Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

US Broadens Indictments Against Russian Intelligence Hackers

Justice Department Adds Russian Intelligence Officers to Ukraine Hacking Indictment
Uniform badge of the Russian Main Intelligence Directorate (Image: Shutterstock)

The United States expanded an indictment against Russian intelligence hackers for attacking Ukraine as officials warned Thursday of ongoing malware attacks against Ukrainian government and civilian networks.


A superseding indictment unsealed Thursday adds five Russian nationals to an indictment unsealed in June that charges Amin Timovich Stigal with conspiracy to hack into and destroy computer systems and data (see: Russian Indicted for Wiper Malware Campaign Against Ukraine).

Newly added to the roster of charged Russian Main Intelligence Directorate hackers are Yuriy Denisov, a colonel in the Russian military, and four Russian military lieutenants: Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov and Nikolay Korchagin. The superseding indictment adds a charge of conspiracy to commit wire fraud. The U.S. offered up to $10 million for information on each of the defendants.

The defendants allegedly form part of Unit 29155 of the GRU's 161st Specialist Training Center - responsible for "espionage, sabotage and reputational harm," a separate federal advisory on Thursday warns. Prosecutors say Denisov is the Unit 29155 commanding officer.

The defendants allegedly deployed WhisperGate malware against Ukrainian victim organizations as early as January 2022. WhisperGate is one of more than a dozen different types of wiper malware deployed during the ongoing war. The weeks leading up to Russia's February 2022 invasion of Ukraine and the months after it were an intense period of wiper attacks. Security experts said Russia eventually appeared to have burned through its arsenal, potentially because Moscow's military planners anticipated a quick victory - although destructive cyberattacks remain a threat (see: Ukrainian Energy Sector Under Cyber Siege by Russian Hackers).

Analysts say Unit 29155 is distinct from other, well-known elements of the GRU, including Unit 74455 - popularly known as Sandworm - and Unit 26165, also known as APT 28, Forest Blizzard and Fancy Bear.

Unit 29155 is "responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe," the federal advisory says. It expanded into cyberattacks in 2020 or earlier, using hacking to conduct espionage, hack and leak sensitive information and conduct sabotage by remotely wiping systems. Although its focus since the Kremlin's initiation of a war of conquest against Ukraine has been its European neighbor, other victims have included members of NATO as well as targets in North America, Latin America and Central Asia.

The FBI said it observed more than 14,000 instances of domain scanning across at least 26 NATO members and warned the Russian hacking group was "known to target critical infrastructure and key resource sectors."

The superseding indictment describes the Russian military unit's cyber operations as "large-scale" intrusions targeting Ukrainian computer systems prior to the Russian invasion. The unit eventually gained access to protected computers, including systems associated with the transportation sector in a central European country.

The indictment says the defendants "hacked the computers of dozens of Ukrainian government entities" and attempted to destroy those computers in the month leading up to the full-scale Russian invasion. Prosecutors allege the purpose of the attack was in part to sow concern across Ukraine about the safety of its government's computer systems, as well as individuals' own personal data, ahead of the invasion.

The unsealed indictment comes a day after U.S. authorities seized internet domains and announced sanctions against Russian operatives over attempts to influence the upcoming presidential election (see: US Targets Russian Media and Hackers Over Election Meddling). A senior FBI official told reporters Thursday that recent actions against Russian-linked media and intelligence operatives underscore the Kremlin's persistent cyberthreat to the U.S. and the fact that it remains a major concern for federal authorities.

Recent U.S. sanctions targeting Russian cybercriminals include several members of the pro-Kremlin hacking group known as RaHDit, which is allegedly composed of active and former Russian intelligence officers.


About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.



