U.S. Charges 5 GRU Officers, 1 Civilian, with Conspiracy to Hack Ukraine’s Government Prior to 2022 Invasion
U.S. prosecutors charged six Russian nationals for their alleged role in a conspiracy to hack Ukraine’s government prior to Russia’s invasion in February 2022, according to an indictment unsealed Thursday.
The indictment, returned by a federal grand jury in the U.S. state of Maryland, alleges that five officers of Unit 29155 of the Russian Main Intelligence Directorate (GRU) and a sixth person, a civilian, took part in the scheme, which targeted Ukraine and 26 North Atlantic Treaty Organization (NATO) countries.
The charged officers are Vladislav Borovkov, Denis Denisenko, Yuriy Denisov, Dmitry Goloshubov, and Nikolay Korchagin. The civilian is Amin Stigal, who was already under indictment for conspiracy to commit computer intrusion. All six are charged with conspiracy to commit computer intrusion and wire fraud conspiracy.
The defendants allegedly engaged in a “conspiracy to hack into, exfiltrate data from, leak information obtained from, and destroy computer systems associated with the Ukrainian government in advance of the Russian invasion of Ukraine,” according to the U.S. Department of Justice (DOJ). “The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data.”
The systems the conspirators are said to have targeted included government systems with no data pertaining to Ukraine’s military or defense.
“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said U.S. Assistant Attorney General Matthew G. Olsen of the National Security Division in a statement.
The indictment claims that on 13 January 2022, the defendants conspired to use a U.S.-based company’s services to distribute malware known as “WhisperGate.” Although it was made to look like ransomware, WhisperGate is a “cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine,” according to the DOJ.
The conspirators allegedly used this cyberweapon to target dozens of Ukrainian government computer systems, including the Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, and the Ministry of Agriculture.
The defendants attempted to “cover their tracks by pretending to be criminals engaged in ransomware attacks,” Olsen explained, adding that they demanded Bitcoin payments to return data they knew had already been destroyed.
“In conjunction with these attacks, the defendants compromised several of the targeted Ukrainian computer systems, exfiltrated sensitive data, including patient health records, and defaced the websites to read: ‘Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present, and future,’” the DOJ explained. “That same day, the defendants offered the hacked data for sale on the Internet.”
The defendants are also charged with hacking the transportation infrastructure of a Central European country that was providing support to Ukraine after the 2022 invasion began. That intrusion built on reconnaissance the defendants allegedly started in August 2021, when they probed protected computer systems, including ones in 26 NATO countries, for potential vulnerabilities.
“The indictment further alleges that from 5 August 2021 to 3 February 2022, the defendants leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks,” the DOJ said.
The United States has no extradition treaty with Russia. Instead, the U.S. Department of State is offering a reward of up to $10 million under its Rewards for Justice program for information that leads to the identification or location of the defendants.
“Through strokes on a keyboard, the accused criminals used computers to cross into countries, hunting for weaknesses and seeking to harm,” said Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office, which led the investigation. “We are united in identifying, prosecuting, and protecting against future crimes, and vow to relentlessly hunt down and counter these threats.”
Alongside the release of the charges, the U.S. National Security Agency (NSA), FBI, Cybersecurity and Infrastructure Security Agency (CISA), and allies released an advisory about Unit 29155’s activities and recommendations to improve cybersecurity posture.
“This Cybersecurity Advisory contains comprehensive information about GRU Unit 29155 cyber actors and their cyber activity,” said David Luber, NSA’s cybersecurity director, in a statement. “It is important for organizations to use this information and take immediate action to secure data and mitigate any harm caused by these malicious cyber actors.”
Unit 29155 actors have conducted computer network operations against NATO members, as well as countries in Europe, Latin America, and Central Asia, according to the advisory.
“Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine,” the advisory said. “To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.
“Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries.”
Recommended actions in the advisory include:
- Prioritizing routine system updates and remediating known exploited vulnerabilities.
- Segmenting networks to prevent the spread of malicious activity.
- Enabling phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
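One practical way to act on the first recommendation is to cross-reference your asset inventory against CISA’s Known Exploited Vulnerabilities (KEV) catalog and rank findings by urgency rather than by CVSS score alone. The script below is an added example written for this article; it is not code from the advisory, the DOJ, or any vendor. It mirrors the field names of the public KEV JSON feed (cveID, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the catalog entries, CVE identifiers, and host inventory embedded in it are constructed placeholders, not real vulnerabilities or real systems.

```python
"""Rank KEV hits across an asset inventory so the most urgent patches surface first.

Added example for this article, not code from the CISA/NSA/FBI advisory.
The feed below has the shape of the CISA KEV JSON catalog, but every entry,
CVE ID and hostname is a constructed placeholder.
"""
import json
from datetime import date

# Constructed sample feed in the shape of the CISA KEV JSON catalog (placeholder data).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2024-09-05T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
         "product": "Example VPN Gateway",
         "vulnerabilityName": "Placeholder authentication bypass",
         "dateAdded": "2024-08-01", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2024-08-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
         "product": "Example Wiki",
         "vulnerabilityName": "Placeholder remote code execution",
         "dateAdded": "2024-09-01", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-09-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2099-0003", "vendorProject": "ExampleVendor",
         "product": "Example Webmail",
         "vulnerabilityName": "Placeholder path traversal",
         "dateAdded": "2024-08-20", "shortDescription": "Placeholder entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-09-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: hostnames and CVE lists are placeholders. CVE-2099-9999 is
# deliberately absent from the catalog to show that non-KEV findings are not ranked here.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "internet_facing": True, "cves": ["CVE-2099-0001", "CVE-2099-9999"]},
    {"host": "intranet-wiki", "internet_facing": False, "cves": ["CVE-2099-0002"]},
    {"host": "webmail-02", "internet_facing": True, "cves": ["CVE-2099-0003", "CVE-2099-0002"]},
]


def load_kev(feed_json):
    """Index a KEV-shaped JSON document by CVE ID."""
    catalog = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Return KEV findings ordered: past due date first, then internet-facing hosts,
    then entries tied to ransomware campaigns, then earliest due date.

    `today` may be a datetime.date or an ISO date string such as "2024-09-15".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave to the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "due": due.isoformat(),
                "days_overdue": (today - due).days,  # negative means still within the window
                "internet_facing": bool(asset["internet_facing"]),
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (f["days_overdue"] <= 0,
                                 not f["internet_facing"],
                                 not f["ransomware_use"],
                                 f["due"]))
    return findings


def overdue_count(findings):
    """Number of findings already past the catalog due date."""
    return sum(1 for f in findings if f["days_overdue"] > 0)


if __name__ == "__main__":
    ranked = prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2024-09-15")
    print(f"{overdue_count(ranked)} of {len(ranked)} KEV findings are past due")
    for f in ranked:
        flag = "OVERDUE" if f["days_overdue"] > 0 else "due " + f["due"]
        print(f"{f['host']:<14} {f['cve']:<14} {f['product']:<22} {flag}")
```

To use it against real data, replace SAMPLE_KEV_JSON with the downloaded KEV catalog and SAMPLE_INVENTORY with the output of your vulnerability scanner; the ranking deliberately puts an overdue, internet-facing entry ahead of a newer one on an internal host, which is the ordering the advisory’s emphasis on externally facing services implies.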
For more resources on protecting critical infrastructure from cyberattacks, check out our Focus on Converged Attacks series.