US Indicts Sandworm, Russia’s Most Destructive Cyberwar Unit

Nearly half a decade ago, the Russian hackers known as Sandworm hit Western Ukraine with the first-ever cyberattack to cause a blackout, an unprecedented act of cyberwar that turned off the lights for a quarter million Ukrainians. They were just getting started. From there Sandworm embarked on a years-long spree of wantonly destructive attacks: another blackout attack on the Ukrainian capital of Kyiv in 2016, the release of the NotPetya worm in 2017 that spread globally from Ukraine to cause $10 billion in damage, and a cyberattack that temporarily destroyed the IT backend of the 2018 Winter Olympics in South Korea, among others.

Yet in spite of crossing every red line the cybersecurity world has tried to draw to protect civilian critical infrastructure from catastrophic hacking, Sandworm’s members had never been charged or even officially named in connection with those attacks. Until now.

On Monday, the Department of Justice unsealed charges including computer fraud and conspiracy against six of the hackers who allegedly make up Sandworm, a group also known in the security industry by the names Telebots, Voodoo Bear and Hades, and confirmed earlier this year to work in Unit 74455 of Russia’s GRU military intelligence agency based in a building known as the Tower in the Moscow suburb of Khimki. The indictment names all six Russian men, who are in their late twenties to early 30s: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, as well as Anatoliy Sergeyevich Kovalev, who was previously indicted two years ago for his alleged role in hacking US states’ boards of elections in 2016.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” Assistant Attorney General John Demers said in a statement.

“They continue to do disruptive and destructive attacks against anyone they perceive to be an adversary to Russia or to have slighted Russia in some way,” added a senior Justice Department official who asked not to be identified, in a call with WIRED. “This is probably one of the most dangerous and aggressive groups of hackers that’s out there.”

The charges represent not only the first criminal charges against Sandworm for its most destructive attacks, but the first time that most of the charged hackers have been publicly identified as members of the hacker group. Two other GRU hackers believed to be part of Sandworm—Aleksey Aleksandrovich Potemkin and Aleksandr Vladimirovich Osadchuk—were previously named in the separate 2018 indictment of 12 GRU hackers for hacking that interfered in the 2016 US election. Kovalev was also named in that 2018 indictment.

The new indictment also represents the first official acknowledgement from the US government that Sandworm was responsible for a cyberattack on the 2018 Winter Olympics, in which a piece of malware known as Olympic Destroyer took down much of the IT infrastructure of the Games just as the opening ceremony was beginning in Pyeongchang, South Korea. Olympic Destroyer contained layers of “false flags,” spoofed clues in its code designed to trick investigators into blaming North Korea or China.

In the aftermath, no government in the world seemed officially willing to blame the cyberattack on Russia, even as private intelligence firms like FireEye found strong evidence of Sandworm’s involvement, and US intelligence leaked its findings of Russia’s culpability to the Washington Post. (The European Union did finally name “Olympic Destroyer” as one of the known names for Sandworm in sanctions against the group in July, but without explicitly saying that the sanctions were in response to the Olympics attack.)