US authorities blame six GRU officers for the NotPetya, KillDisk and OlympicDestroyer attacks

Brother

The US Department of Justice has filed charges against six Russian citizens who are believed to be members of Sandworm (aka Telebots, BlackEnergy, Voodoo Bear and so on), one of the best-known government-sponsored hacking groups.

[image: Sandworm APT]

The American authorities claim that all the defendants serve in Unit 74455 of the Main Intelligence Directorate of Russia (GRU) and, on the orders of the Russian government, have carried out cyberattacks aimed at destabilizing other countries, interfering in their internal politics, and causing damage and monetary losses.

In particular, the DOJ links the Sandworm group to the following known incidents:
  • attacks on the government and critical infrastructure of Ukraine: from December 2015 to December 2016, attacks were carried out on the power system of Ukraine, the Ministry of Finance and the State Treasury Service using the BlackEnergy, Industroyer and KillDisk malware;
  • French elections: in April-May 2017, prior to the French elections, targeted phishing attacks and related hacking attempts were recorded against the political party La République En Marche!, French President Macron, other French politicians and local authorities in the country;
  • business and critical infrastructure around the world (NotPetya): on June 27, 2017, the massive NotPetya attacks began, affecting computers worldwide, including Heritage Valley healthcare facilities in Pennsylvania, a subsidiary of FedEx Corporation, TNT Express BV, and a major pharmaceutical manufacturer in the United States, which ultimately incurred losses in the amount of $1 billion;
  • organizers, participants, partners and visitors of the PyeongChang Winter Olympics: from December 2017 to February 2018, phishing campaigns and malicious mobile apps targeted South Korean citizens and officials, Olympic athletes, Olympic partners and visitors, and officials of the International Olympic Committee;
  • PyeongChang Winter Olympics IT systems (Olympic Destroyer): from December 2017 to February 2018, attacks were recorded on systems serving the PyeongChang Winter Olympics, culminating in a destructive attack on the opening ceremony of the Games on February 9, 2018, using the Olympic Destroyer malware;
  • Novichok poisoning investigations: in April 2018, targeted phishing campaigns were spotted against the Organization for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom's Defence Science and Technology Laboratory (DSTL), which were investigating the poisoning of Sergei Skripal, his daughter and several British citizens with a nerve agent;
  • attacks on Georgian government institutions: in 2018, a spear-phishing campaign targeting a large media company was noticed; in 2019 an attempt was made to compromise the parliament's network, and large-scale defacement attacks were noticed on a variety of websites.
According to court documents, the six GRU officers indicted are responsible for the following crimes:

[image: table of charges against the six indicted officers, from the court documents]

At a press conference, US officials said that the group's attacks were often based on the indiscriminate use of destructive malware, which not only led to financial losses at thousands of companies, but also put human lives at risk, demonstrating disregard for any rules and norms.

"This case demonstrates that no country in the world has used its cyber potential as maliciously and irresponsibly as Russia, which has purposelessly inflicted unprecedented collateral damage in order to achieve small tactical advantages and satisfy its bouts of aggression," said Assistant Attorney General for National Security John Demers, referring to the attack on the infrastructure of the Olympic Games, which occurred after Russian athletes were banned from participating in the Olympics, as well as to the NotPetya ransomware, which was originally aimed at Ukraine but over which the group lost control, causing damage to companies around the world.
"For example, the NotPetya malware prevented Heritage Valley from providing critical healthcare services to the citizens of the Western District of Pennsylvania and affected two hospitals, 60 offices and 18 ancillary facilities," the US Department of Justice said in a statement. "Due to the attack, patient lists, medical records, medical examination files and laboratory records were unavailable.
Heritage Valley lost access to its critical computer systems (for example, those related to cardiology, nuclear medicine, radiology and surgery) for about a week, and to its administrative systems for almost a month, which posed a threat to public health and safety."

All six accused are currently at large in Russia. If they are detained and brought to justice in the US, each of them faces a sentence of several decades in prison.