The fur is not gonna fly: Uncle Sam charges seven Russians with Fancy Bear hack sprees

Largely pointless, since they're never going to stand trial

The GRU seven - from the FBI's "wanted" poster
Detail from the FBI's "Wanted" poster

In what's turning into International Cyber-Attribution Week, a US federal grand jury has indicted seven alleged Russian military intelligence officers – and accused them of hacking anti-doping watchdogs, sports officials, and others.

Four of the men are said to be part of a hacking operation, run by Kremlin spy agency GRU, that fell foul of Dutch intelligence. The Feds today named the seven as Dmitriy Sergeyevich Badin, Artem Andreyevich Malyshev, Alexey Valerevich Minin, Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Oleg Mikhaylovich Sotnikov, and Ivan Sergeyevich Yermakov.

All seven were, it is claimed, part of GRU's Fancy Bear hacking team that infiltrated the World Anti-Doping Agency's computers in 2016, and other organizations. They are charged with computer hacking, wire fraud, aggravated identity theft, and money laundering.

The FBI said the accused conducted “computer hacking activity spanning from 2014 through May of 2018, including the computer intrusions of the United States Anti-Doping Agency (USADA), the World Anti-Doping Agency (WADA), and other victim entities during the 2016 Summer Olympics and Paralympics and afterwards.”

Pink Panther

Dutch cheesed off with Russians, expel four suspects over chemical weapons Wi-Fi spying

READ MORE

American prosecutors added that Westinghouse Electric Company and FIFA were also victims of the Fancy Bear cyber-attacks, in which hackers tried to get into their computer networks. The group allegedly created fictitious personas and used proxy servers to research their victims, sent spear-phishing emails, and ran backend servers to command and control malware infections.

If a victim didn't fall for their remote attacks (or, as the prosecutors noted, “accounts that were successfully compromised [that] did not have the necessary access privileges”), Morenets, Serebriakov, Sotnikov, and Minin allegedly set about accumulating frequent-flyer points. They would travel to where desirable servers and networks were located, break into Wi-Fi networks connected to those systems, and if the operation was successful, “the close access team transferred such access to conspirators in Russia for exploitation,” it is claimed.

In 2016, they leaked stolen private information about 250 athletes from 30 countries to journalists via email and Twitter as part of a GRU disinformation campaign, prosecutors claimed.

The charge sheet also provided detailed allegations of the team's April 2018 attempt to compromise the investigation into recent Novichok attacks in Salisbury, England. Morenets, Serebriakov, Sotnikov, and Minin used diplomatic passports to travel to The Hague in the Netherlands, in an attempt to break into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons, which was probing the poisonings.

They intended, it is claimed, to continue to Spiez in Switzerland, home of the Spiez Swiss Chemical Laboratory, which was analyzing “military chemical agents, including the chemical agent that the United Kingdom authorities connected to the poisoning of a former GRU officer in that country” – the Novichok used against ex-GRU agent Sergei Skripal and his daughter Yulia, in other words.

A troll emerging from a nesting doll

UK pins 'reckless campaign of cyber attacks' on Russian military intelligence

READ MORE

“Data obtained from at least one item of equipment confirmed its operational use at multiple locations around the world, including connections to the Wi-Fi network of the CCES official’s hotel in Switzerland (the dates the conspirators conducted the Wi-Fi compromise of the senior CCES official’s laptop at the same hotel), and at another hotel in Kuala Lumpur, Malaysia in December 2017”, the prosecution stated.

The full indictment is here. It also details the alleged agents' use of Bitcoin to buy computer kit, and how they registered spoof domains to try and gather information (these included wada.awa.org and wada.arna.org to try and trap users looking for the legitimate wada.ama.org, and westinqhousenuclear.com, substituting a q for the g.

The indictments have been welcomed by the governments of Britain, the Netherlands, Canada, Australia, and New Zealand.

Since none of those named are present in America, we're unlikely to see a trial any time soon. ®




Biting the hand that feeds IT © 1998–2018