The US is offering up to $10 million to identify or locate six Russian GRU hackers who are part of the notorious Sandworm hacker group.
This award is offered as part of the State Department's Rewards for Justice program, which pays for information leading to the identification or location of foreign government threat actors conducting malicious cyber operations against critical U.S. infrastructure.
The U.S. Department of State announced today that it is seeking information on six Russian officers with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) for their alleged role in malicious cyberattacks on critical U.S. infrastructure.
"GRU officials Yuri Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин) were members of a conspiracy that used destructive malware and other disruptive measures for Russia's strategic advantage by gaining unauthorized access to victims' computers," the State Department announced today.
In 2020, the Justice Department indicted all six for being part of Russia's elite hacking group Sandworm (aka Sandworm Team, Telebots, Voodoo Bear, and Iron Viking).
All six people were charged with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers and aggravated identity theft.
Hacking activities associated with the Sandworm group include:
- Destructive malware attacks on Ukraine’s power grid, Ministry of Finance and State Treasury using malware known as BlackEnergy, Industroyer and KillDisk;
- April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Emmanuel Macron's "La République En Marche!" (En Marche!) political party, French politicians, and local French governments ahead of the 2017 French elections;
- The June 2017 destructive malware attacks that infected computers worldwide with malware called NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in Pennsylvania's Western District; a subsidiary of FedEx Corporation, TNT Express BV; and a major US pharmaceutical maker, which collectively suffered nearly $1 billion in losses from the attacks;
- Spearphishing campaigns and malicious mobile applications from December 2017 to February 2018 targeting South Korean citizens and officials, Olympic athletes, partners and visitors, and International Olympic Committee (IOC) officials;
- December 2017 to February 2018 attacks on computers supporting the PyeongChang 2018 Winter Olympics, culminating in the destructive malware attack on the opening ceremony on February 9, 2018, using malware called Olympic Destroyer;
- April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the UK Defence Science and Technology Laboratory (DSTL) into the nerve-agent poisoning of Sergei Skripal, his daughter, and several UK citizens;
- A 2018 spearphishing campaign targeting a major media outlet in Georgia, 2019 attempts to compromise the Georgian Parliament's network, and a widespread website defacement campaign in Georgia in 2019;
- The creation of the Cyclops Blink botnet by exploiting a vulnerability in WatchGuard Firebox devices. The US government disrupted this botnet before the threat actors could use the malware to launch attacks; and
- April 2022 attacks on a major Ukrainian utility with a new variant of the Industroyer industrial control system (ICS) malware, known as Industroyer2, and a new version of the CaddyWiper data-destruction malware.
The Rewards for Justice program has set up a Tor site at he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion that can be used to anonymously submit tips about these threat actors and others.
Rewards for Justice also seeks information on other threat actors, including the REvil and DarkSide ransomware operations, North Korean cybercrime threat actors, and nation-state hackers targeting US businesses and critical infrastructure sectors.