It has been reported that The US Department of Justice has unsealed today charges against six GRU officers believed to be members of Sandworm, one of today’s most advanced state-sponsored hacking groups. Their attacks span the last decade and include some of the biggest cyber-attacks known to date, including trying to undermine UK efforts to hold Moscow accountable for the Salisbury spy poisoning. The charging announcement came as Britain accused Russian cyber spies of attacking the 2020 Olympics and Paralympics before they were postponed, and of posing as Chinese and North Korean hackers to target the 2018 games.
The breadth of targets and attack types shows that state-sponsored hacking groups are no longer just a threat to governments. Many organizations possess valuable data, such as about infrastructure, medicine and the economy, that a political adversary like Russia would use for malicious intent. Now that smartphones and tablets can access this type of data just as easily as a laptop or computer, groups like Sandworm are expanding their arsenal out to include phishing attacks, malicious mobile apps, and mobile vulnerability exploitation. For example, stealing research data from a pharmaceutical institution that is leading the search for a COVID-19 vaccine could give Russian-based drug developers enough of a leg up to beat a US-based company to the end goal. We’ve seen other groups such as North Korea’s Lazarus Group, carry out many targeted attacks against financial institutions in particular.
Groups like this use tactics, such as spear phishing, that are just as likely to reach targets on both computers, smartphones, or tablets. They know that the likelihood of a successful phishing attack increases dramatically if the target receives it on a mobile device. They can phish login credentials from particular users that would allow them to get into the corporate infrastructure, then move laterally around the infrastructure for surveillance purposes or to exfiltrate valuable data. Mobile users are accustomed to downloading helpful apps in unfamiliar situations.
In the case of something like a large event, attackers will use social engineering to convince targets to download a malicious app under the guise of it being helpful to the mobile user. Sandworm used the PyeongChang Olympics as a platform to distribute mobile malware in the form of malicious apps. These apps can be used to spy on the device users, exfiltrate data on the device, and gain access to any other apps the user logs into on that device.
Reports by the UK and US governments that Russia\’s GRU was conducting reconnaissance to enable cyberattacks against the 2020 Summer Olympics is, unfortunately, no surprise. Sovereign powers have used espionage to further their agendas since there have been sovereign powers.
Unfortunately, this means that civilian, commercial, academic, and even non-profit organizations may find themselves the target of malicious State or State Sponsored attackers. Against these highly resourced and well funded attackers, organizations are left with little legal means to stop their attacker.
This means organizations need to deploy the Best In Breed security tools to protect their environments, including behavioral analytic tools that can quickly and accurately adapt to the novel attacks State level attackers are able to deploy.
Today’s indictments of GRU officers reads like a laundry list of many of the most important cyberattack incidents we have ever witnessed. Sandworm has been involved in many of the most aggressive cyberattacks and information operations ever seen, including repeated successful attacks on the Ukrainian grid, the economically devastating NotPetya fake ransomware attacks, the hack and leak operation targeting the 2017 French Elections, and the attack on the Pyeongchang Olympic Games. Incidentally, though it is not covered in this indictment, Sandworm was also involved in 2016 US election interference, managing the leak portion of the hack and leak operations as well as carrying out intrusions into election infrastructure.
Pyeongchang Olympic Attack
The attack on the Pyeongchang Olympics was the culmination of a lengthy effort to discredit and harass the Olympic community that began within hours of the decision to disqualify Russian athletes from the Games. Prior to the destructive attack, Sandworm and other elements of the GRU orchestrated DDoS attacks, hack and leak operations, and other operations in the wake of the decision, going so far as to physically travel to hack organizations up close.
The Pyeongchang Games were targeted with a destructive attack that was meant to bring operations to a halt, and it nearly succeeded. The attack was carried out with malware bearing many similarities to tools used by North Korea but ultimately ties to Sandworm were uncovered. Despite their efforts to throw off investigators, the group’s involvement was predicted before the games even began, and many investigators ultimately attributed the incident to Russia.
Despite the thin veneer of their ruse, Russia did succeed in creating a viable alternative explanation for the attack, affording them a measure of deniability. Furthermore, despite this attack on an international event they have avoided a backlash from the international community. It’s important that their role is finally being recognized, because Russia has thus far avoided even so much as an official accusation.
The importance of these events as elections loom can’t be understated. This was the actor who targeted the elections in 2016, and an attack on an international event of goodwill is not an act of contrition. If there was a false impression, that in the wake of the 2016 incident, Russian has exercised restraint, this incident is evidence to the contrary. This was an act of international harassment using a tool that we may well see again this U.S. Presidential election cycle.
MacronLeaks
This actor’s involvement in election interference in France is especially important as we near the end of elections in the US. One possible scenario we are anticipating is a very late game hack and leak operation, such as the one that was carried out in France. This incident is a reminder that dramatic late game operations are possible in the eleventh hour. Additionally, leaked information included fabricated materials, a reminder that actors may mix legitimate, stolen materials with items they have fabricated themselves.
The Sandworm hacking group has been laying a path of cyber destruction around the world for years, including the devastating NotPetya ransomware attack in 2017 and many attempts to hack various Olympic games. While today\’s DOJ indictments are a great first step, it is highly unlikely these alleged criminals will ever face justice in a U.S. courtroom. While no court can extradite or try the accused here, these charges will limit freedom of movement and travel in various parts of the world. Either a dramatic change in the US or Russian regimes might change the status quo, but it\’s important to call out criminals and to set the groundwork for future diplomats, trade, foreign policy, and justice to finish the work. Finding a new geopolitical cyber norm is a multi-year and possibly multi-generational goal. It\’s hard to believe that this behavior will lead to meaningful changes in Russian foreign policy, just as it hasn\’t with APT 10 and Chinese foreign policy; but the goal isn\’t just bringing the perpetrators to justice. The goal is to lay the building blocks for future work and a more peaceful, democratic, collaborative physical and cyber world one day.