Russian military officers charged in Olympics hacking campaign

Performers form the shape of a dove at the opening ceremony of the PyeongChang Winter Olympics (by Kyodo News Stills via Getty Images)

US and UK authorities have accused Russia of conducting the “most disruptive and destructive” series of computer attacks ever attributed to a single group in wide-ranging charges that include the 2018 and 2020 Olympic Games.

The US Department of Justice (DoJ) has announced that a federal grand jury in Pittsburgh returned an indictment charging six hackers, all of whom were residents and nationals of Russia and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.

The GRU hackers and their co-conspirators are accused of engaging in computer intrusions and attacks to support Russian government efforts to undermine, retaliate against, or otherwise destabilise the Olympic Games, along with the 2017 French elections, the Ukrainian and Georgian governments and the UK investigation into the nerve agent poisoning of Sergei Skripal, his daughter, and several British citizens.

With regard to the Olympics, Russia is accused of targeting the 2018 Winter Olympic Games in PyeongChang as a means of retaliation for the ban on its athletes competing under their country’s flag following the uncovering of Russia’s high-profile, state-sponsored doping campaign.

The DoJ said the computer attacks used some of the world’s most destructive malware to date, including Olympic Destroyer, which disrupted thousands of computers used to support PyeongChang 2018. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through hacking.

From December 2017 through to February 2018, the defendants are said to have utilised spear phishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials.

Intrusions into computers supporting PyeongChang 2018 are said to have been made during this time, culminating in Olympic Destroyer being deployed for the destructive malware attack that hit the opening ceremony of the Games on February 9, 2018.

“No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security, John C. Demers.

“The department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.”

U.S. Attorney Scott W. Brady for the Western District of Pennsylvania added: “For more than two years we have worked tirelessly to expose these Russian GRU officers who engaged in a global campaign of hacking, disruption and destabilisation, representing the most destructive and costly cyber-attacks in history.”

Following the DoJ announcement, the UK exposed what it claims was “malicious cyber activity” from the GRU against organisations involved in the 2020 Olympic and Paralympic Games before they were postponed.

The National Cyber Security Centre (NCSC) said the activity involved cyber reconnaissance by the GRU targeting officials and organisations involved in the Games, which had been due to take place in Tokyo from July 24 to August 9 before being put back a year due to the Covid-19 pandemic.

The NCSC said it “assesses with high confidence” that the attacks were carried out by the GRU’s Main Centre for Specialist Technologies (GTsST), also known as Sandworm and VoodooBear.

Paul Chichester, the NCSC’s director of operations, said: “These attacks have had very real consequences around the world – both to national economies and the everyday lives of people. We will continue to work with our allies to ensure that we are the hardest possible target for those that seek to cause disruption and harm in cyberspace.”

Tokyo 2020 said in a statement that “no significant impact” had been observed in its operations, adding it has been taking “countermeasures”.