{
	"id": "46dac15e-2056-45e5-b763-7f39c9648e50",
	"created_at": "2026-04-06T00:22:32.056443Z",
	"updated_at": "2026-04-10T03:35:59.519616Z",
	"deleted_at": null,
	"sha1_hash": "cffee170ab6b5832dfcca7b8e8d3f90cb2449a22",
	"title": "What Is the Point of These Nation-State Indictments?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61419,
	"plain_text": "What Is the Point of These Nation-State Indictments?\r\nBy Joel Brenner\r\nArchived: 2026-04-05 14:35:22 UTC\r\nWhen the U.S. Department of Justice unsealed the indictment in 2020 that charged six military intelligence\r\nofficers in Russia’s GRU with some of the most infamous cyber crimes on record, it did so with great fanfare.\r\nLeading off the 30-minute press conference in Washington on Oct. 19, John Demers, the assistant attorney general\r\nfor national security, called the crimes “the most disruptive and destructive series of computer attacks ever\r\nattributed to a single group.” Demers wasn’t being hyperbolic. NotPetya, the most notorious attack engineered by\r\nthis group, known as Sandworm, victimized dozens of companies and millions of people and caused an estimated\r\n$10 billion in damages.\r\nThe indictment received mixed reviews. Writing in Lawfare, Harvard law professor (and Lawfare co-founder)\r\nJack Goldsmith was highly critical of both the document and the timing, noting that the rollout occurred just two\r\nweeks before the presidential election. “What is the point?” Goldsmith asked before answering his own question.\r\n“In a word: attribution.” He noted that government officials had asserted that the indictment was a warning to\r\nwould-be hackers that the government can gather undeniable evidence proving the attack, and it highlighted the\r\ngovernment’s ability to identify the perpetrators.\r\nGoldsmith was not impressed. “This warning and highlight are not news,” he continued, “at least not to the\r\nsponsors of the attacks. The United States has for six years been playing up its extraordinary intelligence capacity\r\nto attribute malicious cyber operations. 
And for six years the attacks have grown worse.” (He wrote this two\r\nmonths before Russia’s SolarWinds hack made even bigger headlines, raising the most serious questions yet about\r\nthe country’s capacity to sniff out cyber threats.)\r\nGoldsmith couldn’t understand why Demers and the others who took their turns at the podium were congratulating\r\nthemselves. “None of my criticism is meant to minimize the horror of the Russian actions,” he emphasized. “But\r\nnaming and shaming is not much accountability. And trumpeting that fact is puzzling.” Especially right before the\r\npresidential election, when the government should be assuring citizens that voting will be safe and secure. Instead,\r\nGoldsmith suggested, the recitation of these crimes could well have the opposite effect.\r\nMany viewers of the press conference may have come away reassured by the “gotcha” speech they heard from\r\nDemers. But Goldsmith had a point. Putting aside the timing of the announcement, it does seem worth asking the\r\ndeeper question. What are these indictments accomplishing? The United States does not have an extradition treaty\r\nwith Russia. And these guys from the GRU are not exactly going to bring their families to Disney World; if they\r\ndid, they’d find themselves in handcuffs long before they made it to Space Mountain.\r\nWhen you look at the tangible results of these nation-state indictments, it’s hard to see a lot of wins. None of the\r\nmen whose names and photographs have graced their pages has landed in prison. Or even faced trial. That’s a lot\r\nof time and money spent for words in a legal document.\r\nhttps://www.lawfareblog.com/what-point-these-nation-state-indictments\r\nPage 1 of 5\n\nBut amid all of the doubts, the nation-state hacking indictments have achieved real progress. Investigators have\r\nuncovered a great deal of information about this netherworld. 
They have learned how to build cases, and how to\r\ncooperate with their counterparts in far-flung locations. Countries that have seen enough of these crimes have\r\nworked together to find common solutions. Some of these collaborations have surprised even the participants—\r\nand might surprise their critics, if they were better known.\r\nThere were similar doubts when the Justice Department rolled out the first of these indictments six years ago. The\r\nfocus then was China, and the alleged crime was economic espionage. There had been years of complaints about\r\nthis sort of thing. But back then, it was left to security companies like Mandiant (now part of FireEye) to present\r\nevidence of cyber crimes and attribute them publicly (which Mandiant did in China’s case in 2013). Before the\r\nJustice Department decided to pursue an indictment against five members of the People’s Liberation Army (PLA),\r\nPresident Obama’s cautious nature seemed to align with the widely perceived futility of attempting legal action\r\nagainst agents of the Chinese government. But behind the scenes, under pressure from the many U.S. companies\r\nthat claimed they’d been victimized by Chinese attacks, government officials were confronting their counterparts\r\nin China with evidence of crimes. And they were drawing a distinction between spying, which they acknowledged\r\nthat all nations do, and theft. When the evidence they presented to China was repeatedly rejected out of hand, the\r\nadministration finally decided to act.\r\nThe indictment was signed by David Hickton, then-U.S. attorney for the Western District of Pennsylvania, who\r\nspearheaded the initiative. The FBI’s Pittsburgh field office had gathered highly detailed evidence that PLA\r\nofficers had stolen proprietary information from, among others, U.S. Steel and the nuclear power firm\r\nWestinghouse. Hickton took it to a grand jury and obtained a sealed indictment. 
After months of back and forth\r\nbetween Justice and the State Department, which opposed legal action against the PLA, the indictment was finally\r\nunsealed in May 2014.\r\nAt the time, Goldsmith wrote a measured response. He had reservations. Everyone seemed to have some.\r\nCommentary and news articles alike acknowledged the obvious: There was virtually no chance anyone would ever\r\nbe tried on these charges. But Goldsmith did not dismiss the indictments as political theater. “Until yesterday,”\r\nGoldsmith wrote, “the [U.S. government] complaints against China’s cyber-snooping were nothing but talk.…But\r\nyesterday’s step clearly (and predictably, and thus purposefully) offended the Chinese in a way that prior talk did\r\nnot, and to that extent it shows that the [U.S. government] is somewhat more serious about this issue, and might\r\nretaliate further regardless of the costs to itself.” A Wall Street Journal editorial was less charitable. “The U.S.\r\nshould respond with its own cyber battle plan that attacks Chinese targets and forces China to play defense rather\r\nthan devote all of its resources to hacking U.S. targets.” The editorial concluded: “We can say with certainty that\r\nan indictment of five junior PLA hackers will be no deterrent at all.”\r\nAs it turned out, the editorial was wrong. The indictment may not have accomplished a great deal by itself, but it\r\nwas part of a strategy the Obama administration used to pressure China to change course. And change it did. As\r\nNew York Times reporter David Sanger wrote in his book “The Perfect Weapon,” China replied by insisting that\r\nthe indictment contained “fabricated facts,” a pretty flimsy response. 
Then-Attorney General Eric Holder’s\r\nrejoinder, according to Sanger, was: “If we fabricated all of this, then come over to Pittsburgh and embarrass us by\r\nforcing us to put up or shut up, and we’ll put up.” The leverage that the administration needed to press its case was\r\nPresident Xi Jinping’s first state visit to Washington in September 2015. Obama’s team was threatening to impose\r\nsanctions on China for cyberattacks, including the PLA’s. Xi was determined to avoid anything that would\r\nblemish his visit. On the eve of his trip, Xi sent an advance delegation to Washington to negotiate. Before China’s\r\npresident returned home, he and Obama announced an agreement that their governments would not, in Obama’s\r\nwords, “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other\r\nconfidential business information for commercial advantage.” And two months later, leaders of the G-20 all\r\ncommitted to abide by the same agreement.\r\nSo, was the PLA indictment a game-changer? Not exactly. There was no way to enforce it. And it didn’t end\r\nChina’s hacking. Yet the Justice Department continued issuing these indictments and expanded the targets to\r\ninclude members of Iran’s Islamic Revolutionary Guard Corps, for its alleged role in a series of distributed denial-of-service attacks on U.S. financial institutions, and North Korean computer programmer Park Jin Hyok, for his\r\nalleged involvement in a host of attacks, including those on Sony Pictures Entertainment after the studio released\r\n“The Interview.” And before the latest GRU indictment, Special Counsel Robert Mueller indicted a dozen\r\nmembers of that organization in 2018 for attacks that sought to influence the 2016 presidential election. 
Some of\r\nthese indictments were accompanied by sanctions, but from the look of things, none has matched the success of\r\nthe first.\r\nSo why expend the resources? Because these indictments have accomplished things that shouldn’t be taken for\r\ngranted. They may not be dramatic, but they’re foundational. Attributing an attack is the first step in holding a\r\nnation-state accountable—if nowhere else, then in the court of public opinion. For too long the U.S. government\r\npreferred to remain mum after a cyberattack, which suggested it was too ashamed to acknowledge the attack, too\r\nbaffled to identify the source or too afraid to attribute it. Laying out the evidence shifts the blame from victim to\r\nperpetrator. It paves the way for sanctions. And it gives the world a close look at the dangers in a legally rigorous\r\nform that cannot easily be dismissed as “fabricated facts.”\r\nIf anything, this seems more important today than it did in 2014. The past four years have been a time of\r\n“alternative facts.” A large segment of the U.S. population still believes arguments about last year’s election that\r\nwere thrown out of scores of courts for lack of evidence—any evidence. It’s never been more important to support\r\nthe rule of law. And if there was ever a time when the U.S. had reason to hold Russia to account—after what\r\namounts to a four-year pass—this is it. That’s one reason the Sandworm indictment was surprising and\r\nnoteworthy. Like the first indictment brought against China, this one also came from the U.S. attorney in\r\nPittsburgh—this time, Republican appointee Scott Brady. It focused on a broad range of attacks that began in 2015\r\nand extended into 2019. They included some in the Western District of Pennsylvania, but a big difference from\r\nprevious indictments is that nearly all of them occurred far from U.S. 
shores.\r\nWriting in Slate after the unsealing of the Sandworm indictment, Josephine Wolff was surprised at “the U.S.\r\nwillingness to use the full force of its own legal system to censure Russia for these attacks on non-U.S. targets.” A\r\nprofessor at Tufts University’s Fletcher School of Law and Diplomacy, Wolff saw this indictment as “a signal not\r\njust to Russia but also to the rest of the world that the U.S. government regards online attacks on Ukrainian\r\ninfrastructure, South Korean events, French politicians, Georgian media outlets, and U.K. government ministries\r\nas deserving of the same response as attacks on U.S. companies and elections.”\r\nLike the PLA indictment, this one was part of a strategy. It was preceded by a monthslong effort to build a\r\ncoalition of countries to call out Russia. That initiative achieved liftoff in February 2020, when the U.S. and the\r\nother “Five Eyes” countries, along with most of the EU, publicly attributed Russia’s alleged attacks on the country\r\nof Georgia. At the time, the effort was praised for the show of solidarity, and there were calls for more collective\r\naction of this kind. But it was also criticized for the absence of hard evidence—another indication that indictments\r\nare important. That evidence, by the way, was delivered eight months later in the Sandworm indictment, which\r\nadded considerable heft to the package. It wasn’t simply another example of the U.S. acting unilaterally to make\r\nsome sort of statement. Instead of one voice, there was a chorus. And a chorus of voices naming and shaming has\r\na greater chance of deterring bad behavior than naming and shaming delivered by a soloist.\r\nThere’s another piece of the equation. Some cyber criminals in Eastern Europe work in both the public and private\r\nsectors. They are players in organized crime. 
And their private work sometimes bleeds into hacking they do for\r\nnation-states—specifically Russia. And sometimes their criminal infrastructures are used by both of these\r\nenterprises. An early example popped up in an indictment unsealed a week after that 2014 PLA indictment. This\r\none involved a Russian named Evgeniy Bogachev, who in many respects was way ahead of his time. He was\r\noperating what was known as the GameOver Zeus Botnet, a global network of an estimated 1 million computers\r\ninfected with malware. Bogachev and his cronies used this vast infrastructure to steal companies’ banking\r\ncredentials and wire themselves money from company bank accounts. They employed citizens who were not\r\nconnected to their gang to be money mules tasked (some unwittingly) with laundering the stolen funds. He also\r\nlaunched ransomware attacks years before they were a runaway hit with criminals. At the time of the indictment,\r\nBogachev and his confederates were believed to have stolen more than $100 million.\r\nHe’s never been caught. He doesn’t seem to stray from Russia. His victims are mostly companies from the West.\r\nAnd he’s found ways to spy for his country, which undoubtedly adds to his patina of untouchability. But if\r\nBogachev was beyond the reach of the law, his criminal infrastructure was not. The triumph of this case wasn’t\r\nthat an indictment was unsealed. It was that law enforcement was able to take down his giant botnet. How? Just as\r\nthe criminals were able to wreak havoc through an international confederation, law enforcement succeeded by\r\nmarshalling their own international gang. The press release celebrating the takedown credited the work of officers\r\nin no fewer than a dozen countries.\r\nPaul Rosenzweig wrote about the case in Lawfare. Rosenzweig was impressed by the broad cooperation—most\r\nsurprisingly Ukraine’s. 
Authorities there seized servers in contested territory: “a remarkable commitment from an\r\nunstable government,” Rosenzweig wrote. “As with the Chinese indictment [from the previous week], this case\r\nwas brought in Pittsburgh,” he noted, “which is an odd location to choose. Apparently, the office is developing an\r\nexpertise in cyber crime.” He concluded by complimenting “an effective use of law enforcement” and an\r\n“aggressive use of criminal law” that together signaled “that the U.S. is willing to take steps in defending its\r\nnetworks that it has heretofore been a bit reluctant to take.”\r\nEqually remarkable, in 2016 the U.S. attorney’s office in Pittsburgh obtained a sealed indictment that alleged a\r\nBulgarian man was part of a gang that bore some resemblance to Bogachev’s. Its victims were small- to medium-size businesses in the U.S. and Western Europe. The Bulgarian was arrested because he was the only one of the\r\ngroup who lived in a country that had an extradition treaty with the United States, and he was promptly sent to\r\nPittsburgh. One of the men was based in Ukraine, where he ran a “bulletproof” hosting service called Avalanche,\r\nwhich registered malicious domains for cyber criminals and hosted their executable malware files on its servers.\r\nThe investigation of this criminal enterprise continued until 2019, when the U.S. attorney’s office unsealed an\r\nindictment that charged 10 men with a conspiracy to steal funds using Avalanche and GozNym malware. None of\r\nthe men worked directly for a nation-state (as far as could be learned), but five of them were in Russia. The others\r\nwere in Ukraine, Georgia and Moldova. It looked like just another name-and-shame indictment. That familiar\r\nquestion surfaced again: What was the point?\r\nBut the prosecutors and FBI agents in Pittsburgh were not willing to let it go. 
They flew to The Hague to meet\r\nwith their counterparts from countries where victim companies were located and where the gang members were\r\nbased (except Russia). And they agreed to work together to bring as many of the criminals to justice as they could\r\n—no matter where that was and no matter who received credit. Germany was a major player. Europol and\r\nEurojust were deeply involved. The five in Russia were beyond their grasp. But much to the surprise of the many\r\nnaysayers, the others were not. Three, including the ringleader, were arrested in Georgia. One of the FBI agents in\r\nPittsburgh, who helped work the case, testified during the Georgian trial by video linkup. All three were convicted,\r\nand the ringleader was sentenced to seven years in prison. The Avalanche administrator was arrested in Ukraine.\r\nHe escaped, only to be rearrested. Then a judge inexplicably released him pending trial, and he disappeared. The\r\nBulgarian pleaded guilty in Pittsburgh and was sentenced to time served (about three years).\r\nDid these cases transform the landscape? Hardly. There’s no shortage of cyber criminals in Eastern Europe. The\r\ndownfall of Avalanche and the conviction of four men didn’t put a dent in their ranks. But it was an important\r\nstep. The Sandworm indictment in October that focused on global attacks was impressive. But putting in the time\r\nand effort to develop evidence and relationships with cops and prosecutors far away—and trusting that they would\r\nsucceed, while knowing that they would get the credit if they did—was no small thing. It’s how you build teams.\r\nIt’s how you support the rule of law in places that have less experience with it.\r\nMaybe it’s time to stop asking that question about indictments. Here’s the bottom line. 
If there’s ever going to be a\r\nreal chance in the legal realm to make a dent on cyberattacks—whether the perpetrators are nation-states,\r\norganized gangs or individuals—the good guys will have to show they know how to collaborate at least as well as\r\nthe bad guys. Some of them seem to have gotten that message.\r\nSource: https://www.lawfareblog.com/what-point-these-nation-state-indictments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.lawfareblog.com/what-point-these-nation-state-indictments"
	],
	"report_names": [
		"what-point-these-nation-state-indictments"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cffee170ab6b5832dfcca7b8e8d3f90cb2449a22.pdf",
		"text": "https://archive.orkl.eu/cffee170ab6b5832dfcca7b8e8d3f90cb2449a22.txt",
		"img": "https://archive.orkl.eu/cffee170ab6b5832dfcca7b8e8d3f90cb2449a22.jpg"
	}
}