Five Russian GRU Officers And One Civilian Charged For Conspiring To Hack Ukrainian Government

Press Release

Defendants Are Alleged to Have Committed the Cyber Hack in Advance of Russia's Invasion of Ukraine; Also Targeted Twenty-Six NATO Countries; Indictment Part of International Coordinated Effort OPERATION TOY SOLDIER

Note: Concurrent with the return of the indictment, the U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information on any of the defendants' locations or their malicious cyberactivity. Anyone possessing such information should contact Rewards for Justice here.

Greenbelt,Maryland - In an indictment unsealed today, a grand jury in Maryland charged six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia), with conspiracy to commit computer intrusion and wire fraud conspiracy. Five of the defendants were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The sixth individual was a civilian already under indictment for conspiracy to commit computer intrusion and is now also charged with wire fraud conspiracy.

The indictment alleges that these GRU hackers and their co-conspirator engaged in a conspiracy to hack into, exfiltrate data from, leak information obtained from, and destroy computer systems associated with, the Ukrainian Government in advance of the Russian invasion of Ukraine. The Defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data in advance of the Russian invasion of Ukraine. The Defendants' targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine, including twenty-six NATO countries.

"Today's superseding indictment underscores our commitment to using all the tools at our disposal to pursue those who would do us and our allies around the world harm," said United States Attorney for the District of Maryland Erek L. Barron. "Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals."

"The GRU's WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia's abhorrent disregard for innocent civilians as it wages its unjust invasion," said Assistant Attorney General Matthew G. Olsen of the National Security Division. "Today's indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies."

"Through strokes on a keyboard, the accused criminals used computers to cross into countries, hunting for weaknesses and seeking to harm. The FBI and our law enforcement partners, both national and international, will collectively defend against Russia's aggressive and illegal actions," said Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office. "We are united in identifying, prosecuting, and protecting against future crimes and vow to relentlessly hunt down and counter these threats."

"Since July 2021, the U.S. Department of State's Rewards for Justice (RFJ) program, administered by the Diplomatic Security Service (DSS), has offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," said DSS Deputy Assistant Secretary for Threat Investigations and Analysis Paul Houston. "Under this reward offer, the RFJ program is seeking information leading to the location of these individuals, GRU's malicious cyber activity, or associated individuals and entities."

The defendants charged in the indictment are: Yuriy Denisov [Юрий Денисов], a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155; four lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations: Vladislav Borovkov [Владислав Боровков], Denis Denisenko [Денис Денисенко], Dmitriy Goloshubov [Дима Голошубов], and Nikolay Korchagin [Николай Корчагин]; and a civilian co-conspirator, Amin Sitgal [Амин Стигал].

According to court documents, in January 2022, the Defendants conspired to use a U.S.-based company's services to distribute malware known in the cybersecurity community as "WhisperGate" to dozens of Ukrainian government entities' computer systems and destroy those systems and related data in advance of the Russian invasion of Ukraine. The United States government previously joined with allies and partners in May 2022 to attribute this cyber-attack to the Russian military and to condemn the attack and similar destructive cyber activities against Ukraine.

On January 13, 2022, the Defendants attacked multiple Ukrainian government networks, including the Ukrainian Ministry of Internal Affairs, the State Treasury, the Judiciary Administration, the State Portal for Digital Services, the Ministry of Education and Science, the Ministry of Agriculture, the State Service for Food Safety and Consumer Protection, the Ministry of Energy, the Accounting Chamber for Ukraine, the State Emergency Service, the State Forestry Agency, and the Motor Insurance Bureau. The Defendants infected computers on these and other networks with the WhisperGate malware, which was designed to look like ransomware. However, as the indictment alleges, WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data.

In conjunction with these attacks, the Defendants compromised several of the targeted Ukrainian computer systems, exfiltrated sensitive data, including patient health records, and defaced the websites to read: "Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future." That same day, the Defendants offered the hacked data for sale on the internet.

In August 2022, the Defendants also hacked the transportation infrastructure of a Central European country that was supporting Ukraine. Beginning in August 2021, the Defendants also probed a variety of protected computer systems including those associated with twenty-six NATO member countries, searching for potential vulnerabilities. The indictment further alleges that from August 5, 2021 to February 3, 2022, the Defendants leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks.

This indictment is part of an international effort, OPERATION TOY SOLDIER, to combat the malicious cyber activity by Unit 29155 of the GRU.

The indictment was announced by U.S. Attorney Barron, Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division, and Special Agent in Charge William J. DelBagno of the Federal Bureau of Investigation, Baltimore Field Office.

U.S. Attorney Barron and Assistant Attorney General Matthew G. Olsen commended the FBI's Baltimore Field Office for its outstanding work and thanked the FBI's Milwaukee and Boston Field Offices for their support in the case. Mr. Barron thanked Assistant U.S. Attorneys Aaron S.J. Zelinsky and Robert I. Goldaris, who are prosecuting the case, with valuable assistance from the National Security Division's National Security Cyber Section.

For more information on the Maryland U.S. Attorney's Office, its priorities, and resources available to help the community, please visit www.justice.gov/usao-md and https://www.justice.gov/usao-md/community-outreach.

# # #

Contact

Updated September 5, 2024