U.S. Charges Russian Intelligence Officers for NotPetya, Industroyer Attacks

The U.S. Department of Justice on Monday announced charges against six Russian intelligence officers for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

They have all been charged with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

The men are said to be members of Russia’s GRU military intelligence agency, which has long been known to conduct hacking operations on behalf of Moscow. Specifically, the suspects are said to be part of a group named Sandworm, which is also known as Telebots, Iron Viking and Voodoo Bear.

Sandworm is believed to be behind many high-profile attacks launched over the past years. The indictment against the Russian intelligence officers mentions attacks on Ukraine, including the destructive attacks aimed at the country’s power grid in 2015 and 2016 using the malware families known as BlackEnergy and Industroyer.

The group has also been linked to the NotPetya attack, which involved a wiper disguised as ransomware and which cost many companies millions of dollars. This attack was attributed to Russia by several governments in 2018.

The indictment also mentions the operation targeting elections in France in 2017, which involved data leaks. The hackers are also said to have targeted the PyeongChang Winter Olympics with the Olympic Destroyer malware, as well as Georgian companies and government organizations. For the attacks on Georgia, the US and the UK officially blamed Russia earlier this year.

John Hultquist, senior director of analysis at FireEye’s Mandiant Threat Intelligence, pointed out that while it’s not mentioned in the indictment, Sandworm was also involved in operations aimed at the 2016 presidential elections in the United States.

“This actor’s involvement in election interference in France is especially important as we near the end of elections in the US. One possible scenario we are anticipating is a very late game hack and leak operation, such as the one that was carried out in France. This incident is a reminder that dramatic late game operations are possible in the eleventh hour. Additionally, leaked information included fabricated materials, a reminder that actors may mix legitimate, stolen materials with items they have fabricated themselves,” Hultquist told SecurityWeek.

The Justice Department claims the defendants were involved in developing malware and malware components, preparing and conducting spear-phishing campaigns, and conducting reconnaissance.

The suspects are all at large and have been added by the FBI to its Cyber’s Most Wanted list. If convicted, they could be sentenced to lengthy prison terms.

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

U.S. authorities have credited several companies in the private sector for their assistance in the Sandworm investigation, including Google, Cisco Talos, Facebook and Twitter.

Related: U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

Related: 12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
