Six officers from the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the general staff of the armed forces, have been charged in connection with worldwide hacking attacks, including the NotPetya ransomware offence that penetrated Maersk's IT systems in June 2017.
On 15 October, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of Russia and officers in Unit 74455 of the GRU, said the US Justice Department in its statement.
The computer hackers used some of the world’s most destructive malware to date, according to the US Justice Department, including NotPetya that cost Maersk in the region of US$300 million in lost revenues.
As a result of the cyber hack, cargo was left on quaysides, booking services were disrupted, Maersk's terminal operator APM Terminals shut down several ports, including its facility in Rotterdam, while empty containers needed repositioning.
“The cyber attack made it necessary to invest in chartered tonnage to bring fluidity to the network. There were bottlenecks in certain areas so we had to hire extra capacity to help with the movement of cargo,” explained Maersk's Vincent Clerc some months after the attack. “These were “short-term charters through the course of the [third] quarter and we are still using some of that tonnage to re-position empties, but they are gradually being phased out,” Clerc added.
It was suggested at the time that the NotPetya attack was similar to an earlier Petya attack which hit the UK health service, the National Health Service (NHS), and one ethical hacker said that a Microsoft patch created for the Petya attack would have prevented the NotPetya virus from infiltrating Maersk's systems.
At the time Clerc rejected this view, saying the NotPetya bug was “a day-zero virus” so the means to control it were developed as the attack was taking place, and he maintained that all the patches from Microsoft were in place.
Though he went on to say, that the NotPetya attack had caught the company with “certain parts of the estate not sufficiently protected”, adding that parts of the system, such as Damco, were “heavily impacted” by the attack because it sells itself through having high visibility and being open to customers, which meant it was more open to the effects.
The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
Justice Department officials said these GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to destabilise Ukraine and Georgia, undermine elections in France, hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil and retaliate against the ban of the Russian flag in 2018 PyeongChang Winter Olympic Games.
"No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite," said assistant attorney general for national security, John C. Demers.
According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorised access to victims' computers.
As alleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilising computer intrusions and attacks:
- Ukrainian Government & Critical Infrastructure
- French Elections
- Worldwide Businesses and Critical Infrastructure (NotPetya)
- PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees:
- PyeongChang Winter Olympics IT Systems (Olympic Destroyer)
- Novichok Poisoning Investigations
- Georgian Companies and Government Entities
"The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are," added Federal Βureau οf Ιnνestigatiοn (FBI) deputy director, David Bowdich.
Six men aged between 27 and 35, have been placed on the FBI’s wanted list following the announcement of the US Justice Department.
The six accused hackers are all allegedly members of Unit 74455, a cyber hacking division of Russia’s intelligence services which goes a number of other names including Sandworm, BlackEnergy Group and Voodoo Bear, according to a statement by the US customs.
They are all charged with seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Each defendant is charged with every count. The charges contained in the indictment are merely accusations, however, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt.
The indictment accuses each defendant of committing the following overt acts in furtherance of the charged crimes:
|Defendant||Summary of Overt Acts|
|Yuriy Sergeyevich Andrienko|
|Sergey Vladimirovich Detistov|
|Pavel Valeryevich Frolov|
|Anatoliy Sergeyevich Kovalev|
- En Marche! officials
- employees of the DSTL
- members of the IOC and Olympic athletes
- employees of a Georgian media entity
|Artem Valeryevich Ochichenko|
|Petr Nikolayevich Pliskin|
The defendants and their co-conspirators caused damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the US, noted the Justice Department.