The U.S. Department of Justice plays the long game.
That much was made clear Monday as the DOJ announced charges against six Russian military officers accused of launching a string of damaging cyberattacks dating back to 2015. The men, all members of the Russian Main Intelligence Directorate (GRU), are allegedly behind the notoriously destructive NotPetya and Olympic Destroyer malware (among others).
NotPetya, disguised as ransomware, is a type of malware that appeared to intentionally damage victims’ computer systems. Unlike typical ransomware, which encrypts users’ files and demands payment to unlock them, NotPetya seemed designed to destroy what it touched. The Olympic Destroyer malware, for its part, targeted the 2018 Winter Olympics, and security experts at the time described its goal as one of “embarrassment.”
Like the famed WannaCry ransomware, NotPetya employed a leaked NSA exploit known as EternalBlue to power its spread.
Monday’s press release and corresponding unsealed indictment lay out the vast scale of the operation which began around November of 2015.
These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.
The DOJ alleges that, in addition to the above-listed victims, the NotPetya malware disrupted hospital systems in the U.S. One such victim, cited in the press release, is Western Pennsylvania’s Heritage Valley health care system. The malware reportedly “caused the unavailability of patient lists, patient history, physical examination files, and laboratory records” as well as prevented access to “mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week[.]”
This tangible impact on real people’s health was on top of the close to $1 billion in financial damages allegedly suffered by the Heritage Valley Health System, a FedEx Corporation subsidiary, and an unnamed “large U.S. pharmaceutical manufacturer.”
A third strain of malware, KillDisk, was allegedly designed by one of the indicted Russian hackers. It would, in addition to destroying computer files, draw an image of the mask from the show Mr. Robot on victims’ computer screens.
This is the real image, contained in the indictment, that would show up on some victims’ computers.
Image: screenshot / doj unsealed indictment
“[Pavel Valeryevich Frolov] designed the malware to draw the image in real time on the infected computer’s screen,” reads the unsealed indictment.
In addition to leaving a pop culture calling card, KillDisk was intended to “delete computer event logs and other files and reboot the infected computers,” explains the indictment. “Once rebooted, the infected computers were inoperable.”
Alleged GRU hackers.
Image: Doj
The six men, ranging in age from 27 to 35, are charged with “conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.”
These guys, too.
Image: doj
Notably, tech giants played a role in getting to the bottom of the attacks. The press release specifically thanks Google, Cisco, Facebook, and Twitter for “the assistance they provided in this investigation.”
And two more.
Image: doj
While if convicted the six men would face potentially decades in prison, they are not currently in custody. As of Monday, they were all listed on the FBI’s most wanted cybercriminals list.