6 Russian intelligence officers indicted by U.S. for alleged cyber attacks | TribLIVE.com

Paula Reed Ward
AP
A poster showing six wanted Russian military intelligence officers is displayed Monday as FBI Special Agent in Charge of the Pittsburgh field office Michael Christman, right, accompanied by Assistant Attorney General for the National Security Division John Demers, left, and FBI Deputy Director David Bowdich, second from right, speaks at a news conference at the Department of Justice.

The Justice Department on Monday indicted six Russian intelligence agency officers for their alleged roles in what prosecutors called some of the most destructive cyber attacks in history.

One attack targeting more than 300 victims worldwide impacted the Sewickley-based Heritage Valley Health System, while others targeted the Ukrainian power grid in 2016, the 2017 French elections and the 2018 winter Olympics.

The seven-count indictment, returned Thursday in Pittsburgh by U.S. Attorney Scott Brady, includes charges for conspiracy, wire fraud, computer fraud and aggravated identity theft. The indictment was unsealed Monday.

The named defendants are all officers within Unit 74455 of the Russian Main Intelligence Directorate, known as the GRU, which is a military intelligence agency.

The alleged attacks began in November 2015 and continued into October 2019, and were deployed to benefit Russia, said Assistant Attorney General John Demers.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” Demers said.

As part of the conspiracy and to mask their identities, the indictment said, the officers paid for their hacking infrastructure using cryptocurrencies such as bitcoin. In some instances, the Russians created a “false flag” to try to pin blame for attacks on someone else. In the case of the Olympics, the indictment said, the Russian officers tried to make it appear that North Korea was responsible.

FBI Deputy Director David Bowdich said that Russia’s behavior has made it clear it seeks to disrupt foreign entities through cyber attacks.

“We investigate one major hack only to uncover another one,” he said.

Investigators, including ones in Pittsburgh, Atlanta and Oklahoma City, worked for two years on the case, Brady said.

“The crimes committed by Russian government officials were against real victims who suffered real harm,” he said. “We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

Heritage Valley was one of the alleged victims of malware called NotPetya, which was launched worldwide on June 27, 2017.

The indictment said the first Heritage Valley computer was impacted at 7:23 a.m. that day.

The infection, the filing said, occurred as a result of a connection between the health system computer and another computer network from a different entity that had already been infected.

“By stealing and using Heritage Valley user credentials to self-propagate, the malware then spread from the initial infected Heritage Valley computer to other computers on Heritage Valley’s computer network,” the indictment said.

At Heritage Valley, nearly 80 offices and facilities were impacted, as the NotPetya malware locked system hard drives, prohibiting access to patient lists, patient history, physical examination files and laboratory records, Brady said.

For several hours, the indictment continued, the systems’ hard drives were encrypted, work stations were locked and patient files were inaccessible.

“At that time, the health system implemented downtime procedures and continued care delivery until systems were restored,” Heritage Valley spokeswoman Suzanne Sakson said.

The hospital system lost access to critical computer systems for cardiology, nuclear medicine, radiology and surgery for about one week, and to administrative computer systems for a month.

Heritage Valley spent about $2 million to repair the damage caused by the malware.

Sakson said there was no indication that they were specifically targeted.

Bowdich called the NotPetya attack one of the most destructive cyber attacks ever.

“This cyber attack crippled that hospital’s operations,” Bowdich said.

Other American victims of NotPetya included TNT Express B.V., a subsidiary of FedEx, and a large pharmaceutical company. TNT Express spent $400 million trying to recover from the malware, Brady said. The pharmaceutical company spent $500 million.

In total, FBI Pittsburgh Special Agent in Charge Mike Christman said that NotPetya resulted in $10 billion in damages against 300 victims worldwide.

Paula Reed Ward is a TribLive reporter covering federal and Allegheny County courts. She joined the Trib in 2020 after spending nearly 17 years at the Pittsburgh Post-Gazette, where she was part of a Pulitzer Prize-winning team. She is the author of “Death by Cyanide.” She can be reached at pward@triblive.com.
