U.S. Charges Russian Intelligence Officers with Cyberattack on Ukraine

The U.S. Department of Justice (DOJ) on Thursday unsealed an indictment of five Russian intelligence officers, plus one Russian civilian, for conducting the “WhisperGate” cyberattack on Ukrainian infrastructure in January 2022. The case is largely symbolic, but offers an interesting look at what the FBI described as “the first shot of the war.”

The unsealed indictment names five officers of Russia’s Main Intelligence Directorate of the General Staff (GRU) as accomplices of a civilian hacker named Amin Timovich Stigal. A previous indictment in June named only Stigal as the perpetrator of the attack.

The GRU officers were part of a unit known as “Cadet Blizzard,” “Ember Bear,” and “Dev-0586.” The commander of the unit, Yuriy Denisov, was one of the men indicted on Thursday. The GRU team was tasked with using malware to attack critical infrastructure in Europe, Central America, and Asia.

Stigal, a native of Chechnya, either created or perfected an extremely destructive piece of malware known as “WhisperGate.” 

The most remarkable feature of WhisperGate is that it “disguises” itself as a ransomware attack, in which data on the infected system would be encrypted and held hostage until the victims paid a ransom to unlock it. Stigal and the GRU team made some of the data they stole available for purchase on the Internet to maintain the illusion they were a routine gang of data thieves.

In reality, WhisperGate aggressively destroyed data beyond hope of recovery, including core operating software whose destruction would make devices, and entire systems, unusable.

According to DOJ, Stigal conspired with the GRU team to infect critical systems in Ukraine with WhisperGate and other destructive malware in January 2022 as a prelude to the Russian invasion, which was launched the following month. 

The goals of the WhisperGate attack were to steal information from Ukrainian systems, cripple vital infrastructure, and sow terror among the Ukrainian population. Stigal and his GRU co-conspirators hacked Ukrainian websites to display messages such as, “Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future!”

Assistant Attorney General Matthew G. Olsen said on Thursday that the WhisperGate attack was “emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion.”

Other U.S. officials noted that the Russian malware spread very quickly, without restraint or control from its GRU handlers, turning it into an electronic pandemic that infected systems far beyond Ukraine’s borders. 

The Russians also deliberately attacked computer systems in the United States and Europe, including a federal government system in Maryland, as part of their battlespace preparation for the Ukraine invasion. 

One of the charges against Stigal and the GRU officers is that they conspired to use the services of a U.S.-based company to distribute their cyber-weapon. According to prosecutors, Stigal began preparing for the attack in 2020 by creating a number of accounts with an unspecified American company that provided messaging and voice mail services. He later uploaded hundreds of files to these accounts, including the dangerous WhisperGate virus.

“The FBI, along with our law enforcement partners and allies, will relentlessly hunt down and counter these threats. This type of cyber warfare will not be tolerated. The scope of Russia’s crimes cannot be ignored,” vowed FBI Special Agent in Charge Bill DelBagno at a news conference on Thursday.

It was not immediately clear what consequences the Russian hackers would face, as they all appear to be safely beyond the reach of U.S. law enforcement. The U.S. State Department is offering a $10 million bounty for information leading to their arrest.

“They are marked people. We know who they are. There’s a reward on their head, and we’re going to pursue them relentlessly. The message is clear to the GRU, to the Russians: we are onto you,” insisted Assistant A.G. Olsen.

Ivan Kalabashkin, Deputy Head of the Cybersecurity Department for Ukraine’s SBU intelligence service, applauded the indictments while speaking at a cybersecurity forum in Washington on Thursday. He said Ukraine is weathering ten to fifteen Russian cyberattacks a day.

via September 6th 2024