Inside the DoJ’s GRU Indictments for Cyber Meddling

For the third time in the past two years, the United States has indicted intelligence officers associated with Russia’s Main Intelligence Directorate (GRU), the military intelligence entity of the General Staff of the Armed Forces of the Russian Federation. A review of the indictment shows the six officers were members of GRU Unit 74455 and their activities were focused on penetrating global targets of interest and disseminating misinformation and disinformation.

According to court documents and Department of Justice publicly released materials, they were successful in the implementation of destructive malware, although their attempts to influence the French elections in April and May 2017 were thwarted. The destructive malware, “NotPetya,” inflicted damage in excess of $1 billion to U.S. commercial entities.

The DoJ provided the following synopsis of the destructive, disruptive and destabilizing efforts of Unit 74455, aka Sandworm Team.

• Ukrainian Government & Critical Infrastructure: From December 2015 through December 2016, destructive malware attacks were waged against Ukraine’s electric power grid, Ministry of Finance and State Treasury Service, using malware known as BlackEnergy, Industroyer and KillDisk.
• French Elections: April and May 2017 the group launched spear-phishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians and local French governments prior to the 2017 French elections.
• Worldwide Businesses and Critical Infrastructure (NotPetya): The group launched destructive malware attacks that infected computers worldwide June 27, 2017, using NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer. Together the organizations suffered nearly $1 billion in losses from the attacks.
• PyeongChang Winter Olympics Hosts, Participants, Partners and Attendees: From December 2017 through February 2018, the group launched spear-phishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners and visitors, as well as International Olympic Committee (IOC) officials.
• PyeongChang Winter Olympics IT Systems (Olympic Destroyer): Between December 2017 and February 2018, the group launched intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony using malware known as Olympic Destroyer.
• Novichok Poisoning Investigations: In April 2018, the group conducted spear-phishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter and several U.K. citizens.
• Georgian Companies and Government Entities: The group was responsible for a 2018 spear-phishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament and a wide-ranging website defacement campaign in 2019.

In October 2018 a group of GRU intelligence officers traveled abroad as they targeted “U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government,” according to the indictment. These seven officers comprised a portion of the GRU’s “close access” teams. In addition, their desired outcome was to influence the Olympic body and anti-doping organizations, which had publicized the Russian state-sponsored doping program at the Sochi Winter Olympics. GRU Unit 74455 took the information acquired, fed it out piecemeal and engaged 186 members of media in an attempt to amplify their desired message comprised of misinformation.

A separate group of GRU officers who were indicted in July 2018 were focused on the 2016 U.S. election and came from Unit 26165 and Unit 74455. Those from within Unit 26165 focused on Hillary Clinton using spear-phishing techniques to compromise the Democratic National Committee (DNC). Unit 74455 was used for the distribution of the misinformation/disinformation and materials stolen from the DNC using the fictitious Guccifer 2.0 moniker. In addition, it was Unit 74455 that attempted to hack into U.S. state boards of elections, secretaries of state and U.S. companies that provided software and technology for the administration of elections. One of the defendants in the recent indictment was also named in the 2018 indictment.

On Oct. 22, 2019, Deputy Assistant Attorney General Adam S. Hickey testified before the House Judiciary Committee and addressed foreign influence attempts directed at U.S. elections. In his statement to the committee, Adams referenced the indictments of the 19 GRU officers and their efforts to influence the elections and voter perceptions.

1. Cyber operations targeting election infrastructure.
2. Cyber operations targeting political organizations, campaigns and public officials.
3. Covert influence operations to assist or harm political organizations, campaigns and public officials.
4. Covert influence operations, including disinformation operations, to influence public opinion and sow division.
5. Overt influence efforts, such as the use of foreign media outlets or other organizations to influence policymakers and the public.

Director FBI noted at a press conference the evening of Oct. 21:

“We are not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines the public confidence in the outcome of the election. When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners to quickly take appropriate action.”

There is little likelihood that the GRU and its Unit 26165 and Unit 74455 will remove the United States and western nations from their operating directives. Therefore, we should be forever mindful that the GRU is targeting U.S. companies, infrastructure and government entities, even those without any defense or intelligence connections.