The new indictment also represents the first official acknowledgement from the US government that Sandworm was responsible for a cyberattack on the 2018 Winter Olympics, in which a piece of malware known as Olympic Destroyer took down much of the IT infrastructure of the Games just as the opening ceremony was beginning in Pyeongchang, South Korea. Olympic Destroyer contained layers of “false flags,” spoofed clues in its code designed to trick investigators into blaming North Korea or China.
In the more than two years that followed, no government in the world officially seemed willing to blame the cyberattack on Russia, even as private intelligence firms like FireEye found strong evidence of Sandworm’s involvement, and US intelligence leaked their findings of Russia’s culpability to the Washington Post. (The European Union did finally name “Olympic Destroyer” as one of the known names for Sandworm in sanctions against the group in July, but without explicitly saying that the sanctions were in response to the Olympics attack.)
The indictment against the hackers includes a long history of other GRU hacking around the world: The hackers allegedly targeted the Organization for the Prohibition of Chemical Weapons in the Netherlands and the United Kingdom’s Defense Science and Technology Laboratory while those two organizations were investigating the Novichok poisoning of GRU defector Sergei Skripal and his daughter, an attack not previously linked to Sandworm despite known GRU involvement. The indictment also lays out new details of Sandworm’s targeting of the nation of Georgia in 2019, which included an attempt to compromise the Georgian parliament in addition to a previously known campaign of web defacements across the country’s internet, affecting 15,000 sites.
Perhaps most significantly, the criminal charges mark the first global law enforcement response targeting Sandworm’s hackers for their release of the NotPetya malware that ravaged networks across the world. To initially install its data-destroying, self-spreading code on its victims’ machines, Sandworm hijacked the update mechanism of MEDoc, a common piece of Ukrainian accounting software. But beyond infecting hundreds of Ukrainian companies and government agencies, NotPetya also spread far beyond Ukraine’s borders, inflicting $10 billion in damage to companies including Merck, FedEx, Maersk, Mondelez, paralyzing updates to medical record systems in hospitals across the US and causing serious collateral damage to Russian firms, too.
The indictment accuses Andrienko, Detistov, Frolov, and Pliskin specifically of developing different components of the NotPetya malware. It goes so far as to state that Andrienko and Pliskin “celebrated” after the malware was deployed.
Despite US and EU sanctions against Russia for NotPetya, no hackers were criminally charged with the global cyberattack until now or even named as individually responsible for it. That apparent inaction led many in the cybersecurity world to marvel for years at western governments’ failure to hold Sandworm accountable. “NotPetya tested the red lines of the West, and the result of the test was that there are no red lines yet,” Johns Hopkins professor of strategic studies Thomas Rid told WIRED in 2018. “The lack of any proper response is almost an invitation to escalate more.”
Now, however belatedly, that accountability has arrived for Sandworm’s hackers. But as with so many indictments of foreign, state-sponsored hackers, the defendants will likely never see the inside of a US courtroom, given their protection by the Russian government. Nonetheless, indictments against foreign hackers limit their ability to use the Western financial system or to travel to any country that may have an extradition agreement with the US. “We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work—in order to seek justice on behalf of these victims,” US Attorney Scott W. Brady said in a statement.