
Russian accused of cyberattack on Ukraine before invasion

Federal authorities are offering a reward of up to $10 million for information on the whereabouts of a Russian national they believe was involved in a large-scale cyberattack on Ukrainian government computer systems prior to Russia’s invasion of the country.

The planned attack, known as “WhisperGate,” also targeted a Central European ally of Ukraine and included an attempt to spy on U.S. government facilities in Maryland, according to an indictment unsealed Wednesday morning.

This week, a federal grand jury indicted Russian national Amin Stigal, charging him with conspiracy to commit fraud by hacking and destroying computer systems.

The U.S. District Court in Maryland issued an arrest warrant for 22-year-old Stigal, who prosecutors say is still at large.

“The Department of Justice will continue to stand with Ukraine on all fronts in its fight against Russia’s war of aggression, including by holding accountable those who support Russia’s malign cyber activities,” U.S. Attorney General Merrick Garland said in a statement announcing the charges.

The Russian embassy in Washington did not immediately respond to a request for comment.

In the indictment, federal authorities allege that Stigal worked with Russian intelligence officers from the General Staff’s Main Intelligence Directorate to carry out the agency’s cyberattacks abroad. Stigal and the military officers concealed their connection to the Russian government by using false identities, a worldwide computer network and cryptocurrencies.

The WhisperGate campaign began about a month before Russia’s invasion of Ukraine in February 2022, according to court documents, when Stigal, on behalf of the Russian military, hacked the computers of dozens of Ukrainian government agencies, including those dealing with “critical infrastructure,” agriculture, education, science and emergency services.

The attack campaign used software designed to look like a ransomware attack — which blocks access to files until a ransom is paid — but in fact deleted the files entirely, according to the indictment. WhisperGate also stole and published personal information, including the medical records of thousands of Ukrainians — which federal authorities said was intended to “sow concern among Ukrainian citizens” about the security of their government’s systems.

In October 2022, Stigal and the Russian military also hacked the transportation infrastructure of a Central European country not named in court documents that had provided civilian and military assistance to Ukraine after the invasion, the indictment says.

Federal prosecutors also alleged that from December 2020 to the present, the Russian military scanned protected government computers around the world – including in Maryland – as a “first step in gaining unauthorized access.”

The activities in Maryland included Stigal and the Russian military “browsing” U.S. government websites hosted on protected computers 63 times, according to court documents. The probe was the same tactic used elsewhere to identify vulnerabilities, prosecutors said.

It is not clear from the indictment whether the probing of the U.S. systems in Maryland was successful.

The WhisperGate malware attacked Ukrainian computer systems by first deleting the files on the targeted computers and then creating a ransom note demanding a payment of $10,000 in bitcoins to restore the already deleted data, according to court documents.

In one incident in January 2022, federal prosecutors alleged that the website of Ukraine’s state-run digital services portal was hacked to display a message in Polish, Russian and Ukrainian that read: “Ukrainians! All information about you has become public, be afraid and expect the worst. This concerns your past, present and future.”

According to prosecutors’ allegations, Stigal and the military attempted to sell the data, including criminal records and patient health information, within hours of the attack.

The reward of up to ten million dollars for information leading to Stigal’s whereabouts is being administered through the U.S. State Department’s Rewards for Justice fund.

“Malicious cyber actors who attack our allies should know that we will pursue them to the fullest extent of the law,” said Erek Barron, the U.S. Attorney for Maryland. “Cyber intrusions like the alleged one threaten our national security, and we will use every technology and investigative measure at our disposal to disrupt and track down these cyber criminals.”