Getty Images
Federal prosecutors on Thursday unsealed an indictment charging six Russian nationals with conspiring to hack into the computer networks of the Ukrainian government and its allies and steal or destroy confidential data at the behest of the Kremlin.
The indictment, filed in the U.S. District Court for the District of Maryland, said five of the men were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the Armed Forces General Staff. Along with a sixth defendant, prosecutors alleged, they were involved in a conspiracy to hack, exfiltrate data, leak information and destroy computer systems associated with the Ukrainian government in advance of Russia’s invasion of Ukraine in February 2022.
Targeting Critical Infrastructure with WhisperGate
The indictment, which replaces an earlier indictment, comes 32 months after Microsoft documented the discovery of a destructive piece of malware dubbed WhisperGate that infected dozens of Ukrainian government, nonprofit and IT organizations. WhisperGate masqueraded as ransomware but was in fact malware that permanently destroyed computers and the data stored on them by erasing the master boot record, a part of the hard drive needed to launch the operating system during startup.
In April 2022, three months after the report was published, Microsoft released a new report finding that WhisperGate was part of a much broader campaign aimed at coordinating destructive cyberattacks on critical infrastructure and other targets in Ukraine with kinetic military operations conducted by Russian forces. Thursday’s indictment included many of the factual findings reported by Microsoft.
“The GRU’s WhisperGate campaign, including the targeting of Ukraine’s critical infrastructure and government systems with no military value, exemplifies Russia’s appalling disregard for innocent civilians as it carries out its unjust invasion,” Assistant Attorney General Matthew G. Olsen of the National Security Division said in a statement. “Today’s indictment underscores that the Department of Justice will use every tool available to disrupt this type of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive attacks on the United States and our allies.”
Later in the campaign, Russian operatives targeted computer systems in countries around the world that provided support to Ukraine, including the United States and 25 other NATO countries.
The six suspects are:
- Yuriy Denisov, a colonel in the Russian Army and commanding officer of Cyber Operations for Unit 29155
- Vladislav Borokov, a lieutenant in Unit 29155 who works in cyber operations
- Denis Denisenko, a lieutenant in Unit 29155 who works in cyber operations
- Dmitriy Goloshubov, a lieutenant in Unit 29155 working on cyber operations
- Nikolay Korchagin, a lieutenant in Unit 29155 working in cyber operations
- Amin Stigal, an alleged civilian conspirator, was indicted in June for his role in WhisperGate activities
Federal prosecutors said the conspiracy began no later than December 2020 and was ongoing. The defendants and other unindicted accomplices, the indictment alleged, scanned computers of potential targets around the world, including in the U.S., looking for vulnerabilities and exploiting them to gain unauthorized access to many of the systems. The defendants would then infect the networks with wiper malware and, in some cases, exfiltrate the stored data.
Thursday's charges came a day after Justice Department officials announced charges against two Russian media executives accused of funneling millions of Kremlin dollars to a company responsible for producing and publishing propaganda videos in the U.S. that garnered millions of views on social media. Federal prosecutors said the goal was to covertly influence public opinion and deepen social divisions, including over Russia's war in Ukraine.
Also Wednesday, federal officials took other legal steps to counter what they called other Russian psychological operations. The actions included seizing 32 internet domains they said were being used to spread anti-Ukrainian propaganda, imposing sanctions on Russian individuals and entities accused of spreading Russian propaganda and charging two people accused of conspiring to help a Russian broadcaster violate U.S. sanctions.
Unit 29155 is a covert branch of the GRU that carries out coups, sabotage and assassinations outside Russia. According to WIRED, Unit 29155 recently acquired its own active team of cyberwarfare operators in a move that signals Russia’s merging of physical and digital tactics more than in the past. WIRED said the unit stands out from others within the GRU that use more recognized Russian state hacking groups, such as Fancy Bear or APT28 and Sandworm.
The Justice Department announced a $10 million reward for the suspects' locations or cyber activities. The wanted poster and Thursday's indictment showed photos of all six suspects. The move is intended to limit the men's travel and discourage other Russians from following their lead.
