The Sandworm Conspiracy
- October 31, 2020
- Clayton Rice, K.C.
On October 15, 2020, a federal grand jury in Pittsburgh, Pennsylvania, indicted six military officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU) for worldwide hacking campaigns designed to advance Russia’s strategic interests. The hacker team, known as Sandworm and operating out of a building simply called “the Tower” in the Moscow suburb of Khimki, had never been officially named until the U.S. Department of Justice unsealed the indictment on October 19, 2020. “No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John C. Demers, the Assistant Attorney General for National Security.
1. The Hackers and the Charges
The defendants, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin are all charged in seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers and aggravated identity theft. (here) They are alleged to have engaged in computer intrusions and attacks designed to destabilize the Ukrainian government and critical infrastructure; the Georgian government and media outlets; worldwide businesses and infrastructure; elections in France; the 2018 PyeongChang Winter Olympic Games; and, efforts to hold Russia accountable for using a nerve agent to poison a former Russian spy on foreign soil. Sandworm has been described by WIRED as “the elite and shadowy Russian vanguard of cyberwar.” (here)
2. The Attacks
According to the fifty-page indictment, summarized in a press release by the Department of Justice (here), the defendants and their co-conspirators were responsible for the following destructive or destabilizing computer intrusions and attacks:
- Ukrainian Government & Critical Infrastructure: From December 2015 through December 2016, destructive malware attacks were deployed against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
- French Elections: From April through May 2017, spearphishing campaigns and related hack-and-leak efforts were undertaken targeting French President Emmanuel Macron’s “La Republique En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
- Worldwide Businesses and Critical Infrastructure (NotPetya): On June 27, 2017, destructive malware attacks were initiated that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and, a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer): From December 2017 through February 2018 intrusions were made into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the February 9, 2018, destructive attack against the opening ceremony, using malware known as Olympic Destroyer;
- Novichok Poisoning Investigations: In April 2018 spearphishing campaigns were undertaken targeting investigations by the Organization for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and,
- Georgian Companies and Government Entities: A 2018 spearphishing campaign was deployed targeting a major media company and, in 2019, efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign were undertaken.
I will single out the NotPetya attack on the Heritage Valley Health System, the Olympic Destroyer attack on the PyeongChang Winter Olympics and the spearphishing campaigns targeting En Marche! for particular comment. But, first, let’s return to the beginning. The Russian Main Intelligence Directorate (GRU) is a military intelligence agency of the General Staff of the Armed Forces. It comprises multiple units, including Military Unit 74455, also known within the GRU as the “Main Center for Special Technologies” and by cybersecurity researchers as Sandworm Team, Telebots, Voodoo Bear and Iron Viking. (para. 1) The defendants were all GRU officers. The NotPetya attack, the Olympic Destroyer attack and the spearphishing campaigns targeting En Marche! are, then, examples of military attacks on civilian targets causing harm comparable to actual warfare.
3. NotPetya Malware
The indictment describes the NotPetya attack in some detail. The Heritage Valley Health System is located in Sewickley and Beaver, in the Western District of Pennsylvania. (para. 32) On June 27, 2017, the first computer in Heritage Valley’s network was infected by the NotPetya malware. The infection occurred as the result of a connection between the Heritage Valley computer and the computer network of another entity that had already been affected. By stealing and using Heritage Valley’s user credentials to self-propagate, the malware spread from the initially infected Heritage Valley computer to other computers on the network. (para. 39)
Heritage Valley’s computer hard drives were encrypted; workstations were locked; and, patient lists, patient medical history information, physical examination files and prior laboratory records were inaccessible. Heritage Valley’s servers were also rendered inaccessible. The attack caused Heritage Valley to lose access to its mission-critical computer systems, such as those relating to cardiology, nuclear medicine, radiology and surgery, for approximately a week. In addition to the disruption of critical health care services, Heritage Valley spent over $2 million responding to, and recovering from, the attack. (para. 40)
4. Olympic Destroyer
On February 9, 2018, employees of a company that provided information technology (IT) support to the 2018 Olympic Games reported laptops unexpectedly rebooting with messages from BitLocker, a full-volume encryption feature, asking for a recovery key. Multiple company servers experienced the same behaviour. These events were caused by the deployment of malware that cybersecurity researchers called “Olympic Destroyer”. The hackers first compromised the IT company’s computer network and traversed the network seeking user credentials and information related to IT services being provided to the Winter Olympics. Then, upon compromising the workstation for an IT company network architect, the hackers used the employee’s credentials to gain access to the “Olympic environment” (the IT company computers supporting the Winter Olympics). (paras. 56-7)
Olympic Destroyer was designed “to steal valid user credentials from victim computers and then spread and replicate itself across a victim’s computer network by exploiting those credentials.” Among other destructive steps, the malware would “delete files from hard drives, force shutdowns and […] impede rebooting and recovery”. The primary objective of Olympic Destroyer was “to render infected computer systems inoperable.” (para. 58) The hackers deployed the malware to “reboot and wipe” 30 computers used by the PyeongChang Organizing Committee. (para. 62)
5. French Elections
During the days leading up to the presidential election in France on May 7, 2017, the hackers conducted seven spearphishing campaigns targeting more than 100 individuals who were members of President Emmanuel Macron’s “La Republique En Marche!” political party, other French politicians and high-profile individuals, and email addresses associated with local French governments. During April 2017, Anatoliy Kovalev is specifically alleged “to have developed and tested a technique for sending spearphishing emails themed around file sharing through Google Docs”. Using an email account mimicking President Macron’s press secretary, the hackers sent a document infected with malware titled “Qui_peut_parler_aux_journalists.docx”, referring to a list of staff members who could talk to journalists about the terrorist attack in Paris during the previous day. (paras. 27-8)
From April 12, 2017, to April 26, 2017, a social media account controlled by GRU communicated with various French individuals offering to provide them with internal documents from En Marche! On May 3, 2017, unidentified individuals began to leak documents purporting to be from the En Marche! campaign’s email accounts. (paras. 29-30) (See also: Fry and Rebo. Summary: Justice Department Charges Six Russian GRU Officers. Lawfare. October 20, 2020) (here)
In an article published by WIRED titled US Indicts Sandworm, Russia’s Most Destructive Cyberwar Unit, Andy Greenberg described the indictment as “the first time that most of the charged hackers have been identified” and “the first official acknowledgement from the US government that Sandworm was responsible for a cyberattack on the 2018 Winter Olympics”. (here) Mr. Greenberg described the charges regarding the NotPetya malware attack as the most significant, as it “ravaged networks across the world.” To initially install its self-spreading code, Sandworm hijacked the update mechanism of MEDoc, a common piece of Ukrainian accounting software. NotPetya then spread worldwide from Ukrainian companies and government agencies, “inflicting $10 billion in damage to companies including Merck, FedEx, Maersk, Mondelez, as well as paralyzing updates to medical record systems in hospitals across the US”. (See also: Indictment, para. 34)
Mr. Greenberg went on to suggest that, as with many foreign, state-sponsored hackers, the Sandworm defendants “will likely never see the inside of a US courtroom, given their protection by the Russian government.” Nevertheless, he emphasized that indictments limit the ability of hackers “to use the Western financial system or to travel to any country that may have an extradition agreement with the US.” It is also important to emphasize that the level of detail in the Sandworm indictment reflects the extent to which investigators had infiltrated GRU networks, as Professor Thomas Rid of Johns Hopkins University suggested. “Today’s GRU indictment is an incredible document,” he said. “The Five Eyes intelligence communities, I would suspect, must have stunning visibility into Russian military intelligence operations if today’s disclosures are considered dispensable.” (here)
It is unlikely that NotPetya will be the last malware attack to be unleashed on the internet by an authoritarian regime or rogue state to wreak digital havoc on a worldwide scale. Is there any reason for confidence that China or North Korea would not do something similar? The unease is all the more concerning as the analog universe relentlessly fades into the annals of history. I will leave you, then, with how Mr. Greenberg penultimately leaves all of us in his award-winning Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (2020), at p. 314: “In a dimension of conflict without borders, we all live on the front line.”