The Most Surprising Thing About the New Indictment of Six Russian Intelligence Hackers
By Josephine Wolff, Assistant Professor of Cybersecurity Policy, The Fletcher School
In May 2014, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military for cyberespionage—the first time the United States had ever filed charges against officers of a foreign government for hacking. In the six years since, the United States has issued several more such indictments accusing hackers in the employ of the Chinese, Russian, North Korean, and Iranian governments of breaking into U.S. computer networks, stealing confidential information, and manipulating U.S. businesses and voters. So the new indictment issued this week against six Russians associated with Military Unit 74455, GRU’s Main Center for Special Technologies, wasn’t exactly a surprise—symbolic, public charges aimed at naming and shaming foreign entities have become a fairly standard element of the U.S. response to nation-state hacking activity.
But the most recent charges against Russia are much more expansive and detailed than any of the previous hacking indictments filed against foreign government officials. Importantly, they are also far less U.S.-centric. Like the landmark 2014 indictment against the Chinese military officers, the recent charges against the six Russian hackers were filed in the Western District of Pennsylvania—but unlike those earlier charges, which largely detailed espionage conducted on Pennsylvania-based companies, the crimes outlined in the 2020 indictment were primarily focused on targets that were not just outside of Western Pennsylvania, but outside of the United States entirely.
The indictment describes a series of malware incidents over a period of four years that Unit 74455 carried out “for the strategic benefit of Russia,” such as attacking Ukraine’s electric grid in December 2015, leaving many without power—and heat. It says there were five targets that the incidents in question were designed to “undermine, retaliate against, or otherwise destabilize.” These five targets are described as: “(1) Ukraine; (2) the country of Georgia; (3) France’s elections; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil; and (5) the 2018 Winter Olympics after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.”
Notably, none of those are U.S. targets! Certainly, the United States was affected by some of these incidents—particularly the NotPetya malware that was distributed by Russia in 2017 to target Ukrainian infrastructure. While it was aimed at Ukraine, the NotPetya malware famously ended up infecting the networks of hundreds of organizations worldwide, including the Heritage Valley Health System in Pennsylvania, which the indictment discusses at some length (perhaps because it is the only connection to the Western District of Pennsylvania in the entire document). Other U.S. companies hit by NotPetya are mentioned in passing—such as a pharmaceutical company and FedEx—but the bulk of the indictment is devoted to Russia’s operations in other countries: how it infiltrated the Ukrainian electric grid as early as 2015, for instance, and overwrote the memory in Ukrainian computers with zeros and the terms “mrR0b07” and “fS0cie7y” repeated over and over (references to the television show Mr. Robot).
The indictment is unusually rich with these sorts of details—the names of the infected attachments that the perpetrators used to distribute their malware, the email addresses they sent those phishing emails from (e.g., olympicgameinfo@gmail.com and alert.safekorea@gmail.com), the URLs they purchased to set up phishing websites (for instance, mafra.go.kr.jeojang.ga, a site that was set up to resemble the official Korean Ministry of Agriculture, Food, and Rural Affairs website at mafra.go.kr), the fact that some of the perpetrators named in the indictment actively celebrated the deployment of NotPetya on June 27, 2017. Those details are presumably intended not just to show off the United States’ investigative and forensic skills but also to send a clear message to Russia that the United States knows every webpage its officers have visited, every URL they’ve registered, every email they’ve sent. And it’s hard to believe that it’s a total coincidence the Department of Justice chose to send that message only two weeks before the presidential election, despite Assistant Attorney General John Demers saying on Monday that there was no particular significance to the timing of the announcement.
One of the hackers named in this week’s indictment, Anatoliy Sergeyevich Kovalev, was among the dozen Russians charged with interfering in the 2016 U.S. elections in a 2018 indictment filed as part of the investigation led by Robert Mueller. But even if the Department of Justice does have the security of the upcoming election in mind, the most recent indictment is in many ways a surprisingly globally minded act on the part of the U.S. government. It details South Korean, French, Ukrainian, Georgian, and U.K. victims of Russian hacking activities, highlighting just how much effort the United States government—in partnership with companies including Google, Cisco, Facebook, and Twitter—put into investigating these overseas exploits.
Even more surprising is the U.S. willingness to use the full force of its own legal system to censure Russia for these attacks on non-U.S. targets. It’s a rare act of public-facing cyber solidarity on the part of the United States, a signal not just to Russia but also to the rest of the world that the U.S. government regards online attacks on Ukrainian infrastructure, South Korean events, French politicians, Georgian media outlets, and U.K. government ministries as deserving of the same response as attacks on U.S. companies and elections.
What impact, if any, that signal will have remains to be seen. Hacking indictments of foreign military officials make for fascinating reading and strong symbolic statements, but they rarely lead to any actual arrests, and it’s not clear that they serve any strong deterrent function, either. Still, it’s promising to see the United States stand up to Russia so publicly and expand the scope of its naming and shaming efforts to encompass illegal hacking directed at other countries. Whether or not naming and shaming will be sufficient to address Russia’s hacking activities (it won’t), it’s still a positive development that the U.S. government’s response to those activities openly acknowledges the global nature of the internet and the fact that tactics and code used against other countries will inevitably affect us, too.
This piece was republished from Slate.