Uncle Sam charges Russian GRU cyber-spies behind 'WhisperGate intrusions'
Feds post $10M bounty for each of the six's whereabouts
The US today charged five Russian military intelligence officers and one civilian for their alleged involvement with the data-wiping WhisperGate campaign conducted against Ukraine in January 2022 before the ground invasion began.
In conjunction with the indictments, the feds also offered a $10 million bounty for information on each of the six suspects' whereabouts, and, along with nine other countries, released a 36-page cybersecurity advisory about the Russians' alleged network intrusion efforts, which the government agencies claim have been ongoing since at least 2020.
None of the six named in the indictment are on American soil, so we're unlikely to see perp walks anytime soon, but FBI Special Agent in Charge William DelBagno pledged, "There are steps that are going to be taken … to bring this indictment to fruition."
Speaking at a press conference on Thursday, the FBI's Baltimore Field Office special agent said US cops have partnered with Interpol "to serve red notices and ensure that if they [the accused] are in a location that can be affected, that they will take those on."
According to an indictment [PDF], Vladislav Borovkov, Denis Denisenko, Yuriy Denisov, Dmitriy Goloshubov, and Nikolay Korchagin, all said to be officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), conspired with Russian citizen Amin Stigal and others to compromise dozens of Ukrainian government computers prior to the Russian ground invasion and then either wipe all of the data from — or outright destroy — these machines while making it look like a ransomware infection.
This cyberattack, which has since been dubbed WhisperGate, "could be considered the first shot of the war," DelBagno said.
After infecting computer systems across government agencies responsible for emergency services, food safety, education and other non-military targets, the GRU officers stole and leaked personal data belonging to thousands of Ukrainian citizens, "seeking to sap the morale of the Ukrainian public," US Assistant Attorney General for National Security Matthew Olsen told reporters.
The Kremlin-backed crew also "taunt[ed] those victims," and "attempted to cover their tracks by pretending to be criminals engaged in ransomware attacks, leaving behind ransom notes demanding Bitcoin payments to return data from victim systems, data the perpetrators knew had already been destroyed and could not be recovered," Olsen said.
According to the court documents, the GRU also targeted computer systems in the US and 25 other NATO countries that were providing support to Ukraine.
In conjunction with the indictment and $60 million total Rewards for Justice prize, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA), along with 15 other US agencies and international partners across the UK, Canada, Australia, Ukraine, the Netherlands, Czech Republic, Germany, Estonia and Latvia, issued a very detailed joint cybersecurity advisory about the GRU's Unit 29155 [PDF].
To date, the FBI has documented more than 14,000 instances of domain scanning across at least 26 NATO members and additional European Union countries, we're told.
The Moscow cyberspies use publicly available tools to scan for open internet ports and vulnerabilities. When they find vulnerable networks, Unit 29155 gets to work obtaining CVE exploit code from GitHub repositories to use against victim infrastructure, according to the advisory.
Some of the CVEs that the group has successfully exploited to gain initial access include CVE-2021-33044 and CVE-2021-33045 in Dahua security software, CVE-2022-26134 and CVE-2022-26138 in Atlassian Confluence Server and Data Center, and CVE-2022-3236 in Sophos' firewall.
Unit 29155 cyber snoops like to use VPNs to anonymize their activity.
It's also common for the crew, once they've scanned for and found vulnerable IoT devices, to use exploitation scripts to authenticate to IP cameras with default usernames and passwords. "Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext," the agencies warn.
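As an added illustration, not part of the article or of the agencies' advisory, here is a small defender-side detector run over constructed IP-camera web logs for the two behaviours described above: a login on a factory-default account followed shortly by a configuration dump, and cycling through default usernames. The log format, the `/login` and `/export/config` paths and the list of default usernames are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# <source ip> <ISO timestamp> <method> <path> <status> user=<name>
SAMPLE_LOG = """\
203.0.113.7 2024-09-05T10:00:01 POST /login 200 user=admin
203.0.113.7 2024-09-05T10:00:03 GET /export/config 200 user=admin
198.51.100.4 2024-09-05T10:05:00 POST /login 401 user=admin
198.51.100.4 2024-09-05T10:05:02 POST /login 401 user=root
192.0.2.9 2024-09-05T11:00:00 POST /login 200 user=operator
192.0.2.9 2024-09-05T11:00:09 GET /live/stream 200 user=operator
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")
DEFAULT_USERS = {"admin", "root", "service", "supervisor"}  # assumed factory accounts
CONFIG_PATHS = {"/export/config"}                            # assumed config-dump endpoint
WINDOW = timedelta(minutes=5)  # how soon after login a dump counts as suspicious

def parse(log_text):
    """Yield (ip, timestamp, method, path, status, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status, user = m.groups()
            yield ip, datetime.fromisoformat(ts), method, path, int(status), user

def detect(log_text):
    """Return a list of (ip, reason) alerts, in the order the evidence appears."""
    last_default_login = {}          # ip -> time of last successful default-account login
    failed_default_users = defaultdict(set)  # ip -> default usernames that failed
    alerts = []
    for ip, ts, method, path, status, user in parse(log_text):
        if method == "POST" and path == "/login" and user in DEFAULT_USERS:
            if status == 200:
                last_default_login[ip] = ts
            else:
                failed_default_users[ip].add(user)
                if len(failed_default_users[ip]) == 2:   # fire once per source
                    alerts.append((ip, "default-credential guessing"))
        elif path in CONFIG_PATHS and status == 200 and ip in last_default_login:
            if ts - last_default_login[ip] <= WINDOW:
                alerts.append((ip, "config dump after default-account login"))
    return alerts

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```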
As such, they've also provided a list of three things that network defenders should do ASAP to avoid becoming the Russians' next victim organization:
- Prioritize routine system updates and remediate known exploited vulnerabilities.
- Segment networks to prevent the spread of malicious activity.
- Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
"The six Russians in this indictment are not advanced cyber masterminds," DelBagno said, adding that they "are adept at exploiting vulnerabilities that countries and companies can guard against with simple steps."
Today's criminal charges and security alert follow yesterday's onslaught of actions taken by Uncle Sam to counter what the US says are Russia's attempts to influence the upcoming presidential election.
This included seizing 32 websites and charging two employees of a state-owned media outlet connected to a $10 million scheme to distribute pro-Kremlin propaganda. ®