Feds Offer $10 Million Reward for Russia's Sandworm Hackers

6 Russian Military Intelligence Agents Charged With Launching NotPetya Destruction
The U.S. government Tuesday announced a reward of up to $10 million for information pertaining to six alleged Russian military hackers tied to the 2017 NotPetya destructive malware campaign.

NotPetya was wiper malware, disguised as ransomware, which was distributed via a legitimate Ukrainian software developer's update server. The malware spread globally, causing commercial damage of up to $10 billion.

A federal grand jury in October 2020 indicted the six Russians, all believed to be military intelligence officers serving in Russia's Main Intelligence Directorate, or GRU, for launching NotPetya (see: 6 Takeaways: Russian Spies Accused of Destructive Hacking).

The alleged Russian GRU agents who were indicted (left to right, top row first): Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko and Petr Pliskin (Source: U.S. Department of Justice)

"All six individuals work in the GRU's Unit 74455, also known by cybersecurity researchers as Sandworm Team, Telebots, Voodoo Bear and Iron Viking," says a spokesperson for the Rewards for Justice program, which is administered by the U.S. Department of State's Diplomatic Security Service.

The program offers a reward of up to $10 million "for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act."

The Department of State says that since the program launched in 1984, more than $200 million has been paid to more than 100 people globally who have "provided actionable information that helped prevent terrorism, bring terrorist leaders to justice and resolve threats to U.S. national security."

Recently, the program has offered rewards for information tied to North Korean hackers, Iranians charged with interfering in 2020 U.S. elections and nation-state attackers who targeted critical infrastructure.

'We Know You Did It'

Whether the six Russians who allegedly launched NotPetya ever get detained abroad and extradited to the U.S. to face charges, the indictment was "a shot across the bow," says attorney Mark Rasch, who's of counsel to the law firm of Kohrman, Jackson & Krantz.

"Number one, it tells the Russians: 'We know you did it.' Number two, it tells the Russians: 'We know specifically the individuals who did it.' Number three, it acts to somewhat isolate those individuals and restrict their ability to travel. And number four, it tells the American people we're doing 'something' about cybercrime," Rasch says.

Speaking of the new reward money, "this latest act probably is more focused on three and four," he says.

No matter the rewards on offer, the Russian government never extradites its citizens. But alleged Russian criminals continue to be detained when they're traveling abroad, often on vacation, in response to requests from other nations, including the United States. Extradition proceedings then commence, during which the indictment against a suspect often gets unsealed.

Typically, Moscow will file a competing extradition request, charging the alleged cybercriminal with a minor offense. But this competing legal maneuver does not appear ever to have succeeded, at least for alleged cybercriminals.

Travel Plan Disruption

Charging Russian officers with breaking criminal statutes may also disrupt the suspects' "current and retirement plans," as well as make their travel planning more fraught, says Ian Thornton-Trump, CISO of threat intelligence firm Cyjax in Witney, England.

"Should these individuals find themselves in a country where law enforcement and government officials may be swayed by rewards like this, it is possible that these individuals may end up in America's hands," he says.

But experts say it's unlikely that these military officers will ever appear before a U.S. judge, at least if they remain in Russia. "There is no way a Russian citizen is going to grab their neighbor who works for the GRU and say to the Americans: 'Hey, look, I found this guy,'" says Rasch, who previously worked for the U.S. Department of Justice, where he started the computer crime unit within the criminal division's fraud section.

Nevertheless, the indictment and reward money still serve multiple purposes, including complicating GRU officers' lives. "It makes it more difficult for them to go to countries that are not affiliated or protected by Russia," Rasch says. "Because before this, the truth is, they would have to be captured by a foreign government and extradited. Now you're essentially incentivizing individuals to do the same thing."

Equation Group Hangover

One wrinkle with NotPetya is that some of its capabilities appear to have been built using tools developed by the U.S. National Security Agency, says Thornton-Trump, who from 1989 to 1992 served with the military intelligence branch of the Canadian Armed Forces.

Specifically, NotPetya used EternalBlue to exploit a vulnerability in the Server Message Block (SMB) server in Windows, and DoublePulsar to install a persistent backdoor.

These so-called Equation Group tools were somehow obtained - the specifics remain unknown - and leaked by a group calling itself the Shadow Brokers in early 2017.

"What America really wants to forget is the carelessness of letting their own NSA super-hacking tools get into malicious actors' hands," Thornton-Trump says. "Russia did not build NotPetya entirely. They added the ransomware payload to an EternalBlue exploit and DoublePulsar Trojan and, as they say, 'kicked the cyber tires and lit the cyber fires,' with lots of swearing in Russian following the results of letting it loose."

Spies Are Going to Spy

Traditionally, however, the function of intelligence agencies isn't to unleash destructive malware, but instead to help their leaders avoid going to war by gathering useful intelligence about what other countries are doing, planning or thinking.

In service to this mission, intelligence agents regularly break local laws when operating abroad. At the same time, domestic counterintelligence officials will be working to keep tabs on suspected foreign agents.

"This has been the way spying has worked since the invention of spying," Thornton-Trump says. "U.S. intelligence agents and cyber actors are going to be persons of interest and high-value targets just as aggressive nation-state actors are. It's spy versus spy, and the only difference is a lot of it is done online now, making those actors a bit harder to get at."

One difference with NotPetya, however, is that its purpose "was not espionage, but destruction," Rasch says. Accordingly, the criminal indictment unsealed by the U.S. and the reward now being offered can also be seen as a reminder about what constitutes acceptable behavior by intelligence agencies versus what a federal grand jury considers to be criminal behavior.

Caveat nation-state hacker.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
