This article is more than 1 year old
Feds offer big rewards for info on suspected Russian Sandworm intel officers
A different type of bug bounty
Uncle Sam will dole out up to $10 million for vital information on each of six Russian GRU officers linked to the Kremlin-backed Sandworm gang, who, according to the Feds, have plotted to carry out destructive cyber-attacks against American critical infrastructure.
It's hoped the money, offered via the US Department of State's Rewards for Justice program, will lead to the snaring of the following men said to be Russian intelligence officers: Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин).
According to the US government, these are all members of the GRU's Unit 74455, also known as Sandworm, and they "deployed destructive malware and took other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers," according to the State Department.
All six officers have been charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft offenses. And one of the six — Kovalev — was previously charged with meddling in the 2016 US elections.
Kovalev also developed spear-phishing techniques and messages that the Russian government used to target computer systems of critical infrastructure facilities worldwide, according to the State Department.
Meanwhile, Ochichenko conducted technical reconnaissance and helped carry out these spear phishing campaigns against critical infrastructure owners and operators, it is claimed.
In a separate report, the Sandworm crew were named by Microsoft as being part of a series of Russian-led attacks again Ukraine before, during, and after the invasion of the sovereign state.
Sandworm was responsible for deploying at least two types of disk-wiping malware, CaddyWiper and Industroyer2, Microsoft claimed with "moderate confidence." The gang was also said to be behind attacks against an Ukrainian ISP and other infrastructure agencies. Microsoft spotted "at least six separate Russia-aligned nation-state actors" going after Ukrainian targets in over 237 recorded events. Initially, both prior to the invasion and in the opening week, these attacks went after government systems though as the war bogged down, destructive attacks were launched against critical infrastructure operations and non-government targets.
"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages," warned Tom Burt, Microsoft's veep of customer security.
"Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression."
And the four other men — Pliskin, Detistov, Frolov, and Andrienko — allegedly developed components of the NotPetya malware that Moscow used in 2017 to infect computer systems of hospitals and critical infrastructure facilities worldwide. This outbreak cost US entities alone about $1 billion in financial losses, it is said.
- Five Eyes nations fear wave of Russian attacks against critical infrastructure
- Feds take down Kremlin-backed Cyclops Blink botnet
- Feds offer $5m reward for info on North Korean cyber crooks
- Cyclops Blink malware sets up shop in ASUS routers
Sandworm has been increasing its nefarious cyber activities since Russia invaded Ukraine. In early April the US Justice Department revealed details of a court-authorized take-down of command-and-control systems that the gang used to direct network devices infected by its Cyclops Blink malware. This botnet software nasty allows the systems to be remote controlled to carry out attacks on behalf of its masterminds — in this case, the GRU, a Russian military foreign intelligence outfit.
Additionally, Cyclops Blink, according to UK and US intel agencies, is Sandworm's replacement for VPNFilter, which it used to target routers and storage devices in 2018.
Just last week, all Five Eyes nations' cybersecurity agencies urged critical infrastructure to be ready for attacks by crews backed by or sympathetic to the Kremlin. This joint alert named Sandstorm as one of the state-sponsored gangs and provided technical details about the team and its activities. ®