Three Revelations From the DOJ’s New Russian Hacking Indictment

Russian agents tried to hack a U.S. nuclear power company, anti-doping agencies and the missing Malaysia plane investigators

WASHINGTON — Federal prosecutors released a stunning new indictment Thursday that accuses seven Russian intelligence agents of trying to hack a slew of well-known organizations and companies around the world. Those targets include the World Anti-Doping Agency, FIFA, Westinghouse Electric Corporation (a Pennsylvania-based nuclear power company) and the Organisation for the Prohibition of Chemical Weapons.

What connects these seemingly disparate organizations? In one way or another, they all have been perceived as hostile or a threat to Russia, and so they came under attack from Russia’s intelligence agency, the GRU, over a period of several years.

The World Anti-Doping Agency was targeted for exposing Russia’s state-backed athlete performance-enhancing drug program, which led to a ban on Russian athletes participating in the 2016 Rio Summer Olympics. That ban was upheld by the Court of Arbitration for Sport, which also faced Russian cyberattacks, the indictment alleges.

According to the indictment, after FIFA began investigating doping by Russian soccer players, agents hacked into computers used by FIFA’s anti-doping team and stole confidential lab results, medical reports and contracts with doctors and medical testing labs.

This same group of Russian agents — who operated under the bogus name Fancy Bears’ Hack Team — targeted Westinghouse Electric Company, whose power plant designs are used for about half of the world’s active nuclear power plants. According to the indictment, Westinghouse has supplied Ukraine, Russia’s neighbor and geopolitical foe, with increasing amounts of nuclear fuel over the past decade.

Here are three of the most interesting details from the 41-page indictment and from the joint announcements by overseas intelligence agencies investigating Russian cyberattacks.

The Cyberattacks Included On-the-Ground Espionage

Three of the seven Russian agents named in Thursday’s indictment were also indicted in July by Special Counsel Robert Mueller for the hack-and-dump operation that targeted the Democratic Party and Hillary Clinton’s campaign. Not surprisingly, some of the same tactics used to attack the Democrats — spear-phishing emails, covert malware programs, weaponizing stolen information — appear in Thursday’s new indictment. One of the Russian government’s goals, the indictment says, was to “publicize and expose individual sensitive medical information and drug testing results of athletes” and to “damage the reputations of clean athletes from various countries by falsely claiming that such athletes were using banned or performance-enhancing drugs.”

But if remote hacking didn’t achieve the intended result, Russian agents traveled in person to the location of a target and used sophisticated equipment to carry out the hack. “These on-site operations,” the indictment says, “often involved targeting the computer networks used by victim organizations or their personnel through Wi-Fi connections, such as hotel Wi-Fi networks, in an effort to gain unauthorized access to the victims’ computer networks.”

Russian agents traveled to Rio de Janeiro to hack anti-doping officials and to The Hague, Netherlands, to hack the Organisation for the Prohibition of Chemical Weapons (OPCW), which was investigating the use of nerve agents in Syria and the alleged poisoning of a former Russian agent. In the case of the OPCW, two agents “assembled and secreted technical hacking equipment” in the trunk of a rental car that they parked next to the OPCW’s building, the indictment says. That equipment “was capable of several techniques, including long-distance, surreptitious interception of Wi-Fi signals, as well as harvesting of Wi-Fi user credentials.”

Here’s a photo of that trunk set-up:

The U.S. Worked with the Brits and the Dutch to Bust the Russian Agents

In its announcement, the Justice Department said that it got help from the U.K. and the Netherlands in bringing the indictment. British and Dutch government agencies simultaneously announced their own findings from investigations into similar Russian espionage in their own countries.

The UK’s National Cyber Security Centre revealed what it called “indiscriminate and reckless cyber attacks targeting political institutions, businesses, media and sport.” The British agency now says that it has strong evidence connecting Russian intelligence to the so-called BadRabbit ransomware attack, which disrupted services at the Kyiv metro system, the Odessa airport, Russia’s central bank and two Russian media outlets, as well as to attacks on the U.S. Democratic Party in 2016 and on a small UK-based TV station that was not named.

At the same time, Dutch intelligence officials accused Russia of hacking the OPCW, located in The Hague. Those officials said that a laptop taken from one of the suspects in the OPCW hacking operation showed evidence of other cyberattacks in different countries, including an effort to interfere with the investigation into the disappearance of Malaysia Airlines flight MH17 in 2014.

The Russian Hackers Were Successful — But Also Sloppy

The M.O. of the Russian agents named in Thursday’s indictment was similar to what the American public saw in 2016. Step one: Hack your targets. Step two: Steal their private info. Step three: Dump that information online in order to weaponize it to damage your enemies. In several instances, they succeeded at stealing troves of confidential information about drug testing, medical records and more.

But the agents appear to have been sloppy when it came to the dump part of their hack-and-dump. Operating under the phony name Fancy Bears’ Hack Team, the agents allegedly posted the confidential information they stole from various anti-doping agencies on the websites fancybear.net and fancybear.org and on affiliated social media accounts. They used cryptocurrency and fake names to purchase the tools needed to carry out their attacks.

According to the indictment, the agents didn’t do a very good job of hiding their tracks. “The conspirators publicly disseminated the stolen information using online accounts and other infrastructure,” the indictment says. “These accounts and associated infrastructure were acquired and maintained by GRU Unit 74455.”

“So remarkable—and so unprofessional—that GRU did not outsource even the silly Fancy Bears Hack Team to a front organization,” Thomas Rid, a cybersecurity expert and professor at Johns Hopkins’ School of Advanced International Studies, tweeted.

Now, these once-secret agents, their tactics and even their faces are known to the world. The Dutch intelligence service, as part of its announcement, released a slide deck with surveillance photos and headshots of the Russian agents accused of hacking on Dutch soil. Enjoy: