On Oct. 19, the Justice Department unsealed an indictment naming six Russian military intelligence officers, members of GRU Unit 74455, also known as “Sandworm.” The GRU “hackers” have been indicted for conspiracy, computer fraud, wire fraud, and aggravated identity theft, undertaken throughout a series of high-impact cyber operations dating back to 2015. While the level of detail in the indictment is impressive, it ultimately reveals very little of note beyond what was already publicly known, given how many of the cyber operations at issue were already publicly attributed to Russia and even to this specific GRU unit. It thus serves as the latest example of DOJ’s head-scratching policy of indicting state actor hackers in an ostensible effort to deter or punish their activity, when the hackers themselves are exceedingly unlikely to see the inside of a U.S. courtroom and their government employers rarely face additional consequences.
However, related statements by government officials about how the investigation was conducted, along with recent reporting related to U.S. actions against Russian cybercriminals, signal a potential bright path forward in countering malicious foreign cyber activity.
The Indictment Is Detailed, But Reveals Little New Information
The indictment discusses six major GRU cyber campaigns, providing a level of detail that suggests U.S. investigators deeply infiltrated the GRU’s operations. However, at the time of the filing, each of the campaigns had already been attributed to the GRU, and the United States had already previously condemned or imposed penalties on GRU officers for several of them.
The indictment first details a series of attacks on Ukraine’s electrical grid and various Ukrainian government agencies in 2015 and 2016. While at the time Ukraine and private cybersecurity researchers immediately pointed at Russia, the connection to the GRU was not drawn with more certainty until 2018 when private researchers conclusively linked the malware used in the 2015 and 2016 attacks to the malware used in the 2017 NotPetya attacks (discussed below), which the CIA had already attributed to the GRU. The indictment provides a thorough account of how the attacks were carried out (including the fun detail that the KillDisk malware used in the Ukraine grid attacks contained several references to the television show “Mr. Robot”), but the general methodology and overall attribution to the Russian government are not new revelations.
Second, the indictment discusses the hack-and-leak operation against Emmanuel Macron’s presidential campaign during the 2017 French election. The indictment identifies the responsible GRU officer by name and describes the spearphishing email he used in the attack. However, again, these general revelations are not new, as U.S.-based cybersecurity researchers tied the operation to the GRU within a week of it happening in 2017.
Third, the indictment describes the 2017 NotPetya worm, which spread rapidly around the world, using the leaked NSA tool “EternalBlue” to exploit a vulnerability in unpatched Windows systems. NotPetya affected government entities, multinational companies, hospitals, and more, resulting in an estimated $10 billion in total damages worldwide. The indictment details which GRU officers authored specific pieces of malware used in the operation and which officers celebrated the deployment of the malware. However, the attribution is again old news—in March 2018, in response to NotPetya and Russian interference in the 2016 U.S. election, the Treasury Department sanctioned the GRU itself and six GRU officials under the Countering America’s Adversaries Through Sanctions Act (CAATSA) and Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”). The European Union also sanctioned the same GRU unit, Unit 74455, for NotPetya in July 2020.
Fourth, the indictment outlines the “Olympic Destroyer” attacks of 2018 against IT systems at the Winter Olympics in PyeongChang, South Korea. These attacks were noteworthy in that the GRU hackers tried to leave clues that would lead back to the North Korean “Lazarus Group” in an attempted false flag operation. At the time, Russia’s foreign ministry said: “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games. … Of course, no evidence will be presented to the world.” While the indictment conclusively proves Russia’s foreign ministry wrong, U.S. government officials leaked that the operation was attributable to GRU hackers from Unit 74455 less than two weeks after the attacks.
Fifth, the indictment addresses a series of 2018 spearphishing campaigns against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands and the United Kingdom’s “Defense Science and Technology Laboratory” related to investigations into the Russian poisoning of former Russian-spy-turned-defector Sergei Skripal and his daughter. Interestingly, in October 2018, the Justice Department indicted four different GRU officers involved in the same cyber operations against the OPCW (among other activities); these officers had traveled to the Netherlands to intercept Wi-Fi traffic at OPCW’s headquarters a week after the attempted spearphishing campaigns described here, but were caught by Dutch intelligence. Those four GRU officers were sanctioned by the Treasury Department in 2018 and by the EU in July 2020.
Finally, the indictment describes a broad cyber campaign against government and private sector entities in Georgia in 2018 and 2019. These attacks mainly targeted media entities and government websites, disrupting broadcasts and defacing websites with the image of an exiled former Georgian president, without any apparent goal beyond causing chaos. In February 2020, Secretary of State Mike Pompeo publicly attributed these attacks to Unit 74455 and condemned them.
While not mentioned in the indictment, a recent public announcement by the United Kingdom also described GRU malicious cyber activity targeting the postponed 2020 Olympic Games. Overall, the indictment and the U.K.’s announcement suggest a busy and relentless GRU.
The Indictment of State Actor Hackers Has Failed to Deter Malicious State Cyber Activity
The most damning statement against the multi-year experiment of indicting foreign state actor hackers for the ostensible purpose of deterring them might be the statement of Assistant Attorney General for National Security John Demers at the announcement of this most recent indictment: “No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.” The Justice Department began indicting foreign state actor hackers in 2014, and this is the thirteenth such indictment (the fourth of Russian state actors and the third of GRU officers specifically). As more time passes and countries realize that they face few significant consequences from these indictments, they may actually grow more emboldened. For example, one year after the first indictment of Chinese military hackers in 2014, President Xi Jinping pledged to President Barack Obama that China would cease all cyber-enabled economic espionage. Yet, Chinese state hackers have been indicted by the Justice Department for economic espionage twice this year. If Russian state hackers still appear to be interfering in the upcoming U.S. election after these four indictments, the idea that these indictments have a deterrent effect strains credulity.
In fact, one of the GRU officers indicted this week, Anatoliy Sergeyevich Kovalev, was previously indicted by the Justice Department for his role in Russia’s 2016 election interference campaign. The Treasury Department also designated him for sanctions for his involvement in that campaign. FBI Deputy Director David Bowdich commented that the indictments highlight the FBI’s capabilities and show the FBI’s ability to “investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.” Mr. Kovalev and his colleagues either do not find the “risks and consequences” particularly severe or fear greater “risks and consequences” from their Russian employer if they cease their work for the GRU, despite the theoretical risk of restricted international travel and exclusion from the U.S. financial system because of a looming U.S. indictment.
As the U.S. intelligence community has confirmed that Russia is once again trying to intervene in U.S. elections through cyber operations, one wonders whether Mr. Kovalev will eventually earn his third indictment for election-related cyberattacks. It is notable that in Mr. Kovalev’s case, the U.S. has singled out one individual for indictment related to cyber-enabled interference in the 2016 U.S. presidential election and the 2017 French presidential election, while evidence suggests that the Russian government has undertaken a widespread election interference campaign all over Europe. Historically, state intelligence activities have been dealt with outside of the domestic criminal justice system. For example, in 2001, after FBI agent Robert Hanssen was exposed as a Russian asset, the United States declared 50 Russian diplomats “persona non grata” and expelled them (also known as “PNGing”). After ten Russian spies were arrested in the U.S. in 2010, they were transferred to Russia in exchange for the release of four Russian prisoners. The Justice Department’s decision to start indicting state actor hackers is a shift from this norm.
Prosecutors may disfavor the nomenclature “naming & shaming” to describe these indictments because it can distract from the fact that these are legitimate indictments attempting to hold criminals accountable in the name of their victims and the American people. But it is not an off-base descriptor. After six years of indictments, no foreign state actor hacker has yet faced an American courtroom. With multiple indictments and thousands of pages from the Senate Select Committee on Intelligence detailing Russian election interference, any hope of shame seems a bridge too far.
These Cyber Indictments Are Not Worth the Revelation of Sources and Methods
Yet, this indictment, which is much more detailed than previous press releases, public statements, or even earlier indictments of foreign actors, does reveal clues as to the extent of U.S. access to GRU systems. The indictment reveals knowledge of GRU servers, domains, cryptocurrencies, email accounts, social media accounts, and more. One sentence suggesting a deep level of exploitation notes: “Conspirators made efforts to cover their tracks by deleting information from their operational accounts and deleting data on servers they controlled or had compromised.” While experts undoubtedly scrub documents like these to minimize the revelation of “sources and methods,” that review can never be perfect. For example, Bellingcat investigator Aric Toler was able to identify that the FBI almost certainly obtained the “Wanted” poster photos of the GRU officers using the Russian facial recognition site “FindClone,” which can connect a reverse image search (using, e.g., a snapshot from an exploited webcam) to someone’s profile on the Russian social network Vkontakte (VK). This knowledge might encourage the GRU to take greater steps to obscure the identities of its operatives and ensure that photos of them are removed from social media sites like VK and databases like FindClone that cache even deleted images from these sites. U.S. intelligence agencies likely benefit from being able to track the names of GRU operatives and obtain their photos, so if the GRU tightens its operational security, U.S. counterespionage efforts may become more difficult.
If indictments such as this one provide a roadmap for groups like the GRU to improve their operational security, but fail to deter them, it is hard to see their worth when there are plenty of other cybercriminals without state sponsorship worth indicting. In a world of limited resources, it seems to make more sense for the FBI and Justice Department lawyers to focus on those criminals and let U.S. intelligence agencies, the Defense Department, State Department, and Treasury Department focus on pushing back in their respective ways against state actors. The Treasury and State Departments might even convince the European Union, which recently imposed sanctions against Russian state hackers for the second time this year, to develop a maximum pressure campaign against Russia for this activity, without having to reveal sources and methods as indictments require.
Hints of Cooperation Reveal a Bright Path Forward for Combatting Malicious Cyber Activity
One aspect of the indictment and its related announcements marked a positive sign for the way forward in pushing back against malicious cyber activity. The Justice Department and FBI noted that they received “significant cooperation and assistance” from Ukraine, South Korea, New Zealand, the United Kingdom, Google, Cisco, Facebook, and Twitter. This kind of international, public-private cooperation may prove extremely effective if continued as part of ex ante disruption campaigns—which may be going on, but not publicly reported—rather than just ex post criminal indictments.
Recent reporting about efforts by U.S. Cyber Command and Microsoft to disrupt the Russian botnet “Trickbot” signals that this public-private disruption strategy may be picking up steam. While the efforts were not coordinated, the news about Cyber Command’s efforts might be a sign that its “persistent engagement” campaign—which has included its disruption of Russian troll farm the Internet Research Agency during the 2018 midterm elections—is more widespread than reported. Microsoft announced that it convened “an international group of industry and telecommunications providers” in its efforts to disrupt Trickbot. Microsoft undertook the campaign as part of a new legal strategy, requesting a court order from the U.S. District Court for the Eastern District of Virginia to halt intellectual property violations by the botnet before dismantling parts of its infrastructure.
If the private sector and public sector continue to innovate and cooperate internationally, the world could unleash an effective force to disrupt malicious cyber activity, whether attempted by private or state actors.