SecureWorld News

NotPetya and Olympic Destroyer Malware: 6 Russian Officers Charged

Written by SecureWorld News Team | Tue | Oct 20, 2020 | 6:17 PM Z

They are all members of Unit 74455 of the Russian Main Intelligence Directorate (GRU).

A grand jury in Pittsburgh, Pennsylvania, just indicted six members of this Russian military unit for unleashing some of the most widespread and damaging cyberattacks ever seen.

Russian officers charged in NotPetya cyberattack

The NotPetya cyberattack crashed networks around the globe, doing billions in damage. But the GRU members being charged in this case started with other strains of malware and a narrow target: Ukraine's power grid.

U.S. Assistant Attorney General for National Security, John Demers, says the power grid attacks in 2015 and 2016 were the first known destructive attacks against civilian critical infrastructure. They plunged Ukraine's cities into darkness. Again, that was the start. According to Demers:

"From there, the conspirators' destructive path... widened to encompass virtually the whole world. In what is commonly referred to as the most destructive and costly cyber attack ever, the conspirators unleashed the 'NotPetya' malware.

Although it masqueraded as ransomware, designed to extort money, this was a false flag: the co-conspirators designed the malware to spread with devastating and indiscriminate alacrity—bringing down entire networks in seconds and searching for remote computer connections through which to attack additional innocent victims, all without hope of recovery or repair. The entirely foreseeable result was that the worm quickly spread globally, shutting down companies and inflicting immense financial harm."

Following that, the hackers in this case used cyberattacks to respond to a source of national embarrassment for Russia.

The GRU's Olympic Destroyer malware

Russia's Olympic athletes and programs felt the sting of international penalties for illegal doping. And members of GRU Unit 74455 launched an attack to sting back.

Demers did not hold back on this allegation:

"Their cyber attack combined the emotional maturity of a petulant child with the resources of a nation state. They conducted spearphishing campaigns against South Korea, the host of the 2018 PyeongChang Winter Olympic Games, as well as the International Olympic Committee, Olympic partners, and athletes.

Then, during the opening ceremony, they launched the 'Olympic Destroyer' malware attack, which deleted data from thousands of computers supporting the Games, rendering them inoperable. Although the conspirators took steps to pin the Olympic Destroyer attack on North Korea, this second false-flag attempt also failed. Cybersecurity researchers ultimately attributed the attack to Sandworm Team, as we do today."


Which GRU members are charged in these global cyberattacks?

Here is a look at the different players charged in the NotPetya and Olympic Destroyer cyberattacks, and their involvement, according to the U.S. Department of Justice:

Timeline of the GRU cyberattacks involved in this case

Now, let's look at a chronological account of the cyberattacks the suspects in this case are charged with unleashing on the world. We'll include details on the malware variants being used, as well.

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine's electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron's "La République En Marche!" political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom's Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

Russia just proposed a cyber 'reset' with the United States

These charges come shortly after Russian leaders said they would like to enter a new era of cyber collaboration and norm setting with the United States.

Demers says these charges, and the related cyberattacks, show how absurd something like that would be.

"Today's allegations, in their entirety, provide a useful lens for evaluating Russia's offer two weeks ago of a cyber 'reset' between Russia and the United States.

Russia is certainly right that technologically sophisticated nations that aspire to lead have a special responsibility to secure the world order and contribute to widely accepted norms, peace and stability. That's what we're doing here today.

But this indictment lays bare Russia's use of its cyber capabilities to destabilize and interfere with the domestic political and economic systems of other countries, thus providing a cold reminder of why its proposal is nothing more than dishonest rhetoric and cynical and cheap propaganda."

Read Demers' complete remarks for yourself.
