
DOJ Charges Sandworm, Group Behind Destructive NotPetya Attack

by Chris Brook on Tuesday October 20, 2020


That Russians were behind the attacks has always been a foregone conclusion to many experts, but this is the first time that the U.S. has formally made the accusation.

In 2017 the NotPetya malware brought many parts of the world to a standstill. In many ways it was the worst cyberattack in history - knocking hundreds of companies offline, permanently wiping data, and costing billions in the process.

Now, three years later, the U.S. government is finally pointing fingers. On Monday the Department of Justice charged six Russian nationals in connection with the attack, a subsequent 2018 attack on the Winter Olympic Games, the 2015 and 2016 blackouts in Ukraine, the targeting of the 2017 French election, and a slew of other attacks.

In an indictment returned by a federal grand jury in Pittsburgh, six hackers were charged, all connected to Unit 74455 of Russia's Main Intelligence Directorate, the GRU, a unit also known as Sandworm. In some security circles, the group is also referred to as Telebots, Voodoo Bear, Iron Viking, and Hades.

In addition to NotPetya, the men were behind destructive malware including BlackEnergy, Industroyer, KillDisk, and Olympic Destroyer, the DOJ said Monday.

The indictment is yet another public denouncement of Russia's hacking power.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” Assistant Attorney General for National Security John C. Demers said during a press conference, “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.”

That Russians were behind the hacks has been a foregone conclusion to many experts, but this is the first time that a major law enforcement unit has made the accusation. The CIA attributed the attack to Russia "with high confidence" in classified reports in November 2017, but that's largely where it stopped as far as the U.S. government is concerned.

As WIRED’s Andy Greenberg, who penned a book on the Sandworm group last year, noted on Twitter, this kind of accountability - publicly naming the men, even though it's highly unlikely they'll ever see the inside of a courtroom - has long been lacking from the U.S., at least when it comes to Russia. The U.S. government has gone on record blaming hackers from China for targeting U.S. firms involved in coronavirus research and for hacking Equifax and Marriott Starwood hotels.

In total, the prosecutors pinned seven incidents on Sandworm:

  • Attacks against Ukraine's electric power grid (BlackEnergy, Industroyer, and KillDisk)
  • Spearphishing campaigns targeting French President Macron’s “La République En Marche!” (En Marche!) political party
  • The NotPetya attacks
  • Attacks connected to the PyeongChang Winter Olympics, including attacks against South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials
  • Attacks against the systems and infrastructure that supported the games (Olympic Destroyer)
  • Spearphishing campaigns targeting investigations around the nerve agent poisoning of Sergei Skripal, a former Russian military officer, his daughter, and several U.K. citizens
  • Spearphishing campaigns targeting companies and government entities in Georgia

NotPetya, for the uninitiated, knocked hundreds of mission-critical computer systems offline for a week, including those belonging to Heritage Valley Health Systems, a Pennsylvania healthcare system, leaving patient lists, histories, physical examination files, and lab records unavailable.

It also affected the law firm DLA Piper, construction company Saint-Gobain, Russian oil company Rosneft, pharmaceutical company Merck & Co, the shipping company Maersk, and the food company Mondelez.

The DOJ broke down in detail what each Russian military intelligence officer did. One, Pavel Valeryevich Frolov, for example, only developed NotPetya and KillDisk; another, Sergey Vladimirovich Detistov, developed NotPetya but also prepared spearphishing campaigns around the Winter Olympic Games.

The news came the same day the Guardian reported, citing intelligence from the UK's National Cyber Security Centre, that Russian military intelligence services had also been planning a cyberattack against the Olympics in Tokyo this past summer, indicating the country still sought to disrupt the Olympics after it was banned several years ago.
