The US Department of Justice has charged six Russian officers of the notorious Russian Main Intelligence Directorate (GRU) with attempting to undermine the 2017 French elections, hacking the 2018 Winter Olympics, and hacking critical infrastructure in Ukraine and Georgia, among other things. The six officers belong to the hacking group infamously known as “Sandworm Team”, which the US has previously accused of hacking Hillary Clinton’s emails.
The British National Cyber Security Centre also announced that the GRU had been planning to attack the 2020 Tokyo Olympics as well. The GRU had already conducted cyber reconnaissance against officials and organisations involved with the 2020 Olympic and Paralympic Games, which were postponed due to the COVID-19 pandemic. It also said that the GRU unit disguised itself as North Korean and Chinese hackers when it attacked the 2018 Winter Olympics.
The GRU is Russia’s foreign military intelligence service, housed within the Russian army. Sandworm Team, or Unit 74455, is a unit within the GRU whose members were previously indicted for hacking and leaking the emails of Hillary Clinton and the Democratic National Committee in the run-up to the 2016 US Presidential elections. These emails were published on a website called DCLeaks. Microsoft had said that the Sandworm Team also targeted at least three campaigns during the 2018 midterm elections in the US.
The US alleges that these cyber-attacks were carried out “for the strategic benefit of Russia”. In its investigation, the FBI was assisted by Google and its Threat Analysis Group (TAG), Cisco and its Talos Intelligence Group, Facebook and Twitter. Other unnamed private companies disabled accounts for violating the companies’ terms of service.
What are the six Russians accused of?
The DOJ has charged the six officers with the following acts:
- Attack on 2017 French elections: The group allegedly used spear phishing campaigns to hack and leak emails from French President Emmanuel Macron’s political party between April and May 2017.
- NotPetya attacks: The group was allegedly behind attacks on businesses and critical infrastructure worldwide in June 2017 using the malware NotPetya, which the group itself developed. Although the indictment only mentions Ukraine-based companies, US-based medical facilities, a FedEx subsidiary and an unnamed American pharmaceutical manufacturer (a probable reference to Merck), news reports from the time show that NotPetya brought down the networks of Danish shipping company Maersk, Russian oil company Rosneft, multiple organisations in Ukraine, and many others in India, Spain, France, the UK and elsewhere. Interestingly, the DOJ’s indictment doesn’t mention that NotPetya exploited EternalBlue, a tool created by the US National Security Agency to exploit a vulnerability in Windows systems.
- 2018 Winter Olympics held in South Korea: Between December 2017 and February 2018, the group allegedly hacked into computers that supported the Olympic Games and, on February 9, 2018, launched the malware Olympic Destroyer against the opening ceremony. The British government said that the unit disguised itself as North Korean and Chinese hackers for this attack.
- Attack on Ukraine’s government and critical infrastructure: Between December 2015 and 2016, the group targeted Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service using the malware BlackEnergy, Industroyer and KillDisk. This, the DOJ alleged, happened because the International Olympic Committee had prohibited Russian athletes from participating in the 2018 Winter Olympics due to charges of widespread doping amongst Russian athletes.
- Attack on Georgia’s government and companies: The DOJ has linked a 2018 spear phishing campaign against a Georgian media company, 2019 attacks against the Parliament network, and an October 2019 website defacement campaign against more than 15,000 Georgian websites to Team Sandworm. The UK’s National Cyber Security Centre had already attributed the defacement to Team Sandworm.
- Spear phishing campaign against a British government lab to derail an investigation: Team Sandworm allegedly targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) and the UK’s Defence Science and Technology Laboratory (DSTL), which were investigating the poisoning of Sergei Skripal, his daughter and multiple other British citizens.
Team Sandworm’s modus operandi
As per the indictment, the Sandworm Team hacked into computers to plant “destructive malware” such as KillDisk, Industroyer, NotPetya and Olympic Destroyer between November 2015 and October 2019.
- Recon: They probed the victim computer networks to look for weaknesses. They also looked up the biographical information of the victims to target them with spear phishing campaigns.
- Spear phishing campaigns: They sent emails designed to resemble those of trustworthy senders and lured victims into clicking malicious links. These links would either trick victims into giving away their login credentials and other sensitive data, or open and execute malware on their computers.
- Masquerade as genuine sites: They registered malicious websites and domains with legitimate-sounding names.
- Developed own malware, mimicked malware used by other hacking groups: Usually they developed their own malware to hack into victim computers and either maintain control over them or render them inoperable. For this, they customised publicly available malware and hacking tools. In some cases, they deliberately mimicked the malware of other hacking groups, such as the North Korean state-sponsored Lazarus Group, to plant false flags. Lazarus Group is the group behind the Dtrack malware that was used to target ATMs and financial institutions in India. The malware that infected Kudankulam Nuclear Power Plant’s network in 2019 bore a resemblance to it. Lazarus was also suspected in the cyber heist against Pune-based Cosmos Bank.
- Reuse infrastructure: They also reused their infrastructure to target multiple victims.
- Procuring infrastructure: They paid for servers, domain names and other infrastructure using cryptocurrency, and leased infrastructure from resellers instead of from the hosting companies directly. They used fictitious names to purchase or lease it.
Russia rejects this ‘speculation’
As expected, the Russian government has rejected “this kind of speculation”. In a statement, Foreign Ministry Spokesperson Maria Zakharova denied the involvement of Russian state agencies in “any malicious activity on the internet”. She instead called the charges an “opportunistic political consideration” meant to keep the “ ‘Russian threat’ theme afloat in the midst of the US presidential election campaign”. She further raised doubts over whether the six Russian nationals are actually employed by Russian special services. She also cited Russian President Vladimir Putin’s September 2020 statement calling for greater cooperation between the US and Russia on international information security.