{
	"id": "d26902c2-0674-4b6d-a05f-d49b44886c30",
	"created_at": "2026-04-06T15:53:02.33847Z",
	"updated_at": "2026-04-10T03:37:09.174282Z",
	"deleted_at": null,
	"sha1_hash": "a069c9f2bb90c29ca92743f5108f3a0a3ec3f648",
	"title": "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55516,
	"plain_text": "Six Russian GRU Officers Charged in Connection with Worldwide\r\nDeployment of Destructive Malware and Other Disruptive Actions\r\nin Cyberspace\r\nPublished: 2020-10-19 · Archived: 2026-04-06 15:27:15 UTC\r\nOn Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of\r\nwhom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian\r\nMain Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. \r\nThese GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support\r\nRussian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3)\r\nelections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok,\r\non foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from\r\nparticipating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. \r\nTheir computer attacks used some of the world’s most destructive malware to date, including: KillDisk and\r\nIndustroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the\r\nthree victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers\r\nused to support the 2018 PyeongChang Winter Olympics.  
The indictment charges the defendants with conspiracy,\r\ncomputer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.\r\nAccording to the indictment, beginning in or around November 2015 and continuing until at least in or around\r\nOctober 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive\r\nactions, for the strategic benefit of Russia, through unauthorized access  to victim computers (hacking).  As\r\nalleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing\r\ncomputer intrusions and attacks:\r\nUkrainian Government \u0026 Critical Infrastructure: December 2015 through December 2016 destructive\r\nmalware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service,\r\nusing malware known as BlackEnergy, Industroyer, and KillDisk;\r\nFrench Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts\r\ntargeting French President Macron’s “La République En Marche!” (En Marche!) political party, French\r\npoliticians, and local French governments prior to the 2017 French elections;\r\nWorldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware\r\nattacks that infected computers worldwide using malware known as NotPetya, including hospitals and\r\nother medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of\r\nPennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. 
pharmaceutical\r\nmanufacturer, which together suffered nearly $1 billion in losses from the attacks;\r\nPyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through\r\nFebruary 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens\r\nhttps://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and\r\nPage 1 of 5\n\nand officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC)\r\nofficials;\r\nPyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February\r\n2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which\r\nculminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware\r\nknown as Olympic Destroyer;\r\nNovichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the\r\nOrganisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence\r\nScience and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter,\r\nand several U.K. citizens; and\r\nGeorgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media\r\ncompany, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement\r\ncampaign in 2019.\r\nCybersecurity researchers have tracked the Conspirators and their malicious activity using the labels “Sandworm\r\nTeam,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”\r\nThe charges were announced by Assistant Attorney General John C. Demers; FBI Deputy Director David\r\nBowdich; U.S. Attorney for the Western District of Pennsylvania Scott W. Brady; and Special Agents in Charge of\r\nthe FBI’s Atlanta, Oklahoma City, and Pittsburgh Field Offices, J.C. “Chris” Hacker, Melissa R. Godbold, and\r\nMichael A. 
Christman, respectively.\r\n“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing\r\nunprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney\r\nGeneral for National Security John C. Demers.  “Today the department has charged these Russian officers with\r\nconducting the most disruptive and destructive series of computer attacks ever attributed to a single group,\r\nincluding by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.”\r\n“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in\r\nthis indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy\r\nDirector David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to\r\ninvestigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on\r\nthem.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”\r\n“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a\r\nglobal campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said U.S. Attorney Scott W. Brady for the Western District of Pennsylvania.  “The crimes\r\ncommitted by Russian government officials were against real victims who suffered real harm.  
We have an\r\nobligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom\r\nthey work – in order to seek justice on behalf of these victims.” \r\n“The exceptional talent and dedication of our teams in Pittsburgh, Atlanta and Oklahoma City who spent years\r\ntracking these members of the GRU is unmatched,” said FBI Pittsburgh Special Agent in Charge Michael A.\r\nChristman.  “These criminals underestimated the power of shared intelligence, resources and expertise through\r\nlaw enforcement, private sector and international partnerships.”\r\nThe defendants, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), 32; Sergey Vladimirovich\r\nDetistov (Сергей Владимирович Детистов), 35; Pavel Valeryevich Frolov (Павел Валерьевич Фролов), 28;\r\nAnatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), 29; Artem Valeryevich Ochichenko (Артем\r\nВалерьевич Очиченко), 27; and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), 32, are all charged in\r\nseven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud,\r\ndamaging protected computers, and aggravated identity theft.  Each defendant is charged in every count.  
The\r\ncharges contained in the indictment are merely accusations, however, and the defendants are presumed innocent\r\nunless and until proven guilty beyond a reasonable doubt.\r\nThe indictment accuses each defendant of committing the following overt acts in furtherance of the charged\r\ncrimes:\r\nDefendant Summary of Overt Acts\r\nYuriy Sergeyevich\r\nAndrienko\r\n·      Developed components of the NotPetya and Olympic Destroyer malware.\r\nSergey Vladimirovich\r\nDetistov\r\n·      Developed components of the NotPetya malware; and\r\n·      Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter\r\nOlympic Games. \r\nPavel Valeryevich\r\nFrolov\r\n·       Developed components of the KillDisk and NotPetya malware.\r\nAnatoliy Sergeyevich\r\nKovalev\r\n·       Developed spearphishing techniques and messages used to target:\r\n-       En Marche! officials;\r\n-       employees of the DSTL;\r\n-       members of the IOC and Olympic athletes; and\r\n-       employees of a Georgian media entity.\r\nArtem Valeryevich\r\nOchichenko\r\n·       Participated in spearphishing campaigns targeting 2018 PyeongChang Winter\r\nOlympic Games partners; and\r\n·       Conducted technical reconnaissance of the Parliament of Georgia official\r\ndomain and attempted to gain unauthorized access to its network.\r\nPetr Nikolayevich\r\nPliskin\r\n·       Developed components of the NotPetya and Olympic Destroyer malware. \r\nThe defendants and their co-conspirators caused damage and disruption to computer networks worldwide,\r\nincluding in France, Georgia, the Netherlands, Republic of Korea, Ukraine, the United Kingdom, and the United\r\nStates. \r\nThe NotPetya malware, for example, spread worldwide, damaged computers used in critical infrastructure, and\r\ncaused enormous financial losses.  
Those losses were only part of the harm, however.  For example, the NotPetya\r\nmalware impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of\r\nPennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities.  The attack caused the\r\nunavailability of patient lists, patient history, physical examination files, and laboratory records.  Heritage Valley\r\nlost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine,\r\nradiology, and surgery) for approximately one week and administrative computer systems for almost one month,\r\nthereby causing a threat to public health and safety.\r\nThe conspiracy to commit computer fraud and abuse carries a maximum sentence of five years in prison;\r\nconspiracy to commit wire fraud carries a maximum sentence of 20 years in prison; the two counts of wire fraud\r\ncarry a maximum sentence of 20 years in prison; intentional damage to a protected computer carries a maximum\r\nsentence of 10 years in prison; and the two counts of aggravated identity theft carry a mandatory sentence of two\r\nyears in prison.  The indictment also alleges false registration of domain names, which would increase the\r\nmaximum sentence of imprisonment for wire fraud to 27 years in prison; the maximum sentence of imprisonment\r\nfor intentional damage to a protected computer to 17 years in prison; and the mandatory sentence of imprisonment\r\nfor aggravated identity theft to four years in prison.  These maximum potential sentences are prescribed by\r\nCongress, however, and are provided here for informational purposes only, as the assigned judge will determine\r\nany sentence of a defendant.\r\nDefendant Kovalev was previously charged in federal indictment number CR 18-215, in the District of Columbia,\r\nwith conspiring to gain unauthorized access into the computers of U.S. 
persons and entities involved in the\r\nadministration of the 2016 U.S. elections.\r\nTrial Attorney Heather Alpino and Deputy Chief Sean Newell of the National Security Division’s\r\nCounterintelligence and Export Control Section and Assistant U.S. Attorneys Charles Eberle and Jessica Smolar\r\nof the U.S. Attorney’s Office for the Western District of Pennsylvania are prosecuting this case.  The FBI’s\r\nAtlanta, Oklahoma City, and Pittsburgh field offices conducted the investigation, with the assistance of the FBI’s\r\nCyber Division.\r\nThe Criminal Division’s Office of International Affairs provided critical assistance in this case.  The department\r\nalso appreciates the significant cooperation and assistance provided by Ukrainian authorities, the Governments of\r\nthe Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, as\r\nwell as many of the FBI’s Legal Attachés and other foreign authorities around the world.  Numerous victims\r\ncooperated and provided valuable assistance in the investigation.\r\nThe department is also grateful to Google, including its Threat Analysis Group (TAG); Cisco, including its Talos\r\nIntelligence Group; Facebook; and Twitter, for the assistance they provided in this investigation.  Some private\r\nsector companies independently disabled numerous accounts for violations of the companies’ terms of service.\r\nSource: https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and"
	],
	"report_names": [
		"six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775490782,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a069c9f2bb90c29ca92743f5108f3a0a3ec3f648.pdf",
		"text": "https://archive.orkl.eu/a069c9f2bb90c29ca92743f5108f3a0a3ec3f648.txt",
		"img": "https://archive.orkl.eu/a069c9f2bb90c29ca92743f5108f3a0a3ec3f648.jpg"
	}
}