The United States on Monday unsealed criminal charges against six Russian intelligence officers in connection with some of the world’s most damaging cyberattacks, including disruption of Ukraine’s power grid and the release of a mock ransomware virus that infected computers globally and caused billions of dollars in damage.
The alleged hackers are members of the same military intelligence agency — the GRU — previously charged in connection with efforts to interfere in the 2016 U.S. presidential campaign. And one of those charged Monday, 29-year-old Anatoliy Kovalev, was also indicted as part of special counsel Robert S. Mueller III’s investigation of the alleged conspiracy to hack American election systems that year.
But the new indictment does not charge any Russians with attempting to interfere in this year’s contest, and officials said the announcement was not timed to the current political schedule.
Rather, the six Russians stand accused of what Justice Department officials say is the single most disruptive and destructive series of cyberattacks ever attributed to one group. The indictment, like others before it, is an effort, officials say, to pull the veil back on how Moscow has sought to punish or retaliate against detractors of the Russian Federation — whether they are former Soviet states, European nations or the United States.
“No country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite,” Assistant Attorney General John Demers said in announcing the indictment.
On the heels of the U.S. announcement, the British government levied its own accusation, saying the same GRU unit sought to hack individuals and organizations involved in the 2020 Summer Olympics and Paralympic Games that were due to take place in Tokyo. Foreign Secretary Dominic Raab condemned the effort as “cynical and reckless,” and said Britain will continue to work with its allies “to call out and counter” malicious attacks.
Russian officials dismissed Monday’s developments.
“The new allegations of cyberattacks aimed at interfering are another step to discredit Moscow,” Leonid Slutsky, chairman of the State Duma Committee on International Affairs, told the Interfax news agency. “Such statements have never been accompanied by strong evidence — it’s all in the category of ‘highly likely.’ ”
The charges read like a Top 10 list of cyberattacks and attempts, which authorities say were conducted by a team known as Unit 74455. Cybersecurity researchers have dubbed it the Sandworm Team.
In 2016, Unit 74455 worked in tandem with another GRU team, Unit 26165, to carry out the hack of Democratic computers and leak of emails ahead of that year’s election in 2016. Unit 26165 conducted the intrusion, officials determined, while their colleagues at Unit 74455 set up a website, DCLeaks, to display hacked emails. The GRU also leaked the emails to WikiLeaks, whose disclosure drew far more attention than the one on DCLeaks.
Although officials said Monday’s indictment was not a specific warning to Moscow to avoid interfering in this year’s election, they said it serves as a “general” warning that such activities are not deniable.
“Americans should be confident that a vote cast for their candidate will be counted for that candidate,” Demers said.
FBI Deputy Director David Bowdich said the charges show that “time and again, Russia has made it clear they will not abide by accepted norms and instead they intend to continue their destructive and destabilizing cyber behavior.”
The timeline of Unit 74455’s activities dates back to at least 2015. According to the indictment, the alleged hackers unleashed wave after wave of computer attacks on Ukraine — a former Soviet state engaged in ongoing conflict with Russia and a perennial target for Moscow.
In late 2015 and 2016, the alleged hackers launched computer attacks against Ukraine’s electric grid, officials said.
In the 2015 attack, the GRU tunneled into three electric distribution systems and disrupted circuit breakers remotely — the first cyberattack to cause a power outage, said Robert M. Lee, chief executive of Dragos, a cyber firm specializing in critical infrastructure. A year later, the Russians targeted a transmission company, employing more sophisticated malware designed specifically to interfere with electric grids, Lee said.
“These attacks turned out the lights and turned off the heat in the middle of the Eastern European winter, as the lives of hundreds of thousands of Ukrainian men, women and children went dark and cold,” Demers said.
Hackers also deployed malware against Ukraine’s Finance Ministry and State Treasury Service in late 2016, disconnecting the treasury’s automated payment system and temporarily disabling the Finance Ministry’s telecommunications infrastructure, the indictment said.
In 2017, U.S. officials said, the Russian military launched a more costly attack against Ukraine, one that quickly spread to computer systems around the world. That malware, dubbed “NotPetya,” is considered by many security experts to be the most destructive cyberattack ever unleashed. Disguised as ransomware ostensibly demanding money, NotPetya acted more like a forest fire, torching computer networks as it spread and inflicting billions of dollars in damages, officials said.
It infected computers at dozens of hospitals, doctors’ offices and medical facilities in western Pennsylvania as well as at a large drugmaker and a FedEx subsidiary, which collectively suffered nearly $1 billion in losses, officials said.
One U.S. pharmaceutical firm spent more than half a billion dollars to fix the problems caused by NotPetya, officials said.
The hack of a company supporting the 2018 Winter Olympics came in apparent retaliation for the International Olympic Committee’s ban on participation by the Russian team after the IOC found evidence of widespread doping by Russian athletes, officials said. Although individual athletes were allowed to compete in the Winter Games, they could not do so under the Russian banner or display the flag on their uniforms.
Demers said the Russians showed “the maturity of a petulant child” in choosing to attack the 2018 Games. That malware, dubbed “Olympic Destroyer,” deleted data from thousands of computers supporting the Games, rendering them inoperable, U.S. officials said. The authors of that software tried to make it look like the work of North Korea, but U.S. investigators and computer experts have said it was Russian.
The GRU attempted to replicate its 2016 success in hacking and leaking emails to disrupt the U.S. election by attempting a similar feat in France in 2017, officials said, but its effort fizzled when media organizations that received the emails refrained from reporting on them because of a mandatory news blackout on the eve of the election.
Nonetheless, the indictment shows that the GRU was trying for a while to get the hacked material placed, evidently without success. According to the charges, from April 12 through April 26, 2017, a GRU-controlled social media account contacted various French individuals offering them access to internal Macron campaign documents. Macron reported on May 6 — the day before the election — that the material had been disseminated.
The targeting of the organizations investigating the attempted assassination of Skripal did not result in apparent compromises, but took place as Britain announced it had identified the poison used as a military-grade nerve agent, Novichok, a class of chemical weapons developed in the former Soviet Union and Russia.
Although none of the defendants is in custody, Justice Department officials say the indictment educates the American public and the international community about Moscow’s aims, sends a message to others that “there’s no safe haven abroad,” and offers support to those who have been hurt.
“We want to stand behind the victims that have been targeted by this group,” said a department official, who spoke on the condition of anonymity because the person was not authorized to speak on the record. “Victims should not have to face foreign governments and their intelligence services alone.”
The other defendants charged Monday are Yuriy Andrienko, 32, Sergey Detistov, 35, Pavel Frolov, 28, Artem Ochichenko, 27, and Petr Pliskin, 32.
Isabelle Khurshudyan in Moscow contributed to this report.