U.S. Charges 7 Russian Intelligence Officers With Hacking 40 Sports And Doping Groups

Oct 4, 2018
Originally published on October 4, 2018 11:25 pm

Updated at 2 p.m. ET

A federal grand jury in Pennsylvania has indicted seven Russian military intelligence officers, accusing them of hacking into U.S. and international anti-doping agencies and sports federations and of accessing data related to 250 athletes from about 30 countries.

Announcing the charges Thursday morning, the Justice Department also said the hackers' targets included Westinghouse Electric Corporation, the Organization for the Prohibition of Chemical Weapons, and a Swiss lab that was testing for an exotic poison used in the attempted assassinations of former KGB agent Sergei Skripal and his daughter.

The officers, part of Russia's foreign military intelligence agency GRU, allegedly published stolen information under the phony auspices of a group called the Fancy Bears' Hack Team.

A U.S. magistrate judge in the Western Pennsylvania district ordered arrest warrants to be issued for the officers, all of whom are currently believed to be in Russia.

Moscow is denying the accusations, with the Russian foreign ministry saying, "The West's spy mania is gaining momentum," according to state-run Tass media.

The U.S. investigators say the hackers acquired the data through cyberattacks on networks and officials at roughly 40 anti-doping agencies and sporting organizations. The alleged victims range from the International Olympic Committee and the World Anti-Doping Agency to the IAAF (the International Association of Athletics Federations) and FIFA, soccer's governing body.

In some cases, the hackers modified data before releasing it. And in addition to their surreptitious operations, the Justice Department says, the hackers who released athletes' data "exchanged e-mails and private messages with approximately 186 reporters in an apparent attempt to amplify the exposure and effect of their message."

The GRU officers worked hard to obscure their tracks. According to the indictment, they mainly used bitcoin to pay for technical equipment and to register domain names, and they used "hundreds of different email accounts, in some cases using a new account for each purchase."

The DOJ says Russia began its Olympics operation in retaliation for a damning World Anti-Doping Agency's report released one month before the 2016 Rio Olympics, which found the country had used a systematic campaign to cheat doping tests, in actions that centered on the 2014 Sochi Winter Olympics. Within days of that report, Russia began trying to hack into WADA, the U.S. Anti-Doping Agency and other agencies, according to the Justice Department.

The charges include conspiracy, wire fraud conspiracy, wire fraud, aggravated identity theft and conspiracy to commit money laundering. The case directly relates to Thursday's announcement by Dutch authorities who say they disrupted at least one cyber operation aimed at the OPCW.

Some of the hackers had been "caught red-handed" trying to infiltrate the OPCW in the Netherlands earlier this year, said Assistant Attorney General John Demers of the DOJ's National Security Division.

Three of the seven defendants who were charged on Thursday had been charged in indictments by the office of special counsel Robert Mueller in July. The two sets of indictments share conspirators and methods, Demers said, along with what he called the same strategic goal: Russia's "disinformation operations aimed at muddying or altering perceptions of the truth."

Once Russia was exposed, Demers added, the embarrassed country "fought back by retaliating against the truth tellers, and against the truth itself."

In July, the Justice Department indicted 12 GRU officers, accusing them of crimes related to the hacking of the Democratic National Committee's emails, state election systems and other targets in 2016.

In Thursday's press release, the Justice Department listed the seven Russians' names and ages: Aleksei Sergeyevich Morenets, 41; Evgenii Mikhaylovich Serebriakov, 37; Ivan Sergeyevich Yermakov, 32; Artem Andreyevich Malyshev, 30; and Dmitriy Sergeyevich Badin, 27 — whom the Justice Department says were assigned to Military Unit No. 26165 — along with GRU officers Oleg Mikhaylovich Sotnikov, 46, and Alexey Valerevich Minin, 46.

Federal prosecutors say that Yermakov, Malyshev, Badin and others used fake identities and proxy servers as they "researched victims, sent spearphishing emails, and compiled, used and monitored malware command and control servers."

If the networks and data that the officers wanted couldn't be cracked remotely, the Justice Department says, the Russian officers would travel to other countries, where they hacked into Wi-Fi networks — and shared access with their conspirators in Russia.

Russian officers traveled to Brazil for the 2016 Summer Olympics in Rio de Janeiro — and they succeeded in infiltrating vital accounts, the DOJ says, adding that the hackers captured the credentials of an Olympics anti-doping official and used them to get into the WADA database.

The hackers also used a Wi-Fi network to steal the credentials of "a senior USADA anti-doping official," allowing them to read emails that included "summaries of athlete test results and prescribed medications."

Some of the activity is from nearly four years ago: One of the Russians charged, Yermakov, traveled to the U.S. in November 2014, when he "performed reconnaissance of Westinghouse Electric Company's ... networks and personnel" in Pennsylvania, the Justice Department said.

The Russians were interested in the Pittsburgh nuclear power company because it was supplying nuclear fuel to the Ukraine, according to the indictment.

The U.S. announced the criminal charges on the same day Britain's National Cyber Security Centre and the Dutch Defense Ministry laid out new charges against the GRU, accusing the service of attacks with targets ranging from the U.S. election to the World Anti-Doping Agency and an international chemical weapons watchdog.

Russia's military intelligence agency, the GRU, used a trunkful of electronics to attack the Organization for the Prevention of Chemical Weapons in April, Dutch officials said on Thursday.

Dutch authorities escorted four Russian intelligence officers out of the country hours after the car they had rented was found parked near the OPCW's building in The Hague, its trunk full of gear for hacking Wi-Fi networks. A large antenna was sitting on top of the equipment, which was on and running, using a battery that had been placed in the trunk.

The four officers had entered the Netherlands on diplomatic passports, according to the Dutch Defense Ministry, which said the British intelligence service had worked with it to disrupt the operation.

"This cyber operation against the OPCW is unacceptable," said Dutch Defense Minister Ank Bijleveld. "By revealing this Russian action, we have sent a clear message: Russia must stop this."

Russia's ambassador to the Netherlands was summoned to underline that message, she said.

Dutch and British officials laid out the charges against the GRU on Thursday, listing the group's attempts to steal information, disrupt or otherwise influence a number of high-profile targets, from the International Olympic Committee to Russia's central bank and two Russian media outlets.

"Bringing the concrete findings of intelligence services into the public arena is an unusual step," Bijleveld said. But the Dutch government was exposing the officers, she said, "since this will hamper any further attempts at international operations."

The U.S. contacted law enforcement in the Netherlands about the case in August, the Dutch defense ministry said.

The attack on the OPCW took place in April, as the organization was working to analyze the Novichok attack on Sergei Skripal in England, the officials said. At the time, the group was also poised to study a chemical weapons attack in Syria, the officials said.

"This was not an isolated act," British Ambassador to the Netherlands Peter Wilson said at a briefing about the espionage on Thursday. "The unit involved, known in the Russian military as Unit 26165, has sent officers around the world to conduct brazen close-access cyber operations."

Citing the OPCW's mission of combating some of the world's most horrible weapons, Wilson said Russia's attack reflects "complete disregard for this vital mission."

Britain says Russia's military intelligence agency, the GRU, attacked a wide range of civilian and political targets in what it calls a "flagrant violation of international law."

In response, the Russian Embassy in London, which has embraced an adversarial relationship with the British government, said that U.K. accusations of GRU cyberattacks "are nothing but crude disinformation, aimed at confusing the British and world public opinion."

A laptop that was confiscated from the officers held a trove of information about their past activities, including a record of connecting to a Wi-Fi network at a hotel in Lausanne, Switzerland, in September 2016, as the World Anti-Doping Agency was holding a conference at the hotel. A laptop was compromised, and the APT 28 malware infection that resulted spread widely, eventually compromising the IP addresses of the International Olympic Committee, Wilson said.

And Wilson added, in a chilling note, one of the officers had "also conducted malign activity in Malaysia," in an operation that targeted the inquiry into Malaysia Airlines Flight MH17, the airliner that crashed in eastern Ukraine after being hit by a missile. Hours earlier, it had taken off from Amsterdam.

Both the Netherlands and Australia say Russia is to blame for the deaths of the nearly 300 people who were aboard MH17. Wilson said that the operation in Malaysia targeted the police as well as the attorney general's office.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

MARY LOUISE KELLY, HOST:

The U.S. joined European governments today in accusing a group of Russian military intelligence officers of more cyber mischief. The indictment from the U.S. Justice Department describes hacks against sports stars and against anti-doping agencies in the U.S. and in Canada. It also says Russians targeted a Dutch group that was studying the poison used to try and kill a former Russian spy.

NPR national justice correspondent Carrie Johnson was at the Justice Department today, as she is most days, and she is back here in the studio now with details. Hey, Carrie.

CARRIE JOHNSON, BYLINE: Hi, Mary Louise.

KELLY: OK, so tell me more about the Russian intelligence officers being charged and why now. What's the timing?

JOHNSON: Yeah, the defendants are seven current Russian military officers. Today's charges include conspiracy and money laundering. A few of the defendants are also charged with wire fraud or identity theft. Court papers say some of the cyberactivity here started in 2014 when allegations about Russia cheating to avoid drug tests for the Olympics first came to light. But some of the behavior extended up till this summer in 2018.

KELLY: Oh, so it's - this is very current.

JOHNSON: Yeah, when the hackers were in touch with reporters who wanted access to documents these hackers got their hands on.

KELLY: Now, I gather all of these seven Russian officers are in Russia. And there is no U.S. extradition treaty in place. So why bother charging them?

JOHNSON: Well, FBI officials point out sometimes they get lucky. These guys travel to European countries where there are extradition treaties in place. But even if that doesn't happen, the DOJ says its practice of naming and shaming does make a difference because it shows the hackers America knows how to find them and describe what they did. And sometimes other parts of the government impose sanctions on individual hackers or the people who fund them. The assistant attorney general for national security, John Demers, told reporters that Russia launched this cyber effort because it was embarrassed by allegations that its athletes were evading drug tests.

(SOUNDBITE OF ARCHIVED RECORDING)

JOHN DEMERS: Embarrassed by that truth, Russia fought back by retaliating against the truth-tellers and against the truth itself.

JOHNSON: Now, Mary Louise, the Justice Department says it's exposing those activities and that this indictment tells the real story.

KELLY: I was asking you earlier about the timing of these charges, Carrie, and I have another question along those lines. The U.S. announced these charges just hours after Britain and the Netherlands announced their own accusations against Russians. Is that coincidence or coordinated?

JOHNSON: Very much coordinated. The Justice Department actually thanked its international law enforcement partners for their help at the press conference here in D.C. today. They highlighted how the Dutch were actually able to disrupt a hacking plot in April where four Russian men carrying diplomatic passports traveled to the Hague and rented a car and then filled it with electronic equipment. They parked that car next to the Organization for the Prohibition of Chemical Weapons. The goal was to penetrate the Wi-Fi networks there. But the Dutch were on to them, so the men abandoned that car and left the country. And this was at the same time this organization, the OPCW, was examining a substance used to poison a former Russian military intelligence officer and his daughter in the U.K. this year.

KELLY: This is the Sergei Skripal case.

JOHNSON: Exactly.

KELLY: OK. I mean, here's my big question, which is, what do these charges tell us, if anything, about the ongoing effort to protect U.S. elections? I mean, this is all, you know, something we're talking about still because of 2016 and hacks against Democratic servers and institutions. Are we any closer to knowing about efforts to protect the upcoming midterms from further Russian interference?

JOHNSON: The DOJ wouldn't touch that question today. But there is something worth pointing out here. The new indictment does include three of the same people accused earlier this year of hacking the 2016 presidential election, which begs the question, are they at it again? If so, the U.S. government has just singled them out all over again. And one unusual thing stood out this morning. The DOJ actually had a warning for news media both here and around the world. Be careful, they said, about using material that comes from these hacks. It can be false or misleading, or the hackers can have a sinister motive, as the Russian government allegedly did in this case.

KELLY: NPR's Carrie Johnson, thank you.

JOHNSON: My pleasure. Transcript provided by NPR, Copyright NPR.