Elite Russian Sandworm Hackers' Epic OPSEC Problem
US Indictment Airs Russian Military and Operators' Dirty Laundry
Although Russia's elite nation-state hackers are capable of waging destructive attacks, the GRU military intelligence Sandworm operators have not been able to remain in the shadows, a U.S. federal grand jury indictment suggests (see: 6 Takeaways: Russian Spies Accused of Destructive Hacking).
The indictment demonstrates the degree to which Western intelligence agencies have apparently been able to infiltrate the Russian intelligence apparatus to trace attacks back to specific agencies - and specific operators.
"Of the six indicted hackers, three registered their cars to their military unit's address in Moscow."
In attributing the 2017 NotPetya fake ransomware attack, attempts to disrupt the 2018 Winter Olympics and 2020 Summer Olympics and attacks against organizations investigating Russia's 2018 Novichok attack on British soil, the U.S. Department of Justice didn't just name and shame the GRU's Main Center for Specialist Technologies - aka GRU Unit 74455, which security researchers refer to as Sandworm, TeleBots, Voodoo Bear and Iron Viking.
The Justice Department also named six hackers that it said were behind the keyboard during the attacks, released their photographs and added them to the FBI's list of most wanted fugitives. All are believed to be in or around Moscow. And because Russia has no extradition treaty with the U.S., they're unlikely to ever see the inside of an American courtroom.
"The Five Eyes intelligence communities ... must have stunning visibility into Russian military intelligence operations," cybersecurity expert Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of "Active Measures," said on Twitter.
Not So Shadowy
The sources and methods - that's intelligence-speak for the practice of gathering and analyzing evidence - used to identify who was behind the keyboards for these attacks aren't clear. But, from an operational security standpoint, the GRU unit does not appear to have practiced exemplary OPSEC.
Aric Toler, a researcher with investigative journalism website Bellingcat, notes that, of the six men indicted, three had registered their cars to Svobody 21B in Moscow - the physical address of their GRU unit. Presumably, they did this to avoid getting traffic tickets.
An example of how bumbling the Russian state is: of the six indicted hackers, three registered their cars to their military unit's address in Moscow. If you search for all of the people registering their cars to this address, you get 47 results - all probably GRU hackers. pic.twitter.com/G8SKJQ2WFT
— Aric Toler (@AricToler) October 19, 2020
Toler says FBI investigators likely used a tool called FindClone - a Russian facial recognition site - or something similar to help identify the suspects. He notes that photographs of the suspects released by the Justice Department include images taken from now-deleted pages on VK - a Russian online social media and social networking service, akin to Facebook, on which the suspects appeared to have registered accounts using pseudonyms. These accounts had been cached by FindClone.
Yes, the FBI 100% used Findclone. This photo they use for Petr is from a deleted VK account that he used, but with the photo cached on Findclone.
Another pic from him that should be easy to geolocate (overseeing the Hotel Ukraina, not the main MGU building as I first thought) pic.twitter.com/5PL4SdP0cD
— Aric Toler (@AricToler) October 19, 2020
Blending: Cybercrime and Nation-State Attacks
Intelligence officials say that, for several years, it has been growing more difficult to distinguish between nation-state attacks and cybercrime campaigns because the same hackers may work for intelligence agencies during office hours and practice freelance hacking in their spare time.
An example of that appears in the indictment, as Rid has noted.
Defendant Kovalev is having a bad day today pic.twitter.com/kD9H8pxIcC
— Thomas Rid (@RidT) October 19, 2020
One suspect - Anatoliy Kovalev - has also been accused of engaging "in spear-phishing campaigns for apparent personal profit, including campaigns targeting large Russian real estate companies, auto dealers and cryptocurrency miners, as well as cryptocurrency exchanges located outside of Russia."
Rules for Russian Hackers
Russia's computer crime laws make it difficult to prosecute citizens, so long as they've only defrauded foreigners, or at least anyone outside the Commonwealth of Independent States, which comprises former republics of the Soviet Union (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).
Security experts say Russian intelligence agencies have long turned a blind eye to cybercrime, provided criminals steer clear of targeting Russia and its neighbors and occasionally do favors for the government's spies. Kovalev, however, is allegedly a Russian military intelligence officer. Before being indicted last week by a federal grand jury, he - along with 11 other officers - was indicted by a separate grand jury in July 2018 for his alleged role in interfering with the 2016 U.S. elections. Kovalev and another GRU officer were also charged with a separate conspiracy to hack into state election infrastructure and software providers' systems.
Whether his GRU superiors were aware of his alleged extracurricular activities isn't known. But thanks to the U.S. indictment, his apparent penchant for hacking for profit - including pwning other Russians - in his spare time is just part of the dirty laundry being aired by the federal government as it attempts to hold Moscow to account for its hacking activities.