Grand Jury Indictment of GRU Officers for Conspiracy, Fraud, Identity Theft, Aiding and Abetting

Source: Justice.gov
Type: court-document

Source Text

Excerpt only. The full source text is too long to reproduce here:

INDICTMENT

COUNT ONE
(Conspiracy to Commit an Offense Against the United States)

The grand jury charges:

  1. At all times relevant to the indictment, from at least in and around November 2015 through in and around October 2019, the Russian Federation (“Russia”) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff of the Armed Forces (“GRU”). The GRU was headquartered in Moscow, Russia, and was comprised of multiple units, including Military Unit 74455, which was also known within the GRU as the “Main Center for Special Technologies” (also known as “GTsST”) and by cybersecurity researchers as Sandworm Team, Telebots, Voodoo Bear, and Iron Viking. Military Unit 74455 was primarily located at 22 Kirova Street, Khimki, Moscow, Russia, a building referred to within the GRU as “the Tower.”
  2. Defendants YURIY SERGEYEVICH ANDRIENKO (Юрий Сергеевич Андриенко), SERGEY VLADIMIROVICH DETISTOV (Сергей Владимирович Детистов), PAVEL VALERYEVICH FROLOV (Павел Валерьевич Фролов), ANATOLIY SERGEYEVICH KOVALEV (Анатолий Сергеевич Ковалев), ARTEM VALERYEVICH OCHICHENKO (Артем Валерьевич Очиченко), and PETR NIKOLAYEVICH PLISKIN (Петр Николаевич Плискин) were GRU officers working for Military Unit 74455 who knowingly and intentionally conspired with each other and with persons known and unknown to the grand jury (collectively, the “Conspirators”) to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers. This included cyber-enabled malicious actions aimed at supporting broader Russian government efforts, regardless of the consequences to innocent parties and critical infrastructure worldwide, to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) the country of Georgia; (3) France’s elections; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil; and (5) the 2018 Winter Olympics after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.

THE VICTIMS
3. Among the victims targeted by Military Unit 74455 were thousands of U.S. and international corporations, organizations, and political campaigns and parties; foreign governments; entities and corporations associated with the 2018 Winter Olympic Games; and their respective employees. The victims included:
a. Ukraine, through the Conspirators’ deployment in and around December 2015 and December 2016 of destructive “BlackEnergy,” “KillDisk,” and “Industroyer” malware against companies supporting Ukraine’s electric power grid and against Ukraine’s Ministry of Finance and State Treasury Service;
b. France, through spearphishing campaigns in and around April and May 2017 targeting local government entities, political parties, and campaigns, including now-French President Emmanuel Macron’s “La Republique En Marche!” political party in connection with Macron’s 2017 presidential campaign;
c. Hundreds of worldwide victims of the “NotPetya” malware attacks in and around June 2017, including: (1) civilian critical infrastructure, such as the Heritage Valley Health System, located in Sewickley, Pennsylvania, and Beaver, Pennsylvania, in the Western District of Pennsylvania, which had approximately 80 affected medical facilities; (2) a FedEx Corporation subsidiary, TNT Express B.V., which was one of the world’s largest express delivery companies; and (3) a large U.S. pharmaceutical manufacturer, which together had nearly $1 billion in losses resulting from the attacks;
d. International victims associated with the 2018 Winter Olympic Games, including: (1) Olympic partners and athletes, Republic of Korea (also known as South Korea) government agencies, and the International Olympic Committee (“IOC”), which the Conspirators targeted through spearphishing campaigns from in and around December 2017 until in and around February 2018; (2) South Korean nationals and international visitors to South Korea, whom the Conspirators targeted with malicious mobile applications in and around December 2017 and January 2018; and (3) the 2018 Winter Olympic Games more generally, through the deployment of destructive “Olympic Destroyer” malware against computer systems used by the Olympic Games’ information technology vendor and the PyeongChang Organizing Committee for the 2018 Olympic & Paralympic Winter Games (“PyeongChang Organizing Committee”) in and around February 2018;
e. International and government organizations investigating the poisoning of a former GRU officer and his daughter in the United Kingdom, through, among other conduct, a spearphishing campaign in and around April 2018 targeting the Organisation for the Prohibition of Chemical Weapons (“OPCW”) and the United Kingdom’s Defence Science and Technology Laboratory (“DSTL”); and
f. The country of Georgia and Georgian non-government organizations and private companies, including through a spearphishing campaign in and around January 2018 targeting a Georgian media outlet and a cyber attack in and around October 2019 that defaced approximately 15,000 websites and disrupted service to some of these websites.

THE DEFENDANTS
4. Defendant YURIY SERGEYEVICH ANDRIENKO was a Russian military intelligence officer assigned to Military Unit 74455. ANDRIENKO, together with PAVEL VALERYEVICH FROLOV, SERGEY VLADIMIROVICH DETISTOV, and PETR NIKOLAYEVICH PLISKIN, developed components of the NotPetya malware. ANDRIENKO, together with PLISKIN, also developed components of the Olympic Destroyer malware.
5. Defendant SERGEY VLADIMIROVICH DETISTOV was a Russian military intelligence officer assigned to Military Unit 74455. During his tenure with the unit, DETISTOV held the position of captain. DETISTOV developed components of the NotPetya malware and prepared infrastructure for a spearphishing campaign targeting the 2018 Winter Olympics.
6. Defendant PAVEL VALERYEVICH FROLOV was a Russian military intelligence officer assigned to Military Unit 74455. FROLOV developed components of the NotPetya malware and the malware that the Conspirators used against Ukraine’s Ministry of Finance and State Treasury Service.
7. Defendant ANATOLIY SERGEYEVICH KOVALEV was a Russian military intelligence officer assigned to Military Unit 74455. KOVALEV sent spearphishing emails targeting a wide variety of entities and individuals, including those associated with French local government entities, political parties, and campaigns; the 2018 Winter Olympics; the DSTL; and a Georgian media entity. KOVALEV also engaged in spearphishing campaigns for apparent personal profit, including campaigns targeting large Russian real estate companies, auto dealers, and cryptocurrency miners, as well as cryptocurrency exchanges located outside of Russia. KOVALEV is a charged defendant in federal indictment number 18-CR-215 in the District of Columbia.
8. Defendant ARTEM VALERYEVICH OCHICHENKO served as a Russian military intelligence officer in Military Unit 74455. OCHICHENKO developed malicious email attachments and sent spearphishing emails containing those attachments to individuals working for the 2018 Winter Olympics’ official timekeeping partners and their subsidiaries. OCHICHENKO was also involved in the Conspirators’ targeting of the Georgian government and other Georgian entities in 2019.
9. Defendant PETR NIKOLAYEVICH PLISKIN served as a Russian military intelligence officer in Military Unit 74455 from the beginning of the conspiracy until in and around June 2018. During his tenure with the unit, PLISKIN served in a supervisory role as a Development Team Lead/IT manager. PLISKIN developed components of the NotPetya and Olympic Destroyer malware. (Images of defendants ANDRIENKO, DETISTOV, FROLOV, KOVALEV, OCHICHENKO, and PLISKIN are attached as Exhibit A.)

OBJECT OF THE CONSPIRACY
10. The object of the conspiracy was to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access (“hacking”) of victim computers.

MANNER AND MEANS OF THE CONSPIRACY
11. In furtherance of the conspiracy, ANDRIENKO, DETISTOV, FROLOV, KOVALEV, OCHICHENKO, PLISKIN, and others known and unknown to the grand jury procured, maintained, and utilized servers, email accounts, malicious mobile applications, and related hacking infrastructure to engage in spearphishing campaigns and other network intrusion methods against computers used by the victims. Also in furtherance of the conspiracy, ANDRIENKO, DETISTOV, FROLOV, and PLISKIN developed and deployed destructive malware against victim entities around the world, including in the Western District of Pennsylvania.
12. In order to avoid detection by law enforcement, security researchers, and victims, and to mask their GRU affiliation and location in Russia, the Conspirators used a variety of fictitious names and personas, as well as online infrastructure (including servers, domains, cryptocurrency, email accounts, social media accounts, and other online services) provided by companies in the United States and elsewhere. The Conspirators used this infrastructure for a wide range of conduct in furtherance of the conspiracy, including to: (1) communicate, research, and probe victim computer networks; (2) register malicious websites and domains with names mimicking legitimate ones; (3) send spearphishing emails; (4) store and distribute additional malware; (5) manage malware; (6) transfer stolen data; and (7) negatively influence the public perception of some of the victims. The Conspirators reused some of the same infrastructure to target multiple victim organizations and individuals.
13. To further mask their identities and conduct and to facilitate the purchase and leasing of infrastructure (such as servers and domain names) used in their hacking activity, the Conspirators paid for infrastructure using cryptocurrencies, such as bitcoin, and often leased infrastructure from resellers rather than leasing infrastructure directly from hosting companies. The Conspirators also used numerous operational accounts in fictitious names to purchase and lease infrastructure.
14. The Conspirators registered domain names and created URLs for use in their hacking activities that were designed to mimic or “spoof” those of legitimate websites that victims were familiar with, including email login pages, online file sharing and storage websites, and password reset pages. Examples include msrole.com/office_conf (which mimicked a website belonging to Microsoft) and jeojang.ga (with respect to which the Conspirators created the subdomain mafra.go.kr.jeojang.ga, which mimicked a website belonging to the Korean Ministry of Agriculture, Food, and Rural Affairs). The Conspirators used each of these domain names in connection with spearphishing campaigns targeting entities and individuals associated with the 2018 Winter Olympics.
15. The Conspirators typically initiated their hacking activities by researching the victim organizations, including their computer networks and employees. This research provided technical and biographical information that the Conspirators could exploit in subsequent intrusion activities (e.g., spearphishing campaigns).
16. The Conspirators crafted their spearphishing emails to trick unwitting recipients into giving the Conspirators access to their computers or account credentials (e.g., usernames and passwords). The Conspirators crafted these emails to resemble emails from trustworthy senders, such as email providers or colleagues, and encouraged the recipients to click on hyperlinks in the messages. Other spearphishing emails crafted by the Conspirators attached documents containing malware that, when opened and executed by the victims, infected victims’ computers.
17. The Conspirators used malware and hacking tools such as “BlackEnergy,” “Industroyer,” “KillDisk,” “NotPetya,” and “Olympic Destroyer” to hack into victim computers and networks, maintain command and control over such computers and networks, steal network credentials, obtain access to sensitive and private data, and render such computers and networks inoperable. To craft their malware, the Conspirators customized publicly available malware and hacking tools, and, in some instances, purposefully attempted to mimic the malware of other hacking groups, including the Lazarus Group, a state-sponsored hacking team in the Democratic People’s Republic of Korea (which is also known as North Korea), as part of a “false flag” operation. The Conspirators also created certain malware components from scratch, including components enabling the Conspirators to conduct the destructive portions of their attacks.
18. After hacking into victim computers, the Conspirators performed a variety of functions designed to identify, collect, package, and view targeted data on victims’ computers, including stealing credentials that allowed the Conspirators to move laterally and exponentially throughout victims’ computer networks. The Conspirators also overwrote files and erased data from victim computers.
19. In addition, both during and after operational activity, the Conspirators made efforts to cover their tracks by deleting information from their operational accounts and deleting data on servers they controlled or had compromised.
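Paragraph 14 above gives two concrete spoofing patterns: a legitimate domain name (mafra.go.kr) nested as a subdomain under a domain the Conspirators controlled (jeojang.ga), and a brand-like path on an unrelated domain (msrole.com/office_conf). The Python below is an added example for defenders, not part of the indictment or any Justice Department material. It computes the registrable (owner-controlled) domain from a hand-written public-suffix table and flags a URL when a trusted domain appears only as a prefix of the hostname, or when a brand keyword appears under an untrusted registrable domain. The allowlist, keyword list and suffix table are constructed assumptions for the example; a real deployment would use the organisation's own allowlist and the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the organisation's users legitimately visit.
# The entries reflect the two brands named in paragraph 14 (Microsoft and the
# Korean Ministry of Agriculture); a real deployment maintains its own list.
TRUSTED_DOMAINS = {"mafra.go.kr", "microsoft.com", "office.com"}

# Brand words that should only appear under a trusted registrable domain.
# Constructed for this example.
BRAND_KEYWORDS = ("office", "microsoft", "mafra")

# Deliberately tiny public-suffix table (an assumption for this example);
# production code should load the Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "ga", "kr", "go.kr"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of `host`: the longest public suffix
    present in the table plus the single label to its left.

    mafra.go.kr.jeojang.ga -> jeojang.ga   (suffix 'ga', one label left)
    mafra.go.kr            -> mafra.go.kr  (suffix 'go.kr', one label left)
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # i == 0 means the host *is* a public suffix; return it unchanged.
            return suffix if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'suspicious' or 'unknown'.

    A URL is suspicious when a trusted domain appears as a prefix of the
    hostname's labels rather than as its registrable domain, or when a brand
    keyword is used in the host or path of an untrusted registrable domain.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit only fills hostname when a scheme is present
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if reg in TRUSTED_DOMAINS:
        return {"host": host, "registrable": reg, "verdict": "trusted",
                "findings": findings}

    # Pattern 1: trusted domain nested under an untrusted one. Whoever controls
    # jeojang.ga controls mafra.go.kr.jeojang.ga, whatever the prefix says.
    for trusted in sorted(TRUSTED_DOMAINS):
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            findings.append(f"trusted domain {trusted!r} nested under untrusted {reg!r}")

    # Pattern 2: brand keyword in the host or path, e.g. msrole.com/office_conf.
    haystack = host.replace(".", "") + " " + parts.path.lower()
    for kw in BRAND_KEYWORDS:
        if kw in haystack:
            findings.append(f"brand keyword {kw!r} used under untrusted {reg!r}")

    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict,
            "findings": findings}


if __name__ == "__main__":
    # The two spoofed names quoted in paragraph 14, plus the genuine domain.
    for sample in ("https://mafra.go.kr.jeojang.ga/login",
                   "http://msrole.com/office_conf",
                   "https://mafra.go.kr/"):
        print(classify_url(sample))
```

The check deliberately reasons from the right-hand end of the hostname, because that is the only part a domain registrant actually controls; anything to the left of the registrable domain is free text the attacker chooses, which is why the ministry's real name could be placed in front of jeojang.ga.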

Events Citing This Source

Event | Date | Category
Access Hollywood and WikiLeaks | Oct 2016 | Foreign Interference & Disinformation

People Mentioned

Person | Role
Donald Trump | 45th and 47th President of the United States
Roger Stone | Longtime Trump political advisor; convicted of obstruction and witness tampering, sentence commuted then pardoned

Institutions Mentioned

Institution | Description
DOJ | United States Department of Justice
GRU | Main Intelligence Directorate of the Russian Armed Forces; hacked DNC and DCCC servers in 2016
WikiLeaks | Organization that published hacked DNC and Podesta emails obtained by Russian GRU hackers during the 2016 election