The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.
“These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act,” the State Department’s Rewards for Justice Program said.
All the six Russian officers are members of an advanced persistent threat group called Sandworm (aka Voodoo Bear or Iron Viking), which is known to be operating since at least 2008 with a specific focus on targeting entities in Ukraine with the goal of establishing an illicit, long-term presence in order to mine highly sensitive data.
The hacker, who are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are as follows –
- Artem Valeryevich Ochichenko, who has been linked to technical reconnaissance and spear-phishing campaigns to gain unauthorized access to IT networks of critical infrastructure facilities worldwide
- Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, who are said to have developed components of the NotPetya and Olympic Destroyer malware used by the Russian government on June 27, 2017 to infect computer systems, and
- Anatoliy Sergeyevich Kovalev, who is accused of developing spear-phishing techniques and messages used by the Russian government to breach computer systems of critical infrastructure facilities
On October 15, 2020, the U.S. Justice Department indicted the aforementioned officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses, charging them with conspiracy to commit wire fraud and aggravated identity theft.
As part of the initiative, the Rewards of Justice has set up a Tor website at “he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion” that can be used to submit tips about these threat actors anonymously, or alternatively share the information via Signal, Telegram, or WhatsApp.
The Sandworm group was most recently linked to Cyclops Blink, a sophisticated and now neutralized botnet malware that infected internet-connected routers and firewalls made by ASUS and WatchGuard.
Another recent hacking activity associated with this group includes the deployment an updated version of Industroyer malware to attack high-voltage substations in Ukraine as part of ongoing invasion.