US Indicts Sandworm, Russia’s Most Destructive Cyberwar Unit

The new indictment also represents the first official acknowledgement from the US government that Sandworm was responsible for a cyberattack on the 2018 Winter Olympics, in which a piece of malware known as Olympic Destroyer took down much of the IT infrastructure of the Games just as the opening ceremony was beginning in Pyeongchang, South Korea. Olympic Destroyer contained layers of “false flags,” spoofed clues in its code designed to trick investigators into blaming North Korea or China. And according to the new indictment, Sandworm also tried to breach two Olympic partner organizations responsible for timekeeping in the Olympics, not just the Wi-Fi, Olympics app, ticketing, and displays that were ultimately disrupted—perhaps an attempt to corrupt the Olympics sporting events’ actual results, too.

In the more than two years that followed, no government in the world officially seemed willing to blame the cyberattack on Russia, even as private intelligence firms like FireEye found strong evidence of Sandworm’s involvement, and US intelligence leaked their findings of Russia’s culpability to The Washington Post. (The European Union did finally name “Olympic Destroyer” as one of the known names for Sandworm in sanctions against the group in July, but without explicitly saying that the sanctions were in response to the Olympics attack.)

That long silence led to warnings from the cybersecurity community that Russia would no doubt attempt to attack the 2020 Olympics in Tokyo, too. And separately from the Sandworm indictment, those warnings were proven true today when the UK’s National Cybersecurity Center revealed that it had tracked, in a joint operation with US intelligence agencies, reconnaissance activities by Russian hackers seeking to disrupt the 2020 Olympics as predicted—though the games were ultimately delayed due to Covid-19—targeting the games’ organizers, logistics partners, and sponsors.

The Justice Department’s new indictment against the hackers includes a long history of other GRU hacking around the world: The hackers allegedly targeted the Organization for the Prohibition of Chemical Weapons in the Netherlands and the United Kingdom’s Defense Science and Technology Laboratory while those two organizations were investigating the Novichok poisoning of GRU defector Sergei Skripal and his daughter, an attack not previously linked to Sandworm despite known GRU involvement. The indictment also lays out new details of Sandworm’s targeting of the nation of Georgia in 2019, which included an attempt to compromise the Georgian parliament in addition to a previously known campaign of web defacements across the country’s internet, affecting 15,000 sites.

Perhaps most significantly, the criminal charges mark the first global law enforcement response targeting Sandworm’s hackers for their release of the NotPetya malware that ravaged networks across the world. To initially install its data-destroying, self-spreading code on its victims’ machines, Sandworm hijacked the update mechanism of MEDoc, a common piece of Ukrainian accounting software. But beyond infecting hundreds of Ukrainian companies and government agencies, NotPetya also spread far beyond Ukraine’s borders, inflicting $10 billion in damage on companies including Merck, FedEx, Maersk, and Mondelez, paralyzing updates to medical record systems in hospitals across the US, and causing serious collateral damage to Russian firms, too.

The indictment accuses Andrienko, Detistov, Frolov, and Pliskin specifically of developing different components of the NotPetya malware. It goes so far as to state that Andrienko and Pliskin “celebrated” after the malware was deployed.

Despite US and EU sanctions against Russia for NotPetya, no hackers were criminally charged with the global cyberattack, or even named as individually responsible for it, until now. That apparent inaction led many in the cybersecurity world to marvel for years at Western governments’ failure to hold Sandworm accountable. “NotPetya tested the red lines of the West, and the result of the test was that there are no red lines yet,” Johns Hopkins professor of strategic studies Thomas Rid told WIRED in 2018. “The lack of any proper response is almost an invitation to escalate more.”