The alleged cyberattackers hacked into software using destructive malware to black out thousands of computers and cause nearly $1 billion in losses, and were intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize worldwide computer networks, the Justice Department said.
The alleged hackers are officers of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. Monday’s charges allege some of the most consequential political attacks levied by the Kremlin since its efforts to interfere in the 2016 US presidential election, including the hacking of Democratic Party email accounts.
The United States District Court for the Western District of Pennsylvania issued a federal arrest warrant for each of these defendants upon the grand jury’s return of the indictment.
“The defendants’ and their co-conspirators caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United States,” prosecutors said.
They are all charged in seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.
One of the pieces of malware developed by the hackers took down the medical systems of Heritage Valley in Pennsylvania, prosecutors said.
From November 2015 to October 2019, “their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics,” prosecutors said.
The NotPetya malware, for example, spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses. Those losses were only part of the harm, however. For example, the NotPetya malware impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of Pennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities.
The attack caused the unavailability of patient lists, patient history, physical examination files, and laboratory records. Heritage Valley lost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and administrative computer systems for almost one month, thereby causing a threat to public health and safety.
Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32, face a maximum sentence of 27 years in prison for wire fraud.
They are wanted and assumed to be in Russia.
Prosecutors said Kovalev allegedly developed “spearphishing techniques and messages” to target: En Marche! officials; employees of the DSTL; members of the IOC and Olympic athletes; and employees of a Georgian media entity.”
“The victims who suffered real harm, as a result of these crimes are often ordinary citizens and businesses around the world,” US Attorney Scott W. Brady said at a Monday news conference.
The malware attacks disrupted the supply of electricity to more than 225,000 Ukrainian customers during the cold winter months of December 2015, according to the indictment.
When Ukraine was preparing their end of year pension payments, as well as the following year’s budget, there was a destructive malware attack against Ukraine’s Ministry of Finance and their state security service. During this attack, the conspirators used an updated version of KillDisk malware in December 2016, that caused the network to go down and prevented the execution of approximately 150,000 electronic payment transactions, according to the indictment.
Secretary of State Mike Pompeo said Monday that the charges “highlight once again Russia’s continuing disruptive, destructive, and destabilizing activities in cyberspace.”
“We call on Russia to put an end to its irresponsible behavior. Furthermore, we call upon all states that wish to see greater stability in cyberspace to join us in helping bring the actors charged today to justice,” he said in a statement.
The new indictments were the latest attempt by the US to crack down on the Russian intelligence agency known as the GRU, which was responsible for interfering in the 2016 election. GRU hackers stole tens of thousands of emails from top Democrats and weaponized material through WikiLeaks releases during the 2016 campaign, helping Donald Trump and weakening Democratic nominee Hillary Clinton.
Kovalev and 11 other GRU operatives were charged in 2018 with conspiring to hack the Democratic National Committee and Clinton’s campaign chairman. The charges were brought by special counsel Robert Mueller, whose investigation provided the most detailed account of how GRU hackers aggressively went after Western targets.
Kovalev has yet to face a judge in Washington, DC, for the outstanding charges.
“For this type of activity, they might be safe now. In the future, they’re gonna have to be looking over their shoulders,” said FBI Deputy Director David Bowdich.
This story has been updated with additional developments Monday.
CNN’s Jennifer Hansler contributed to this report.