US offers $10 million reward for tips on Russian Sandworm hackers

ByMabel R. Acton

Apr 27, 2022 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

SandWorm

The U.S. is offering up to $10 million to identify or locate six Russian GRU hackers who are part of the notorious Sandworm hacking group.

This bounty is being offered as part of the Department of State’s Rewards for Justice program, which rewards informants for information leading to identifying or locating foreign government threat actors who conduct malicious cyber operations against U.S. critical infrastructure.

Today, the U.S. Department of State announced that they are seeking information on six Russian officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) for their alleged role in malicious cyberattacks against U.S. critical infrastructure.

“GRU officers Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин) were members of a conspiracy that deployed destructive malware and took other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers,” the Department of State announced today.

Rewards of Justice seeking tips on alleged SandWorm hackers
Rewards of Justice seeking tips on alleged Sandworm hackers

In 2020, the Department of Justice indicted all six individuals for being part of the elite Russian hacking group known as Sandworm (also known as Team, Telebots, Voodoo Bear, and Iron Viking).

All six individuals were charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.

Hacking activities associated with the Sandworm group include:

  • Destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments before the 2017 French elections;
  • The 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • A 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.
  • The creation of the Cyclops Blink botnet using a vulnerability in WatchGuard Firebox devices. The U.S. government disabled this botnet before the threat actors used the malware to conduct attacks.
  • April 2022 attacks on a large Ukrainian energy provider with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.

The Rewards of Justice has set up a Tor site at he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion that can be used to submit tips about these threat actors anonymously, and others.

The Rewards of Justice is looking for information on other threat actors, including REvil ransomware, DarkSide ransomware,  North Korean cybercrime threat actors, and nation-state hackers targeting U.S. businesses and critical infrastructure sectors.