The GRU building known as the Tower, in the Moscow suburb of Khimki, where Sandworm operates. Photograph: Maxim Shemetov/Reuters/Alamy
Nearly half a decade ago, the Russian hackers known as Sandworm hit Western Ukraine with the first-ever cyberattack to cause a blackout, an unprecedented act of cyberwar that turned off the lights for a quarter million Ukrainians. They were just getting started. From there Sandworm embarked on a years-long spree of wantonly destructive attacks: another blackout attack on the Ukrainian capital of Kyiv in 2016, the release of the NotPetya worm in 2017 that spread globally from Ukraine to cause $10 billion in damage, and a cyberattack that temporarily destroyed the IT backend of the 2018 Winter Olympics in South Korea, among others.
Yet in spite of crossing every red line the cybersecurity world has tried to draw to protect civilian critical infrastructure from catastrophic hacking, Sandworm's members had never been charged or even officially named in connection with those attacks. Until now.

On Monday, the Department of Justice unsealed charges including computer fraud and conspiracy against six of the hackers who allegedly make up Sandworm, a group also known in the security industry by the names Telebots, Voodoo Bear, and Hades, and confirmed earlier this year to work in Unit 74455 of Russia's GRU military intelligence agency, based in a building known as the Tower in the Moscow suburb of Khimki. The indictment names all six Russian men, who are in their late twenties to early thirties: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, as well as Anatoliy Sergeyevich Kovalev, who was previously indicted two years ago for his alleged role in hacking US states' boards of elections in 2016.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” assistant attorney general John Demers said in a statement.
"They continue to do disruptive and destructive attacks against anyone they perceive to be an adversary to Russia or to have slighted Russia in some way," added a senior Justice Department official who asked not to be identified. "This is probably one of the most dangerous and aggressive groups of hackers that’s out there."

The charges represent not only the first criminal charges against Sandworm for its most destructive attacks, but the first time that most of the charged hackers have been publicly identified as members of the hacker group. Two other GRU hackers believed to be part of Sandworm—Aleksey Aleksandrovich Potemkin and Aleksandr Vladimirovich Osadchuk—were previously named in the separate, 2018 indictment of 12 GRU hackers for hacking that interfered in the 2016 US election. Kovalev, who in the new indictment is accused of helping to hack the 2017 campaign of French president Emmanuel Macron, was also named in those 2018 charges.

Now, however belatedly, accountability has arrived for Sandworm's hackers. But as with so many indictments of foreign, state-sponsored hackers, the defendants will likely never see the inside of a US courtroom, given their protection by the Russian government. Nonetheless, indictments against foreign hackers limit their ability to use the Western financial system or to travel to any country that has an extradition agreement with the US. "We have an obligation to hold accountable those who commit crimes—no matter where they reside and no matter for whom they work—in order to seek justice on behalf of these victims," US attorney Scott W. Brady said in a statement.

The Sandworm indictment also sends a message to the GRU and other hackers engaged in reckless attacks around the world that they, too, can be named and shamed, says John Hultquist, director of intelligence at FireEye, who first named Sandworm in 2014 and has tracked the hackers across their long, chaotic career. "It's obviously great that they're finally being accused," Hultquist says.

A Justice Department official denied that the timing of the indictment was related to the approach of Election Day in just two weeks. "We charge the cases when they're ready to be charged," the official said.
But Hultquist notes that Sandworm was, in fact, involved in the 2016 election interference, and that Microsoft has already linked another GRU group known as Fancy Bear or APT28 to attempts to breach campaigns and other political organizations involved in the 2020 election. "Plainly, I think they're attempting to discourage them from acting in this election by using legal tools and outing their involvement in other incidents," Hultquist says of the Justice Department's indictment.

Election aside, the signaling to state-sponsored hackers is clear, belated as it may be, says Hultquist: "We know who you are and what you’ve done," he says. And the consequences of that knowledge will catch up with hackers who cross red lines—even if it takes five years.