Cyber’s Most Wanted: FBI Is Hunting 10 Russian Threat Actors
Who are some of the most wanted Russian hackers and cyber threat actors? A partial list from the FBI includes six Russian military intelligence (GRU) officers, three members of the Energetic Bear threat actor group, and one computer programmer employed by an affiliate of the Russian Ministry of Defense. Together they account for 10 of the suspects on the agency’s Cyber’s Most Wanted list.
Cyber Most Wanted: Russian GRU Officers and Destructive Cyberattacks
“The Department [of Justice] has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group,” said former Assistant Attorney General for National Security John C. Demers. Here are the six people he is talking about:
According to the FBI, all six are officers in Unit 74455 of the Russian military intelligence agency called the Main Intelligence Directorate (GRU). These individuals and their co-conspirators are known to the threat research community by the monikers: “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”
The group is allegedly behind the following destructive, disruptive, or otherwise destabilizing cyberattack campaigns:
1. Georgian Companies and Government Entities
In recent years, the GRU officers are also accused of involvement in these attacks:
A 2018 spear phishing campaign targeting a major media company
A 2019 campaign to compromise the network of the Georgian Parliament
Also in 2019, they carried out a wide-ranging website defacement campaign
2. Nerve Toxin Poisoning Investigations
The group allegedly participated in the April 2018 spear phishing campaigns targeting investigations into the nerve agent poisoning of Sergei Skripal, a former Russian military officer and double agent for British intelligence, his daughter, and several U.K. citizens.
As part of this effort, the threat actors are also suspected of phishing the Netherlands-based Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL).
Also, during the 2018 Winter Olympics, spear phishing campaigns and malicious mobile applications targeted South Korean citizens and officials, Olympic athletes, partners, visitors, and International Olympic Committee officials.
With a list of alleged “accomplishments” like this, it’s easy to understand why these six GRU officers are on the FBI Cyber’s Most Wanted list. And the FBI warns these threat actors “should be considered armed and dangerous, an international flight risk, and an escape risk.”
This same group is accused of the December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games. This campaign culminated in the destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer.
In June 2017, destructive malware attacks using NotPetya impacted much of the world. The campaigns infected computers worldwide, including hospitals and other medical facilities, a FedEx Corp. subsidiary (TNT Express B.V.), Danish shipping giant Maersk, a large U.S. pharmaceutical manufacturer, and others. Combined losses from the attacks were estimated at approximately $1 billion. The U.S. and U.K. publicly blamed Russia for this attack.
During April and May 2017, the group played a part in spear phishing campaigns and related hack-and-leak efforts that targeted French President Macron’s “La République En Marche!” political party, French politicians, and local French governments, prior to the 2017 French elections.
From December 2015 through 2016, the threat actors allegedly launched several destructive malware attacks against Ukraine’s Ministry of Finance, State Treasury Service, and its electric power grid. The attacks on the grid resulted in mass blackouts. The attacks used trojan and wiper malware, such as BlackEnergy, KillDisk, and Industroyer. A subsequent attack on Ukraine’s electrical power grid in 2022 used an updated version called Industroyer2. An in-depth analysis is provided in our threat research report, Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure.
Cyber Most Wanted: The Three Energetic Bears
The U.S. Department of Justice (DOJ) also shared information about four employees of the Russian Government who appear on the FBI Cyber’s Most Wanted list. These threat actors are charged with attempting, supporting and conducting computer intrusions that, over the course of a two-phased operation, targeted the global energy sector between 2012 and 2018. In total, the operation targeted hundreds of organizations, across approximately 135 countries.
The charges allege that three of the Russian nationals are members of a Russian intelligence operational unit known in the cybersecurity community by the moniker “Energetic Bear” and many other names, including “Dragonfly,” “Berserk Bear,” “DYMALLOY,” “IRON LIBERTY,” and “Crouching Yeti.” The unit is part of an entity called Center 16 in the Russian Federal Security Service (FSB), which is a branch of the Russian Intelligence Services (RIS). The chart below makes this somewhat confusing link to the Russian government easier to understand.
According to the U.K. government, Center 16 has targeted systems essential for energy, healthcare, finance, education and local/national governments. This has been a concerted campaign over many years and across a wide range of countries in Europe, the Americas and Asia. Further details of specific examples of FSB Center 16 activity can be found here.
If we look at Energetic Bear specifically, the threat actor group has, according to MITRE, targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide via supply chain, spear phishing, and drive-by compromise attacks.
The Long Game: Why Nation-State Threat Actors Want Access to Critical Infrastructure
As for the three alleged Energetic Bear members, we mentioned earlier that they are accused of conducting a two-phased operation that targeted the global energy sector. According to the FBI, the first phase involved the deployment of custom malware known as Havex, which infected more than 17,000 unique devices in the United States and other nations.
The second phase included targeted compromises of energy sector entities, individuals, and engineers who worked with ICS (industrial control systems) and SCADA (supervisory control and data acquisition) systems. This included a 2017 intrusion into the business network of a nuclear power plant in Kansas.
An FBI special agent who investigated the Kansas case said there was no evidence of data exfiltration, and it appeared the goal was to gain and maintain access. “Meaning that, at a later date, they could have used this access to affect or damage the energy grid or other critical operations within the United States,” the agent explained.
Collectively, these intrusions could have had a devastating impact on energy delivery worldwide.
Cyber Most Wanted: The Russian Researcher
The Department of Justice also indicted Evgeny Gladkikh, an employee of a research entity within the Russian Ministry of Defense, on charges that he used Triton malware to successfully infiltrate and compromise critical safety equipment within a foreign natural gas refinery, and then attempted to attack similar facilities in the United States.
According to the FBI, the malware was designed to disable safety controls on physical equipment without alerting employees monitoring that equipment. In the attack on the foreign natural gas refinery, the malware caused the safety system to briefly shut down on two occasions and had the potential to cause an explosion, or the release of a toxic gas, by affecting the plant’s sulfur recovery efforts and burner management mechanisms.
Responding to Nation-State and APT Cyberattacks
This look at some of the Russian threat actors on the FBI’s Cyber’s Most Wanted list speaks to the sophistication of advanced persistent threat (APT) and nation-state threats. These sophisticated and highly targeted attacks require specialized, decisive and active response efforts, often requiring the assistance of experienced responders. That’s why the BlackBerry Incident Response (IR) team just finished a special three-part report called 13 Deadly Sins of APT Incident Response. The report is based on more than a hundred years of collective IR experience and is full of unique and actionable insights that can help you prepare for — and respond to — sophisticated cyberattacks.