{
	"id": "37fdc7d6-8592-45e6-88a9-b130ca6f3fc9",
	"created_at": "2026-04-06T02:11:41.395783Z",
	"updated_at": "2026-04-10T03:21:17.775353Z",
	"deleted_at": null,
	"sha1_hash": "f6f6c4c1d9a48d4554a6b499dbc92863d52510f7",
	"title": "U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53208,
	"plain_text": "U.S. Charges Russian GRU Officers with International Hacking\r\nand Related Influence and Disinformation Operations\r\nPublished: 2018-10-04 · Archived: 2026-04-06 01:48:54 UTC\r\nA grand jury in the Western District of Pennsylvania has indicted seven defendants, all officers in the Russian\r\nMain Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces of\r\nthe Russian Federation, for computer hacking, wire fraud, aggravated identity theft, and money laundering. \r\nAccording to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the\r\nconspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities,\r\ninternational organizations, and their respective employees located around the world, based on their strategic\r\ninterest to the Russian government.   \r\nAmong the goals of the conspiracy was to publicize stolen information as part of an influence and disinformation\r\ncampaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program\r\nand to damage the reputations of athletes around the world by falsely claiming that such athletes were using\r\nbanned or performance-enhancing drugs.\r\nThe charges were announced at a press conference by Assistant Attorney General for National Security John C.\r\nDemers, United States Attorney for the Western District of Pennsylvania Scott W. Brady, FBI Deputy Assistant\r\nDirector for Cyber Division, Eric Welling, and Director General Mark Flynn for the Royal Canadian Mounted\r\nPolice.\r\n\"State-sponsored hacking and disinformation campaigns pose serious threats to our security and to our open\r\nsociety, but the Department of Justice is defending against them,\" Attorney General Jeff Sessions said. 
\"Today we\r\nare indicting seven GRU officers for multiple felonies each, including the use of hacking to spread the personal\r\ninformation of hundreds of anti-doping officials and athletes as part of an effort to distract from Russia’s state-sponsored doping program. The defendants in this case allegedly targeted multiple Americans and American\r\nentities for hacking, from our national anti-doping agency to the Westinghouse Electric Company near Pittsburgh.\r\nWe are determined to achieve justice in these cases and we will continue to protect the American people from\r\nhackers and disinformation.\"\r\n“The investigation leading to the indictments announced today is the FBI at its best,” said FBI Director Christopher Wray. “The actions of these seven hackers, all working\r\nas officials for the Russian government, were criminal, retaliatory, and damaging to innocent victims and the\r\nUnited States’ economy, as well as to world organizations. Their actions extended beyond borders, but so did the\r\nFBI’s investigation. We worked closely with our international partners to identify the actors and disrupt their\r\ncriminal campaign - and today, we are sending this message: The FBI will not permit any government, group, or\r\nindividual to threaten our people, our country, or our partners. We will work tirelessly to find them, stop them, and\r\nbring them to justice.”\r\n“We want the hundreds of victims of these Russian hackers to know that we will do everything we can to hold\r\nthese criminals accountable for their crimes,” said U.S. Attorney Brady.  “State actors who target U.S. 
citizens and\r\ncompanies are no different than any other common criminal:  they will be investigated and prosecuted to the\r\nfullest extent of the law.”\r\nThe defendants, all Russian nationals and residents, are Aleksei Sergeyevich Morenets, 41, Evgenii Mikhaylovich\r\nSerebriakov, 37, Ivan Sergeyevich Yermakov, 32, Artem Andreyevich Malyshev, 30, and Dmitriy Sergeyevich\r\nBadin, 27, who were each assigned to Military Unit 26165, and Oleg Mikhaylovich Sotnikov, 46, and Alexey\r\nValerevich Minin, 46, who were also GRU officers. \r\nThe indictment alleges that defendants Yermakov, Malyshev, Badin, and unidentified conspirators, often using\r\nfictitious personas and proxy servers, researched victims, sent spearphishing emails, and compiled, used, and\r\nmonitored malware command and control servers. \r\nWhen the conspirators’ remote hacking efforts failed to capture log-in credentials, or if the accounts that were\r\nsuccessfully compromised did not have the necessary access privileges for the sought-after information, teams of\r\nGRU technical intelligence officers, including Morenets, Serebriakov, Sotnikov, and Minin, traveled to locations\r\naround the world where targets were physically located.  Using specialized equipment, and with the remote\r\nsupport of conspirators in Russia, including Yermakov, these close access teams hacked computer networks used\r\nby victim organizations or their personnel through Wi-Fi connections, including hotel Wi-Fi networks.  
After a\r\nsuccessful hacking operation, the close access team transferred such access to conspirators in Russia for\r\nexploitation.\r\nAmong other instances, the indictment alleges that following a series of high-profile independent investigations\r\nstarting in 2015, which publicly exposed Russia’s systematic state-sponsored subversion of the drug testing\r\nprocesses prior to, during, and subsequent to the 2014 Sochi Winter Olympics (according to one report, known as\r\nthe “McLaren Report”), the conspirators began targeting systems used by international anti-doping organizations\r\nand officials.  After compromising those systems, the defendants stole credentials, medical records, and other data,\r\nincluding information regarding therapeutic use exemptions (TUEs), which allow athletes to use otherwise\r\nprohibited substances.\r\nUsing social media accounts and other infrastructure acquired and maintained by GRU Unit 74455 in Russia, the\r\nconspiracy thereafter publicly released selected items of stolen information, in many cases in a manner that did not\r\naccurately reflect their original form, under the false auspices of a hacktivist group calling itself the “Fancy Bears’\r\nHack Team.”  As part of its influence and disinformation efforts, the Fancy Bears’ Hack Team engaged in a\r\nconcerted effort to draw media attention to the leaks through a proactive outreach campaign.  The conspirators\r\nexchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the\r\nexposure and effect of their message. \r\nEach defendant is charged with one count of conspiracy to commit computer fraud and abuse, which carries a\r\nmaximum sentence of five years in prison, one count each of conspiracy to commit wire fraud and conspiracy to\r\ncommit money laundering, both of which carry a maximum sentence of 20 years.  
Defendants Morenets,\r\nSerebriakov, Yermakov, Malyshev, and Badin are each also charged with two counts of aggravated identity theft,\r\nwhich carries a consecutive sentence of two years in prison.  Defendant Yermakov is also charged with five counts\r\nof wire fraud, which carries a maximum sentence of 20 years.\r\nDefendants Yermakov, Malyshev, and Badin are also charged defendants in federal indictment number CR 18-215\r\nin the District of Columbia, and accused of conspiring to gain unauthorized access into the computers of U.S.\r\npersons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and\r\nstage releases of the stolen documents to interfere with the 2016 U.S. presidential election.\r\nAccording to the indictment:\r\nContext of the Hacking and Related Influence and Disinformation Efforts\r\nIn July 2016, the World Anti-Doping Agency’s (WADA) Independent Person Report (the “First McLaren Report”)\r\nwas released, describing Russia’s systematic state-sponsored subversion of the drug testing process prior to,\r\nduring, and subsequent to the 2014 Sochi Winter Olympics.  This investigation had the support of advocates for\r\nclean sports, including the United States Anti-Doping Agency (USADA) and the Canadian Centre for Ethics in Sport\r\n(CCES, Canada’s anti-doping agency). Eventually, in some instances only after arbitration rulings by the\r\nInternational Court of Arbitration for Sport (TAS/CAS), approximately 111 Russian athletes were excluded from\r\nthe 2016 Summer Olympic Games, in Rio de Janeiro, Brazil, by a number of international athletics federations,\r\nincluding track-and-field’s International Association of Athletics Federations (IAAF).  
The International\r\nParalympic Committee (IPC) further imposed a blanket ban of Russian athletes from the 2016 Paralympic Games,\r\nwhich were also held in Rio.\r\nIntrusion Activities in Rio de Janeiro, Brazil\r\nDays after the release of the First McLaren Report and the International Olympic Committee’s and IPC’s\r\nsubsequent decisions regarding the exclusion of Russian athletes, the conspirators prepared to hack into the\r\nnetworks of WADA, the United States Anti-Doping Agency (USADA), and TAS/CAS.  The conspirators,\r\nincluding specifically defendants Yermakov and Malyshev, procured spoofed domains (which mimicked\r\nlegitimate WADA and TAS/CAS domains) and other infrastructure, probed such entities’ networks, and\r\nspearphished WADA and USADA employees.  Although Yermakov and Malyshev are both alleged to have\r\nprepared to send spearphishing e-mails to TAS/CAS, the indictment does not allege that organization was\r\ncompromised.\r\nLikely as a result of the conspirators’ failure to capture necessary log-in credentials, or because those victim\r\naccounts that were successfully compromised did not have the necessary access privileges for the sought-after\r\ninformation, defendants Morenets and Serebriakov, in at least one instance with the remote support of Yermakov,\r\ndeployed to Rio to conduct hacking operations targeting and maintaining persistent access to Wi-Fi networks used\r\nby anti-doping officials.  As a result of these efforts, in August 2016, the conspirators captured that IOC official’s\r\ncredentials and thereafter used them, and another set of credentials belonging to the same official, to gain\r\nunauthorized access to an account in WADA’s ADAMS database and medical and anti-doping related information\r\ncontained therein. (The broader ADAMS database was not compromised in the intrusion.) 
\r\nAlso in 2016, a senior USADA anti-doping official traveled to Rio de Janeiro for the Olympics and Paralympic\r\ngames.  While there, the USADA official used Wi-Fi at the hotel and other Wi-Fi access points in Rio to remotely\r\naccess USADA’s computer systems and conduct official business.  While the USADA official was in Rio,\r\nconspirators successfully compromised the credentials for his or her USADA email account, which included\r\nsummaries of athlete test results and prescribed medications.\r\nIntrusion Activities in Lausanne, Switzerland\r\nIn mid-September 2016, WADA hosted an anti-doping conference in Lausanne, Switzerland.  On September 18,\r\n2016, defendants Morenets and Serebriakov traveled to Lausanne with equipment used in close access Wi-Fi\r\ncompromises.  On or about September 19, 2016, Morenets and Serebriakov compromised the Wi-Fi network of a\r\nhotel hosting the conference and leveraged that access to compromise the laptop and credentials of a senior CCES\r\nofficial staying at the hotel. Other conspirators thereafter used the stolen credentials to compromise CCES’s\r\nnetworks in Canada, using a tool used to extract hashed passwords, the metadata of which indicated it was\r\ncompiled by Badin.\r\nIntrusion Targeting Anti-Doping Officials at Sporting Federations\r\nIn December 2016 and January 2017, conspirators successfully compromised the networks of IAAF and the\r\nFédération Internationale de Football Association (“FIFA”) and targeted computers and accounts used by each\r\norganization’s top anti-doping official.  
Among the data stolen from such officials were keylogs, file directories,\r\nanti-doping policies and strategies, lab results, medical reports, contracts with doctors and medical testing labs,\r\ninformation about medical testing procedures, and TUEs.\r\nRelated GRU Influence and Disinformation Operations\r\nOn September 12, 2016, shortly after the compromise of the IOC official’s ADAMS credentials, but before the\r\ncompromise of USADA’s and CCES’s networks, conspirators claiming to be the hacktivist group Fancy Bears’\r\nHack Team used online accounts and other infrastructure procured and managed by Unit 74455, as well as the\r\nwebsite fancybears.net, to publicly release TUEs, other medical information, and emails stolen from anti-doping\r\nofficials at WADA, USADA, CCES, IAAF, FIFA, and approximately 35 other anti-doping agencies or sporting\r\norganizations.  In some instances, the WADA documents were modified from their original form.  Ultimately, the\r\nFancy Bears’ Hack Team released stolen information that included private or medical information of\r\napproximately 250 athletes from almost 30 countries.\r\nThe conspirators’ release of the stolen information was, in some instances, accompanied by posts and other\r\ncommunications that parroted or supported themes that the Russian government had used in its official narrative\r\nregarding the anti-doping agencies’ investigative findings.  From 2016 through 2018, the conspirators engaged in\r\na proactive outreach campaign, using Twitter and e-mail to communicate with approximately 186 reporters about\r\nthe stolen information.  
After articles were published, conspirators used the Fancy Bears’ Hack Team social media\r\naccounts to draw attention to the articles in an attempt to amplify the exposure and effect of their message.\r\nOther Targets of the Conspiracy\r\nThe conspiracy is also alleged to have targeted other entities in the Western District of Pennsylvania and abroad\r\nthat were of interest to the Russian government.  For example, as early as November 20, 2014, Yermakov\r\nperformed reconnaissance of Westinghouse Electric Company’s (WEC) networks and personnel.  In the following\r\nmonths, Yermakov and conspirators created a fake WEC domain and sent spearphishing emails to WEC\r\nemployees’ work and personal email accounts, which were designed to harvest the employees’ log-in credentials.\r\nMore recently, in April 2018, Morenets, Serebriakov, Sotnikov, and Minin, all using diplomatic passports, traveled\r\nto The Hague in the Netherlands in furtherance of another close access operation targeting the Organisation for the\r\nProhibition of Chemical Weapons (OPCW) computer networks through Wi-Fi connections.  All four GRU officers\r\nintended to travel thereafter to Spiez, Switzerland, to target the Spiez Swiss Chemical Laboratory, an accredited\r\nlaboratory of the OPCW which was analyzing military chemical agents, including the chemical agent that the\r\nUnited Kingdom authorities connected to the poisoning of a former GRU officer in that country.  However,\r\nMorenets, Serebriakov, Sotnikov, and Minin were disrupted during their OPCW hacking operation by the Militaire\r\nInlichtingen- en Veiligheidsdienst (MIVD), the Dutch defense intelligence service.  As part of this disruption,\r\nMorenets and Serebriakov abandoned the Wi-Fi compromise equipment, which they had placed in the trunk of a\r\nrental car parked adjacent to the OPCW property.  
Data obtained from at least one item of this equipment\r\nconfirmed its operational use at multiple locations around the world, including connections to the Wi-Fi network\r\nof the CCES official’s hotel in Switzerland (the dates the conspirators conducted the Wi-Fi compromise of the\r\nsenior CCES official’s laptop at the same hotel), and at another hotel in Kuala Lumpur, Malaysia in December\r\n2017.\r\n\r\nSource: https://www.justice.gov/archives/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.justice.gov/archives/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and"
	],
	"report_names": [
		"us-charges-russian-gru-officers-international-hacking-and-related-influence-and"
	],
	"threat_actors": [],
	"ts_created_at": 1775441501,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6f6c4c1d9a48d4554a6b499dbc92863d52510f7.pdf",
		"text": "https://archive.orkl.eu/f6f6c4c1d9a48d4554a6b499dbc92863d52510f7.txt",
		"img": "https://archive.orkl.eu/f6f6c4c1d9a48d4554a6b499dbc92863d52510f7.jpg"
	}
}