Source: United States Department of Justice Criminal Division
Remarks as Prepared for Delivery
Thank you joining us this afternoon.
I am Matt Olsen, the Assistant Attorney General for National Security at the Department of Justice. I am joined today by the U.S. Attorney Erek Barron for the District of Maryland and Special Agent in Charge William DelBagno of the FBI Baltimore Field Office.
Today, we are announcing a superseding indictment against five officers of the Russian military intelligence agency, known as the GRU, and one civilian Russian cyber-criminal for their campaign to conduct cyber intrusions.
The superseding indictment adds to charges made public in June of this year against the Russian civilian, Amin Stigal. As alleged, the defendants are responsible for, among other malicious cyber activity, carrying out the series of destructive computer attacks, commonly referred to in the cybersecurity community as the “WhisperGate” campaign, which targeted computers in Ukraine shortly before Russia’s invasion in February 2022. More generally, the indictment alleges conspiracies related to cyber intrusions targeting victims in the United States, in Ukraine and elsewhere.
This WhisperGate campaign included the targeting of civilian infrastructure and Ukrainian computer systems wholly unrelated to the military or national defense, including government agencies responsible for emergency services, the judiciary, food safety and education.
Seeking to sap the morale of the Ukrainian public, the defendants also stole and leaked the personal data of thousands of Ukrainian civilians, including by posting individual patient heath information and other sensitive private data for sale online, and then taunting their victims.
They attempted to cover their tracks by pretending to be criminals engaged in ransomware attacks — leaving behind ransom notes demanding Bitcoin payments to return data from victim systems that the perpetrators knew had been destroyed and could not be recovered. Indeed, Stigal’s involvement demonstrates the Russian government’s continued willingness to provide a haven for cybercriminals in exchange for such criminals being “on call” to provide support and deniability for its military and intelligence services.
These conspirators did not limit their activities to Ukraine. They targeted computers around the world and used computer infrastructure of an unwitting U.S.-based company to conduct the WhisperGate attacks. The conspirators went on to target computer systems in other nations supporting Ukraine in its fight for survival, such as one alleged instance of targeting a European country’s transportation infrastructure. Ultimately, their targets included computer systems in 26 NATO partners, including the United States.
Before I turn it over to U.S. Attorney Barron to discuss this case in more detail, I will note that we are announcing today’s charges alongside the concurrent actions of our partners.
The U.S. Department of State is offering a Rewards for Justice reward of up to $10 million for information on the defendants. Over a dozen domestic and foreign partners have issued a joint cyber security advisory regarding the group’s cyber activities. And Estonia also has announced criminal charges against several individuals involved in the same hacking activity, including two of the same defendants.
The Justice Department stands united with our partners and allies in supporting the Ukrainian people in the wake of Russia’s unlawful and unjust invasion. The National Security Division will continue to use every tool in the department’s arsenal – including our private and international partnerships – to identify the individuals, take down the infrastructure and expose the tools and techniques propping up the Russian Government and carrying out its wide-variety of malicious and destabilizing activities.
When it comes to countering Russia’s cyber-enabled malicious activities, National Security Division prosecutors are operating as a force multiplier for prosecutors and agents throughout the country. They are emphasizing prevention and, since Russia’s invasion, have conducted multiple court-authorized takedowns of the GRU’s and other Russian botnets and malware networks. This includes the April 2022 Cyclops Blink operation to remove the GRU’s malware from infected C2 devices, successfully dismantling the GRU botnet and remediating thousands of infected devices, which Russia could have otherwise deployed against Ukraine and its allies. In May 2023, they executed the court-authorized removal of the FSB’s “Snake” malware from hundreds of computer systems in at least 50 countries, undermining the FSB’s global espionage apparatus. And, just a few months ago, the National Security Cyber Section spearheaded the court-authorized takedown of a network of hundreds of compromised routers that the GRU had set up as the successor to Cyclops Blink. Even as our cyber adversaries evolve and adjust tactics, we are rising to counter them every step of the way.
We are also bringing this proactive posture to disrupting cyber-enabled foreign malign influence operations as well. Just yesterday, the Attorney General announced the department’s “Doppelganger” takedown operation to seize 32 internet domains used by the Russian government and its proxies to impersonate legitimate U.S. and foreign media organizations and perpetrate a covert campaign to interfere in the 2024 U.S. presidential election. This followed an action a few months ago to take down a Russian intelligence-operated, AI-enhanced bot farm that was similarly used to disseminate disinformation and sow discord in the U.S. and elsewhere.
I want to thank U.S. Attorney Barron and the prosecutors in the U.S. Attorney’s Office for the District of Maryland, and the FBI’s Baltimore Field Office, Milwaukee Field Office and Boston Field Office. Their dedication and partnership in disrupting this serious activity illustrates the department’s commitment to meeting national security and cybersecurity threats with action.