US Accuses Six GRU Officers of Major Global Cyberattacks
The US Department of Justice has charged six Russian nationals, believed to be members of the Sandworm group (also known as Telebots, BlackEnergy, Voodoo Bear, among others), one of the most notorious state-sponsored hacker groups. According to US authorities, all defendants serve in Unit 74455 of Russia’s Main Intelligence Directorate (GRU) and carried out cyberattacks under orders from the Russian government to destabilize other countries, interfere in their internal affairs, and cause damage and financial losses.
Key Incidents Linked to Sandworm
- Attacks on Ukraine’s Government and Critical Infrastructure (2015–2016): Cyberattacks targeted Ukraine’s power grid, Ministry of Finance, and State Treasury Service using malware such as BlackEnergy, Industroyer, and KillDisk.
- French Elections (2017): In April–May 2017, targeted phishing attacks and hacking attempts were directed at President Macron’s political party “La République En Marche!”, other French politicians, and local authorities ahead of the French elections.
- Global Business and Critical Infrastructure (NotPetya, 2017): On June 27, 2017, the NotPetya malware spread worldwide, disrupting computers across many sectors. Victims named in the indictment include Heritage Valley Health System in Pennsylvania, FedEx’s subsidiary TNT Express BV, and a major US pharmaceutical manufacturer, which together suffered nearly $1 billion in losses.
- Winter Olympics Organizers and Participants (2017–2018): From December 2017 to February 2018, phishing campaigns and malicious mobile apps targeted South Korean citizens and officials, Olympic athletes, partners, visitors, and International Olympic Committee officials.
- IT Systems of the PyeongChang Winter Olympics (Olympic Destroyer, 2018): Attacks on systems supporting the Winter Olympics culminated in a destructive cyberattack during the opening ceremony on February 9, 2018, using the Olympic Destroyer malware.
- Novichok Poisoning Investigations (2018): In April 2018, targeted phishing campaigns aimed at the Organization for the Prohibition of Chemical Weapons (OPCW) and the UK’s Defence Science and Technology Laboratory (DSTL) were linked to investigations into the poisoning of Sergei Skripal, his daughter, and several UK citizens.
- Attacks on Georgian Government Institutions (2018–2019): In 2018, a major media company was targeted by phishing, and in 2019, there was an attempt to compromise the Georgian parliament’s network, along with widespread defacement attacks on various websites.
Details of the Charges and Impact
According to court documents, the six GRU officers are charged with carrying out these intrusions. At a press conference, US officials stated that the group’s attacks often involved indiscriminate use of destructive malware, resulting in financial losses for thousands of companies and putting human lives at risk, showing disregard for any norms or rules.
“This case demonstrates that no country has used its cyber capabilities as maliciously and irresponsibly as Russia, causing unprecedented collateral damage for minor tactical gains and to satisfy its bouts of aggression,” said John Demers, Assistant Attorney General for National Security, referencing the attack on Olympic infrastructure after Russian athletes were banned from the Games, and NotPetya, a destructive wiper disguised as ransomware that was initially aimed at Ukraine but spiraled out of control, affecting companies worldwide.
For example, the NotPetya malware disrupted Heritage Valley’s ability to provide critical medical services to citizens in Western Pennsylvania, impacting two hospitals, 60 offices, and 18 auxiliary facilities. According to the US Department of Justice, “Patient lists, medical histories, examination files, and lab records were unavailable due to the attack. Heritage Valley lost access to its critical computer systems (such as those for cardiology, nuclear medicine, radiology, and surgery) for about a week, and to administrative systems for nearly a month, creating risks to public health and safety.”
Currently, all six defendants remain at large in Russia. If apprehended and brought to trial in the US, each faces several decades in prison.