Euro Security Watch with Mathew J. Schwartz

Cyberwarfare / Nation-State Attacks , Forensics , Fraud Management & Cybercrime

Elite Russian Sandworm Hackers' Epic OPSEC Problem

US Indictment Airs Russian Military and Operators' Dirty Laundry
Elite Russian Sandworm Hackers' Epic OPSEC Problem

Although Russia's elite nation-state hackers are capable of waging destructive attacks, the GRU military intelligence Sandworm operators have not been able to remain in the shadows, a U.S. federal grand jury indictment suggests (see: 6 Takeaways: Russian Spies Accused of Destructive Hacking).

See Also: The External Attack Surface Is Growing and Represents a Consistent Vulnerability

The indictment demonstrates the degree to which Western intelligence agencies have apparently been able to infiltrate the Russian intelligence apparatus to trace attacks back to specific agencies - and specific operators.

In attributing the 2017 NotPetya fake ransomware attack, attempts to disrupt the 2018 Winter Olympics and 2020 Summer Olympics and attacks against organizations investigating Russia's 2018 Novichok attack on British soil, the U.S. Department of Justice didn't just name and shame the GRU's Main Center for Specialist Technologies - aka GRU Unit 74455, which security researchers refer to as Sandworm, TeleBots, Voodoo Bear and Iron Viking.

The Justice Department also named six hackers that it said were behind the keyboard during the attacks, released their photographs and added them to the FBI's list of most wanted fugitives. All are believed to be in or around Moscow. And because Russia has no extradition treaty with the U.S., they're unlikely to ever see the inside of an American courtroom.

Alleged Russian GRU agents indicted last week (left to right, top row first): Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin. (Source: U.S. Justice Department)

"The Five Eyes intelligence communities ... must have stunning visibility into Russian military intelligence operations," cybersecurity expert Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of "Active Measures," said on Twitter.

Not So Shadowy

The sources and methods - that's intelligence-speak for the practice of gathering and analyzing evidence - used to identify who was behind the keyboards for these attacks aren't clear. But, from an operational security standpoint, the GRU unit does not appear to have practiced exemplary OPSEC.

Aric Toler, a researcher with investigative journalism website Bellingcat, notes that, of the six men indicted, three had registered their car to Svobody 21B in Moscow - the physical address of their GRU unit. Presumably, they did this to avoid getting traffic tickets.

Toler says FBI investigators likely used a tool called FindClone - a Russian facial recognition site - or something similar to help identify the suspects. He notes that photographs of the suspects released by the Justice Department include images taken from now-deleted pages on VK - a Russian online social media and social networking service, akin to Facebook, on which the suspects appeared to have registered accounts using pseudonyms. These accounts had been cached by FindClone.

Blending: Cybercrime and Nation-State Attacks

Intelligence officials say that, for several years, it has been growing more difficult to distinguish between nation-state attacks and cybercrime campaigns because the same hackers may work for intelligence agencies during office hours and practice freelance hacking in their spare time.

An example of that appears in the indictment, as Rid has noted.

One suspect - Anatoliy Kovalev - has also been accused of engaging "in spear-phishing campaigns for apparent personal profit, including campaigns targeting large Russian real estate companies, auto dealers and cryptocurrency miners, as well as cryptocurrency exchanges located outside of Russia."

Rules for Russian Hackers

Russia's computer crime laws make it difficult to prosecute citizens, so long as they've only defrauded foreigners, or at least anyone outside the Commonwealth of Independent States, which comprises former republics of the Soviet Union (see: Russia's Cybercrime Rule Reminder: Never Hack Russians.)

Security experts say Russian intelligence agencies have long turned a blind eye to cybercrime, provided criminals steer clear of targeting Russia and its neighbors and occasionally do favors for the government's spies. Kovalev, however, is allegedly a Russian military intelligence officer. Before being indicted last week by a federal grand jury, he - along with 11 other officers - was indicted by a separate grand jury in July 2018 for his alleged role in interfering with the 2016 U.S. elections. Kovalev and another GRU officer were also charged with a separate conspiracy to hack into state election infrastructure and software providers' systems.

Whether his GRU superiors were aware of his alleged extracurricular activities isn't known. But thanks to the U.S. indictment, his apparent penchant for hacking for profit - including pwning other Russians - in his spare time is just part of the dirty laundry being aired by the federal government as it attempts to hold Moscow to account for its hacking activities.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.