Beware Telebots, Voodoo Bear, Iron Viking, & Hades!
In 2017 the NotPetya malware brought many parts of the world to a standstill. In a number of ways, it was the worst cyber-attack in history – forcing 100s of companies offline, permanently wiping data, & costing billions.
That Russians were responsible for these attacks has always been a ‘forgone conclusion’ for many experts, but this is the 1st time that the US has ‘formally’ made the accusation.
Now, 3 years on, the US Govt. is pointing fingers. The US Dept. of Justice (DOJ) charged 6 Russian nationals in connection to the attack, a subsequent 2018 attack on the Winter Olympic Games, the 2015 & 2016 blackouts in Ukraine, targeting the 2017 French election & many other attacks.
In the indictment, returned by a Federal Grand Jury in Pittsburgh, PA, 6 hackers, all connected to Unit 74455, aka Sandworm, of Russian’s Main Intelligence Directorate, the GRU, were charged. In some security agencies, the group is also referred to as Telebots, Voodoo Bear, Iron Viking, & Hades.
In addition to NotPetya, the indicted were behind destructive malware including BlackEnergy, Industroyer, KillDisk, & Olympic Destroyer, the DOJ said Mon.
This indictment is yet another public denouncement of Russia’s hacking.
“No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages & to satisfy fits of spite,” Assistant Attorney General for National Security John C. Demers commented during a press conference,
“Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.”
The CIA attributed the attack to Russia “with high confidence” in classified reports in Nov. 2017, but that is largely where it stopped as far as the US Govt. is concerned.
As WIRED’s Andy Greenberg, who authored a book on the Sandworm Group in 2019, noted on Twitter, this sort of accountability – publicly naming the men, even though it’s highly unlikely they’ll ever see the inside of a court room has ‘long been lacking’ from the US, at least when it comes to Russia.
The US Govt. has gone on record blaming hackers from China for targeting US firms involved in Coronavirus research, for hacking Equifax & Marriott Startwood hotels.
The prosecutors associated 7 incidents with Sandworm:
- Attacks against Ukraine’s electric power grid (BlackEnergy, Industroyer, & KillDisk)
- Spear-phishing campaigns targeting French President Macron’s “La République En Marche!” (En Marche!) political party
- The NotPetya attacks
- Attacks implicating the PyeongChang Winter Olympics, including attacks against S. Korean citizens & officials, Olympic athletes, partners, & visitors, & International Olympic Committee (IOC) officials
- Attacks against the systems & infrastructure that supported the games (Olympic Destroyer)
- Spear-phishing campaigns targeting investigations around the nerve agent poisoning of Sergei Skripal, a former Russian military intelligence officer, his daughter, & several others, incl. a fatality.
- Spear phishing campaign targeting companies & Govt. bodes in Georgia.
NotPetya, hit 100s of mission-critical computer systems, e.g. Heritage Valley Health Systems – a Pennsylvania healthcare system, offline for a week, leaving patient lists, histories, physical examination files, & lab records unobtainable.
It also affected the law firm DLA Piper, construction company Saint-Gobain, Russian oil company Rosneft, pharmaceutical company Merck & Co, the shipping company Maersk, & the food company Mondelez.
Russian Military Intelligence
The DOJ broke down what each Russian military intelligence officer actually did. One, Pavel Valeryevich Frolov for example, only developed NotPetya & KillDisk, another Sergey Vladimirovich Detistov developed NotPetya, but also prepared spear-phishing campaigns around the Winter Olympic Games.
The same day the Guardian reported, citing intelligence from UK’s National Cyber Security Centre (NCSC), that Russian military intelligence services were planning a cyber-attack against the Olympics in Tokyo this past summer as well, indicating the country still sought to disrupt the Olympics after it was banned several years ago.