Threat Management, Threat Management, Threat Intelligence

U.S. indicts GRU officers over anti-doping agency hacks; Western allies condemn Russia

The U.S. and several key Western Allies have leveled an array of new and damning hacking allegations against Russia, with the Department of Justice announcing federal indictments against seven officers in Russia's Main Intelligence Directorate (GRU) military intelligence agency.

Officials from America, the UK, Australia, New Zealand and the Netherlands over last 24 hours have publicly accused Russia of hacking a myriad of targets, including anti-doping organizations, Ukraine, the U.S. Democratic National Committee, Westinghouse Electric Company and the Organization for the Prohibition of Chemical Weapons (OPCW).

A grand jury in the Western District of Pennsylvania handed down the U.S. indictment against the seven Russian defendants, identified as Aleksei Sergeyevich Morenets, 41; Evgenii Mikhaylovich, Serebriakov, 37; Ivan Sergeyevich Yermakov, 32; Artem Andreyevich Malyshev, 30; and Dmitriy Sergeyevich Badin, 27; Oleg Mikhaylovich Sotnikov, 46; and Alexey Valerevich Minin, 46. Charges includes computer hacking, wire fraud, aggravated identity theft, and money laundering.

Four of the accused -- Morenets, Serebriakov, Sotnikov, and Minin -- were alleged members of what authorities are calling a "close access" team that would brazenly travel to targets' physical locations in order to hack them over a local Wi-Fi network. Whenever remote attempts to capture a target's log-in credentials or gain privileged access proved fruitless, Russia would dispatch this team to capture the credentials and then transfer access over to Russia-based conspirators, officials say.

The three other defendants, Yermakov, Malyshev, and Badin, were previously named in a previous U.S. indictment charging Russian actors with interference in the 2016 presidential election.

According to the DOJ, the indictment covers illegal hacking activity conducted against individuals and organizations from December of 2014 through at least May 2018. Among the more high-profile of attacks executed by this group was a hacking and disinformation campaign seeking to discredit or embarrass anti-doping organizations and non-Russian athletes.

This campaign, which cyber experts have long attributed to the Russia-linked APT group Fancy Bear, was apparently a retaliatory act following the exposure of an institutionalized doping campaign during the 2014 Sochi Olympics, which led to the sanctions against Russia and some Russian athletes at the 2016 and 2018 games in Rio de Janeiro and Sochi. In response to this long-running operation, the DOJ has seized the domains fancybears.net and fancybears.org.

To carry out the plot, the defendants allegedly used spear phishing and local hacking techniques to gain unlawful access to networks and data belonging to around 40 sporting organizations, including the World Anti-Doping Agency, the U.S. Anti-Doping Agency, the Canadian Centre for Ethics in Sport (CCES), the International Association of Athletics Federations and FIFA. Some of this data included highly confidential and sensitive medical records.

The stolen information was then strategically cherry-picked, modified and released to reporters and media outlets in order to support Russian perspectives on the scandal -- making it look like anti-doping agencies were unfairly singling out Russia while overlooking abuses of the system by other international athletes.

"The actions of these seven hackers, all working as officials for the Russian government, were criminal, retaliatory, and damaging to innocent victims and the United States' economy, as well as to world organizations," said FBI Director Christopher Wray in a DOJ press release. "Their actions extended beyond borders, but so did the FBI's investigation."

The indictment also accuses four of the GRU officers of traveling to the Hague in the Netherlands in April 2018 to perform a close-up hack of the Organisation for the Prohibition of Chemical Weapons (OPCW) watchdog group.

Their next target was apparently the OPCW's Spiez Swiss Chemical Laboratory, but the Deutch defense intelligence service MIVD disrupted the operation before it was completed, said the DOJ, noting that the suspects left behind equipment that contained data that confirmed previous attacks, including one against the CCES.

The DOJ's account of this attack gibes with a press statement issued earlier today by the Netherlands' Ministry of Defense, which announced the disruption of a Russian operation against OPCW assets. The four suspects were caught on surveillance footage at Schiphol airport in Amsterdam, and were later escorted out of the country, according to the Ministry.

"This cyber operation against the OPCW is unacceptable. By revealing this Russian action, we send a clear message: Russia has to stop this," said Minister of Defense Ank Bijleveld. "The OPCW is a respected international institute that represents 193 states from all over the world, to work together on a world without chemical weapons, and as a host country, Dutch has the responsibility to protect international organizations here."

The investigation, which was aided by British investigators and the Dutch intelligence agency AIVD, also linked one of the suspects to hacking activity in Malaysia related to the probe surrounding the downing of Malaysia Airlines Flight 17 over Ukraine -- an act which is widely blamed on Russian militants.

In another public admonishment, the UK, Australia and New Zealand each issued related statements [1, 2, 3] blaming Fancy Bear for a variety of reckless hacking activities over the past several years.

In addition to referencing the anti-doping cyberattacks, the trio of countries also linked the Russian group to the 2016 hack of the U.S. DNC, the 2015 hack of a small U.K. TV station's email accounts, and the NotPetya ransomware variant BadRabbit.

Set loose in October 2017, BadRabbit impacted operations at the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets.

"We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU," reads a joint statement issued today by U.K. Prime Minister Theresa May and Dutch Prime Minister Mark Rutte. "Our action today reinforces the clear message from the international community: We will uphold the rules-based international system, and defend international institutions from those that seek to do them harm."

"The GRU's actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens," said Jeremy Hunt, foreign secretary at the U.K.'s National Cyber Security Centre (NCSC), in a press release. "This pattern of behavior demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences."

The office of Scott Morrison, prime minister of Australia, also chimed in with a statement: "While Australia was not significantly impacted, this activity affected the ability of the public in other parts of the world to go about their daily lives. It caused significant, indiscriminate harm to civilian infrastructure and resulted in millions of dollars in economic damage, including in Russia. This is unacceptable and the Australian Government calls on all countries, including Russia, to refrain from these types of malicious activities."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.