US indictment of operatives, accused of launching several attacks, gives a detailed account of how they went about their business
The Sandworm team of Russian military intelligence, alleged to have unleashed computer chaos against the Kremlin’s enemies around the world, is said to operate out of a blue-tinted glass skyscraper known simply as “the tower”.
From that address, 22 Kirova Street in the Moscow suburb of Khimki, the Sandworm hackers, also known more prosaically as the unit 74455 and “the main centre for special technologies”, launched attacks on the Ukrainian power system, Emmanuel Macron’s presidential bid in France in 2017, the South Korean Olympics in 2018 and the UK investigation into the 2018 Russian nerve agent attack in Salisbury.
According to cyber security experts, the same unit was involved in the hacking of the Democratic National Committee and Hillary Clinton’s election campaign in 2016, disguised as a hacktivist group dubbed Fancy Bear.
On Monday, US and UK authorities accused the unit of planning a cyberattack on the 2020 Olympics and Paralympics in Tokyo.
They did not just cause confusion and inconvenience. Quite apart from their alleged role in the rise of Donald Trump, they are accused of depriving hundreds of thousands of Ukrainians of light and heat in the middle of winter, and closing down the computer systems of a major Pennsylvania hospital. Their exploits are a foretaste of unconstrained cyber warfare might look like in the real world.
The US indictment of six Sandworm operatives, all GRU military intelligence officers, gives a detailed account of how they went about their business.
In preparation for the attack on the Olympics they studied the tactics and style of their North Korean counterparts, the Lazarus group, so they could mimic them and throw suspicion on Pyongyang.
When the UK’s Defence Science and Technology Laboratory and the Organisation for the Prohibition of Chemical Weapons in the Hague started to investigate the Novichok nerve agent attack on a KGB defector Sergei Skripal and his daughter Yulia in March 2018, the Sandworm hackers sent out spearphishing emails to investigators in both organisations purporting to come from known German and British journalists.
To increase the chances that at least some of the recipients would click on the malware-laced links, the “journalist” claimed to have information relevant to the investigation.
The indictment is based on lengthy investigations by FBI analysts in cooperation with Google, Cisco, Facebook and Twitter as well with allied intelligence agencies, most importantly the from the Five Eyes alliance, of the US, UK, Canada, Australia and New Zealand.
According to the indictment, the investigators were able to keep such a close watch on the hackers that it caught one of them, named as Anatoliy Kovalev, doing a bit of moonlighting, spearphishing Russian real estate companies, and car dealers as well as cryptocurrency exchanges abroad, apparently for private profit.
Thomas Rid, the professor of strategic studies at Johns Hopkins University and author of Active Measure – a book published this year on disinformation operations, said the level of detail in the indictment reflects the degree to which the GRU teams own networks were infiltrated.
“Today’s GRU indictment is an incredible document,” Rid wrote on Twitter. “The Five Eyes intelligence communities, I would suspect, must have stunning visibility into Russian military intelligence operations if today’s disclosures are considered dispensable.”
For all the efforts unit 74455 took to cover its tracks, they seem to have been remarkably sloppy in other ways.
According to Aric Toler of the Bellingcat investigative journalism team, three of the six accused registered their cars to the same address, which is also linked to the Sandworm unit.
“If you search for all of the people registering their cars to this address, you get 47 results – all probably GRU hackers,” Toler said.