Russian GRU officers charged with “laundry list” of cyberattacks – but arrests unlikely

By Lucy Ingham

The US Department of Justice (DoJ) has announced that it has charged six Russian officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU) with a host of cyberattacks targeting countries and organisations across the world.

These include attacks against the Ukrainian Government and critical infrastructure; French politicians in the run-up to the 2017 French elections; the organisations investigating the Novichok poisoning in the UK; the hosts, participants and attendees of the PyeongChang Winter Olympics; and key media and the government of Georgia.

The DoJ has also charged the six with perpetrating the NotPetya malware attacks, which in 2017 crippled businesses and critical infrastructure around the world, hospitals among them. Three companies alone impacted by NotPetya saw combined losses of just below $1bn.

Together, the GRU officers accused of the cyberattacks are believed to operate as the group known as Sandworm, a threat group backed by and working on behalf of the Russian state.

“Today’s indictments of GRU officers read like a laundry list of many of the most important cyberattack incidents we have ever witnessed,” said John Hultquist, senior director of analysis at Mandiant Threat Intelligence.

“Sandworm has been involved in many of the most aggressive cyberattacks and information operations ever seen, including repeated successful attacks on the Ukrainian grid, the economically devastating NotPetya fake ransomware attacks, the hack and leak operation targeting the 2017 French Elections, and the attack on the PyeongChang Olympic Games.

“Incidentally, though it is not covered in this indictment, Sandworm was also involved in 2016 US election interference, managing the leak portion of the hack and leak operations as well as carrying out intrusions into election infrastructure.”

Charges of GRU cyberattacks welcomed, but DoJ justice “highly unlikely”

While the DoJ’s charges against the GRU officers are considered a welcome sign, shining a light on the severity and breadth of the cyberattacks, experts do not expect them to translate into a court case.

“The Sandworm hacking group has been laying a path of cyber destruction around the world for years, including the devastating NotPetya ransomware attack in 2017 and many attempts to hack various Olympic games,” said Sam Curry, chief security officer at Cybereason.

“While today’s DOJ indictments are a great first step, it is highly unlikely these alleged criminals will ever face justice in a US courtroom.

“While no court can extradite or try the accused here, these charges will limit freedom of movement and travel in various parts of the world.”

However, while the most these perpetrators are likely to face is having their global movement options limited, the DoJ’s accusations against the GRU officers are indicative of changing attitudes towards state-sponsored cyberattacks.

“Either a dramatic change in the US or Russian regimes might change the status quo, but it’s important to call out criminals and to set the groundwork for future diplomats, trade, foreign policy, and justice to finish the work,” said Curry.

“Finding a new geopolitical cyber norm is a multi-year and possibly multi-generational goal. It’s hard to believe that this behavior will lead to meaningful changes in Russian foreign policy, just as it hasn’t with APT 10 and Chinese foreign policy; but the goal isn’t just bringing the perpetrators to justice.

“The goal is to lay the building blocks for future work and a more peaceful, democratic, collaborative physical and cyber world one day.”
