackers only filed last Thursday? The attacks described in the indictment unsealed Monday date back as far as five years.

"Why now? Why did we wait so long? There are so many different pieces in the indictment, so many different cyberattacks. I have a hard time believing that the attribution, the evidence ... wasn't done until just now to be able to go ahead and unseal the indictment," says Jake Williams, president of cybersecurity consultancy Rendition Infosec in Georgia and a former member of the U.S. National Security Agency's elite hacking team. "I guess maybe another way to put it is: The Obama administration already called out some of these attacks as being directed by Russia."

5. Russia Denies Hack Attacks

Officials in Moscow have dismissed the charges as being empty propaganda backed by no hard evidence.

"The new allegations of cyberattacks aimed at interfering are another step to discredit Moscow," Leonid Slutsky, chairman of the Committee for Foreign Affairs in the Duma - Russia's lower house of parliament - told Russia's Interfax news agency. "Such statements have never been accompanied by strong evidence - it's all in the category of 'highly likely.'"

6. Potential for Repercussions

Might Russia respond to the indictment with online attacks?

"It is high time for these indictments," says Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama. But he notes that Moscow could opt to retaliate during this already chaotic U.S. election season.

"The Russian regime launches destructive cyberattacks as a response to geopolitical tension," Kellermann says. "I am concerned that we will endure numerous destructive attacks against our critical infrastructure this November."

News Desk Managing Editor Scott Ferguson contributed to this report.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
