{
	"id": "9d252dd9-4c74-48ac-a48d-2ff1790fe803",
	"created_at": "2026-04-06T00:21:09.242369Z",
	"updated_at": "2026-04-10T03:37:09.040459Z",
	"deleted_at": null,
	"sha1_hash": "3ea222bb4ab010d621f3e3df2a9bcb6e8d10d2c4",
	"title": "US charges Russian GRU officers for NotPetya, other major hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39452,
	"plain_text": "US charges Russian GRU officers for NotPetya, other major hacks\r\nBy Tim Starks\r\nPublished: 2020-10-19 · Archived: 2026-04-05 13:15:42 UTC\r\nA federal grand jury returned an indictment against six alleged Russian intelligence officers who, collectively,\r\nwere responsible for “conducting the most disruptive and destructive series of computer attacks ever attributed to\r\na single group,” the Justice Department announced Monday.\r\nTheir attacks spanned the globe, including the worldwide 2017 NotPetya outbreak that did more than $1 billion in\r\ndamage to a number of U.S. organizations, according to the indictment; estimates place its worldwide cost at as\r\nmuch as $10 billion. The six accused hackers work for the Russian Main Intelligence Directorate, commonly\r\nknown as the GRU, which has been connected to interference in the 2016 U.S. election and other major cyberattacks.\r\nBesides NotPetya, the alleged co-conspirators were behind destructive malware attacks beginning in December\r\n2015 that disrupted Ukraine’s electricity grid; 2017 spearphishing campaigns linked to hack-and-leak efforts to\r\ninterfere in the French election; attacks related to the Winter Olympics in 2017 and 2018, at a time when\r\nRussia was feuding with the Olympics over a doping scandal; spearphishing attacks in 2018 against investigations\r\ninto the nerve agent poisoning of former Russian intelligence officer Sergei Skripal and others; and 2018 and 2019\r\ncampaigns against numerous targets in Georgia, including an attempt to compromise the network of Parliament.\r\nCybersecurity researchers have labeled the hackers “Sandworm Team,” “Telebots,” “Voodoo Bear” and “Iron\r\nViking.” They are long believed to be behind those attacks and many others among the most high-profile in\r\nhistory.\r\n“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing\r\nunprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, the\r\nassistant attorney general for national security. “Today the Department has charged these Russian officers with\r\nconducting the most disruptive and destructive series of computer attacks ever attributed to a single group,\r\nincluding by unleashing the NotPetya malware.”\r\nThe defendants — Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov,\r\nAnatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin — face charges of\r\nconspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging\r\nprotected computers and aggravated identity theft.\r\nThe Justice Department previously charged Kovalev, in 2018, alongside a group of other Russian officers for\r\nhacking Democrats during the 2016 campaign.\r\nEven though the announcement comes mere weeks before Election Day in the U.S., Demers told reporters that the\r\ntiming was “not particularly” tied to the vote. The indictment follows a surge in U.S. government responses to\r\naccused hacking by Russia, China and Iran, all three of whom are among the top nations the intelligence\r\ncommunity has accused of seeking to interfere in the 2020 campaign.\r\nIn a background briefing with reporters, a DOJ official said: “Generally, it is a warning. It’s a warning to these\r\ncountries and the actors working with them these activities are not quite as deniable as they might have hoped they\r\nwere, originally.”\r\nThe U.S. NotPetya victims cited in the indictment include “hospitals and other medical facilities in the Heritage\r\nValley Health System (‘Heritage Valley’) in the Western District of Pennsylvania; a FedEx Corporation\r\nsubsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer.” A grand jury in Pittsburgh returned\r\nthe indictment.\r\nThe December 2015 attack on the Ukrainian power grid left nearly 230,000 people without power, with the\r\nhackers using the BlackEnergy, Industroyer and KillDisk malware in attacks that stretched into late 2016.\r\nThe department worked on the indictment with authorities in Ukraine, South Korea, New Zealand, Georgia, the\r\nU.K. and other governments, as well as Google, Cisco, Facebook and Twitter.\r\nAlso Monday, the U.K. said the GRU conducted cyber reconnaissance against officials and organizations involved\r\nin the 2020 Tokyo Olympics before they were postponed.\r\n“The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless,” said Foreign Secretary\r\nDominic Raab. “We condemn them in the strongest possible terms.”\r\nThe indictment is available in full at http://www.documentcloud.org/documents/7245159-2020-10-19-Unsealed-Indictment-0.html\r\nSource: https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/"
	],
	"report_names": [
		"russian-hackers-notpetya-charges-gru"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434869,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ea222bb4ab010d621f3e3df2a9bcb6e8d10d2c4.pdf",
		"text": "https://archive.orkl.eu/3ea222bb4ab010d621f3e3df2a9bcb6e8d10d2c4.txt",
		"img": "https://archive.orkl.eu/3ea222bb4ab010d621f3e3df2a9bcb6e8d10d2c4.jpg"
	}
}