WASHINGTON (NYTIMES) – The Justice Department on Monday (Oct 19) unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign that caused mass disruption and cost billions of dollars by attacking targets like a French presidential election, the electricity grid in Ukraine and the opening ceremony of the 2018 Winter Olympics.
Prosecutors said the suspects were from the same unit that helped distribute stolen Democratic emails in the 2016 election. Though Justice Department officials played down the timing of the announcement two weeks before the presidential election, it nevertheless served as US officials’ latest censure of Russia’s hostile intrusions into other countries’ affairs, even as President Donald Trump has adopted a more accommodating stance toward Moscow.
The prosecutors focused on seven breaches that together showed how Russia sought in recent years to use its hacking abilities to undermine democratic institutions and ideals, retaliate against enemies and destroy rival economies.
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, the assistant attorney-general for national security.
He added, “Their cyber attack combined the emotional maturity of a petulant child with the resources of a nation-state.”
The Russian Embassy in Washington strongly denied the allegations. “It is absolutely obvious that such news breaks have no bearing on reality and are aimed at whipping up Russophobic sentiments in American society, at launching a ‘witch hunt’ and spy mania, which have been a distinctive feature of the political life in Washington for several years,” the embassy’s press office said in a written statement Monday.
Prosecutors said the suspects worked for Unit 74455 of the Main Directorate of Russian military intelligence, commonly referred to as the GRU.
Known among cyber security analysts as Sandworm, the unit worked hand in hand with another GRU unit to leak Democrats’ stolen emails during the 2016 election, embarrassing Hillary Clinton’s campaign in the final stretch.
Cyber security and national security experts had long argued that the Russians were behind the hacks that prosecutors detailed Monday. But the indictment was the first time a major law enforcement agency made the allegation, bolstering the hacking unit’s notoriety as one of the most audacious in the world.
“The GRU’s hackers operate as a strategic arm of the Russian state, and they have been using this cyber tool as a military weapon in a military campaign,” said Thomas Bossert, Trump’s first Homeland Security adviser, who is now the president of security firm Trinity Cyber.
One of the suspects charged in the newly unsealed indictments, Anatoliy Sergeyevich Kovalev, was indicted two years ago on charges announced by the special counsel, Robert Mueller, over the 2016 election hacks. Kovalev was accused of playing a role in hacking election administration infrastructure alongside a larger scheme by other GRU officers indicted in the thefts and release of emails from Democratic computer networks.
The new charges did not address 2020 election interference; US intelligence agencies have assessed that Russia is trying to influence the vote in November.
The charges also showed the limits of the United States’ power to deter Russia. Many of the breaches occurred after the US imposed sanctions and publicly rebuked Russia over its 2016 election sabotage, and it is highly unlikely that the Kremlin will hand over the intelligence officers to stand trial in American courts.
Among the operations that the Justice Department cited was the release of stolen documents just as voting was beginning in France’s presidential election in 2017, an apparent bid to hurt Emmanuel Macron in his eventual victory against Marine Le Pen, a far-right candidate supported by Moscow. Security researchers at the time quickly blamed Russia.
Unlike the distribution of hacked emails in the 2016 American election, the French operation mixed genuine documents with altered material.
The French news media largely ignored the stolen documents, in part because of questions of their authenticity, but also because France was in a government-mandated blackout period immediately before the vote.
US officials have warned that Russia could repeat those tactics in the presidential race this year, mixing falsified material with real stolen documents in a way that makes it difficult to tell fact from fiction.
The indictment also portrayed Russia as determined to disrupt the 2018 Winter Olympics in Pyeongchang, South Korea, in retaliation for its embarrassing ban from the Olympics over its systemic efforts to undermine anti-doping rules.
The GRU for months sent spoofed emails to members of the International Olympic Committee, athletes and companies, posing as Olympics or Korean government officials to trick the recipients into giving them access to key Olympics infrastructure. At one point, they hacked a company that provided timekeeping services to the Olympics, court papers showed.
Having laid their trap, the Russian officers attacked the opening ceremony of the games, taking down internet access and telecasts, grounding broadcasters’ drones, shutting Olympics websites and preventing spectators from attending the opening ceremony.
Security experts labelled the attack Sour Grapes for its spiteful nature.
“If you were under the impression that, after 2016, they hung it up and gave up their aggressive behaviour, the fact they hacked the Olympics should disabuse you of that notion,” said John Hultquist, director of threat intelligence at FireEye, a Silicon Valley cyber security firm.
“It was a vindictive attack. There was no clear geopolitical reason to do that. And it impacted the entire international community.” Experts had initially blamed North Korea for the attack but later determined that the GRU used North Korean hacking tools to throw off investigators.
As the Justice Department unsealed the indictment Monday, British officials also revealed new details of a similar Russian plot to disrupt the Tokyo Olympics, which had been scheduled for this summer but were postponed until 2021 because of the coronavirus.
Britain’s foreign secretary, Dominic Raab, condemned the attacks as “cynical and reckless.” The allegations threatened to undermine Russia’s efforts to lift a four-year ban from international sports, including the Olympics, at the Court of Arbitration for Sport, which has yet to rule on the matter.
“The IOC and the organising committees of the Olympic Games have identified cyber security as a priority area and invest a lot to offer the Olympic Games the best cybersecurity environment possible,” the IOC said in a statement Monday. “Given the nature of the topic, we do not divulge those measures.”
The Justice Department indictment said the suspects were also responsible for developing malware used in attacks on Ukraine’s power grid. The first, on Dec 23, 2015, infiltrated Ukrainian energy companies, cutting power for hours to more than 200,000 residents in the country’s west.
In a follow-up in late 2016 that targeted the power grid in Kyiv, Ukraine, the suspects used a second piece of malware, called Industroyer, to cut electricity for an hour, the indictment said. The malware, according to experts, posed one of the greatest digital threats to critical infrastructure since Stuxnet, the computer attack by the United States and Israel that took out Iran’s uranium centrifuges in 2009.
The suspects were also accused of carrying out an attack in June 2017 that is considered the most costly in history. Called NotPetya, it was originally aimed at Ukraine but quickly boomeranged around the world, paralysing some of the biggest corporations in Europe and the United States at an estimated total cost of US$10 billion (S$13.5 billion).
It was never clear, intelligence experts said, whether Russia intended to limit the attack to the Ukrainian economy and any company that dared to do business with Ukraine, or whether it knowingly built a tool that would wreak global havoc.
But the estimated cost to Mondelez, the maker of Oreo cookies and Ritz crackers, alone was more than US$100 million; Merck, the pharmaceutical giant, reported some US$700 million in damage; the attack also impeded computer use at hospitals and medical facilities in western Pennsylvania.
In 2019, the same suspects took aim at the government of the country of Georgia, the indictment said. They defaced about 15,000 websites and replaced many homepages with images of the country’s former president, known for his efforts to counter Russian influence, alongside the caption “I’ll be back,” an apparent bid to try to avoid detection.
At a news conference in Washington to announce the indictments, Demers, the Justice Department’s top national security official, took direct aim at President Vladimir Putin of Russia, who made an unusual appeal for a cyber “reset” with the United States last month.
Demers said the indictments were “a cold reminder of why its proposal is nothing more than dishonest rhetoric and cynical and cheap propaganda.” He also took a dig in a news release at Putin’s claims that he is restoring Russia to greatness.
“No nation,” Demers said, “will recapture greatness while behaving in this way.”
Michael S. Schmidt and Nicole Perlroth