As cyber threats from state-sponsored actors continue to grow, vigilance is crucial—even against less sophisticated actors. During this year’s Cybersecurity Awareness Month, attention turns to Operation Toy Soldier, an initiative that led to the indictment of several members of Russia’s GRU Unit 29155. This group targeted computer systems in the U.S. and 25 other NATO countries, underscoring the persistent threat of cyber attacks on critical infrastructure. Read the full story below to understand how nations are tackling these cybersecurity challenges.
In an indictment unsealed recently, a grand jury in Maryland charged six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia), with conspiracy to commit computer intrusion and wire fraud conspiracy. Five of the defendants were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The sixth individual was a civilian already under indictment for conspiracy to commit computer intrusion and is now also charged with wire fraud conspiracy.
Note: Concurrent with the return of the indictment, the U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information on any of the defendants’ locations or their malicious cyberactivity. Anyone possessing such information should contact Rewards for Justice here.
The indictment alleges that these GRU hackers and their co-conspirator engaged in a conspiracy to hack into, exfiltrate data from, leak information obtained from and destroy computer systems associated with the Ukrainian Government in advance of the Russian invasion of Ukraine. The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data. The defendants’ targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine, including the United States and 25 other North Atlantic Treaty Organization (NATO) countries.
“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”
“The FBI and its international partners are relentless in our commitment to thwarting GRU attacks across the globe and bringing to justice those responsible for these criminal acts,” said FBI Deputy Director Paul Abbate. “Our work protecting against cyber threats in a rapidly evolving landscape continues, including deployment of all tools in our arsenal to defend our infrastructure and impose costs on those who target it.”
“Since July 2021, the U.S. Department of State’s Rewards for Justice (RFJ) program, administered by the Diplomatic Security Service (DSS), has offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act,” said DSS Deputy Assistant Secretary for Threat Investigations and Analysis Paul Houston. “Under this reward offer, the RFJ program is seeking information leading to the location of these individuals, GRU’s malicious cyber activity or associated individuals and entities.”
“Today’s superseding indictment underscores our commitment to using all the tools at our disposal to pursue those who would do us and our allies around the world harm,” said U.S. Attorney Erek L. Barron for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”
“Through strokes on a keyboard, the accused criminals used computers to cross into countries, hunting for weaknesses and seeking to harm. The FBI and our law enforcement partners, both national and international, will collectively defend against Russia’s aggressive and illegal actions,” said Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office. “We are united in identifying, prosecuting and protecting against future crimes and vow to relentlessly hunt down and counter these threats.”
The defendants charged in the indictment are: Yuriy Denisov [Юрий Денисов], a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155; four lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations: Vladislav Borovkov [Владислав Боровков], Denis Denisenko [Денис Денисенко], Dmitriy Goloshubov [Дима Голошубов] and Nikolay Korchagin [Николай Корчагин]; and a civilian co-conspirator, Amin Sitgal [Амин Стигал].
According to court documents, on Jan. 13, 2022, the defendants conspired to use a U.S.-based company’s services to distribute malware known in the cybersecurity community as “WhisperGate,” which was designed to look like ransomware, to dozens of Ukrainian government entities’ computer systems. However, as the indictment alleges, WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine. Ukrainian government networks subjected to this attack included the Ukrainian Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, Ministry of Agriculture, State Service for Food Safety and Consumer Protection, Ministry of Energy, Accounting Chamber for Ukraine, State Emergency Service, State Forestry Agency and Motor Insurance Bureau.
In conjunction with these attacks, the defendants compromised several of the targeted Ukrainian computer systems, exfiltrated sensitive data, including patient health records and defaced the websites to read: “Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future.” That same day, the defendants offered the hacked data for sale on the internet.
The U.S. government previously joined with allies and partners in May 2022 to attribute this cyber-attack to the Russian military and to condemn the attack and similar destructive cyber activities against Ukraine.
In October 2022, the defendants also hacked the transportation infrastructure of a Central European country that was supporting Ukraine. Beginning in August 2021, the defendants also probed a variety of protected computer systems including those associated with 26 NATO member countries, searching for potential vulnerabilities. The indictment further alleges that from Aug. 5, 2021, to Feb. 3, 2022, the defendants leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks.
This indictment is part of an international effort, Operation Toy Soldier, to combat the malicious cyber activity by Unit 29155 of the GRU. Accompanying today’s announcement, the FBI and 12 other partners, representing governments of nine countries, released a Joint Cybersecurity Advisory to enhance network defense efforts against Unit 29155’s malicious cyber activities.
The FBI Baltimore Field Office is investigating the case with assistance from FBI Milwaukee and Boston Field Offices.
Assistant U.S. Attorneys Aaron S.J. Zelinsky and Robert I. Goldaris for the District of Maryland are prosecuting the case with valuable assistance from the National Security Division’s National Security Cyber Section.