UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF PENNSYLVANIA

UNITED STATES OF AMERICA

v.

YURIY SERGEYEVICH ANDRIENKO, SERGEY VLADIMIROVICH DETISTOV, PAVEL VALERYEVICH FROLOV, ANATOLIY SERGEYEVICH KOVALEV, ARTEM VALERYEVICH OCHICHENKO, and PETR NIKOLAYEVICH PLISKIN,

Defendants.

Criminal No. 20-316

18 U.S.C. §§ 371, 1030(a)(2)(C), 1030(a)(5)(A), 3559(g)(1) (Conspiracy)
18 U.S.C. § 1349 (Conspiracy to Commit Wire Fraud)
18 U.S.C. § 1343 (Wire Fraud)
18 U.S.C. §§ 1030(a)(5)(A) and 1030(c)(4)(B) (Damage to Computers)
18 U.S.C. § 1028A (Aggravated Identity Theft)
18 U.S.C. § 2 (Aiding and Abetting)

[UNDER SEAL]

FILED OCT 15 2020, CLERK U.S. DISTRICT COURT, WEST. DIST. OF PENNSYLVANIA

COUNT ONE
(Conspiracy to Commit an Offense Against the United States)

The grand jury charges:

1. At all times relevant to the indictment, from at least in and around November 2015 through in and around October 2019, the Russian Federation ("Russia") operated a military intelligence agency called the Main Intelligence Directorate of the General Staff of the Armed Forces ("GRU"). The GRU was headquartered in Moscow, Russia, and was comprised of multiple units, including Military Unit 74455, which was also known within the GRU as the "Main Center for Special Technologies" (also known as "GTsST") and by cybersecurity researchers as Sandworm Team, Telebots, Voodoo Bear, and Iron Viking. Military Unit 74455 was primarily located at 22 Kirova Street, Khimki, Moscow, Russia, a building referred to within the GRU as "the Tower."

2. Defendants YURIY SERGEYEVICH ANDRIENKO
(Юрий Сергеевич Андриенко), SERGEY VLADIMIROVICH DETISTOV (Сергей Владимирович Детистов), PAVEL VALERYEVICH FROLOV (Павел Валерьевич Фролов), ANATOLIY SERGEYEVICH KOVALEV (Анатолий Сергеевич Ковалев), ARTEM VALERYEVICH OCHICHENKO (Артем Валерьевич Очиченко), and PETR NIKOLAYEVICH PLISKIN (Петр Николаевич Плискин) were GRU officers working for Military Unit 74455 who knowingly and intentionally conspired with each other and with persons known and unknown to the grand jury (collectively, the "Conspirators") to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers. This included cyber-enabled malicious actions aimed at supporting broader Russian government efforts—regardless of the consequences to innocent parties and critical infrastructure worldwide—to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) the country of Georgia; (3) France's elections; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil; and (5) the 2018 Winter Olympics after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.

THE VICTIMS

3. Among the victims targeted by Military Unit 74455 were thousands of U.S.
and international corporations, organizations, and political campaigns and parties; foreign governments; entities and corporations associated with the 2018 Winter Olympic Games; and their respective employees. The victims included:

a. Ukraine, through the Conspirators' deployment in and around December 2015 and December 2016 of destructive "BlackEnergy," "KillDisk," and "Industroyer" malware against companies supporting Ukraine's electric power grid and against Ukraine's Ministry of Finance and State Treasury Service;

b. France, through spearphishing campaigns in and around April and May 2017 targeting local government entities, political parties, and campaigns, including now-French President Emmanuel Macron's "La République En Marche!" political party in connection with Macron's 2017 presidential campaign;

c. Hundreds of worldwide victims of the "NotPetya" malware attacks in and around June 2017, including: (1) civilian critical infrastructure, such as the Heritage Valley Health System, located in Sewickley, Pennsylvania, and Beaver, Pennsylvania, in the Western District of Pennsylvania, which had approximately 80 affected medical facilities; (2) a FedEx Corporation subsidiary, TNT Express B.V., which was one of the world's largest express delivery companies; and (3) a large U.S.
pharmaceutical manufacturer, which together had nearly $1 billion in losses resulting from the attacks;

d. International victims associated with the 2018 Winter Olympic Games, including: (1) Olympic partners and athletes, Republic of Korea (also known as South Korea) government agencies, and the International Olympic Committee ("IOC"), which the Conspirators targeted through spearphishing campaigns from in and around December 2017 until in and around February 2018; (2) South Korean nationals and international visitors to South Korea, whom the Conspirators targeted with malicious mobile applications in and around December 2017 and January 2018; and (3) the 2018 Winter Olympic Games more generally, through the deployment of destructive "Olympic Destroyer" malware against computer systems used by the Olympic Games' information technology vendor and the PyeongChang Organizing Committee for the 2018 Olympic & Paralympic Winter Games ("PyeongChang Organizing Committee") in and around February 2018;

e. International and government organizations investigating the poisoning of a former GRU officer and his daughter in the United Kingdom, through, among other conduct, a spearphishing campaign in and around April 2018, targeting the Organisation for the Prohibition of Chemical Weapons ("OPCW") and the United Kingdom's Defence Science and Technology Laboratory ("DSTL"); and

f. The country of Georgia and Georgian non-government organizations and private companies, including through a spearphishing campaign in and around January 2018 targeting a Georgian media outlet and a cyber attack in and around October 2019 that defaced approximately 15,000 websites and disrupted service to some of those websites.

THE DEFENDANTS

4. Defendant YURIY SERGEYEVICH ANDRIENKO was a Russian military intelligence officer assigned to Military Unit 74455. ANDRIENKO, together with PAVEL VALERYEVICH FROLOV, SERGEY VLADIMIROVICH DETISTOV, and PETR NIKOLAYEVICH PLISKIN, developed components of the NotPetya malware.
ANDRIENKO, together with PLISKIN, also developed components of the Olympic Destroyer malware.

5. Defendant SERGEY VLADIMIROVICH DETISTOV was a Russian military intelligence officer assigned to Military Unit 74455. During his tenure with the unit, DETISTOV held the position of captain. DETISTOV developed components of the NotPetya malware and prepared infrastructure for a spearphishing campaign targeting the 2018 Winter Olympics.

6. Defendant PAVEL VALERYEVICH FROLOV was a Russian military intelligence officer assigned to Military Unit 74455. FROLOV developed components of the NotPetya malware and the malware that the Conspirators used against Ukraine's Ministry of Finance and State Treasury Service.

7. Defendant ANATOLIY SERGEYEVICH KOVALEV was a Russian military intelligence officer assigned to Military Unit 74455. KOVALEV sent spearphishing emails targeting a wide variety of entities and individuals, including those associated with French local government entities, political parties, and campaigns; the 2018 Winter Olympics; the DSTL; and a Georgian media entity. KOVALEV also engaged in spearphishing campaigns for apparent personal profit, including campaigns targeting large Russian real estate companies, auto dealers, and cryptocurrency miners, as well as cryptocurrency exchanges located outside of Russia. KOVALEV is a charged defendant in federal indictment number 18-CR-215 in the District of Columbia.

8. Defendant ARTEM VALERYEVICH OCHICHENKO served as a Russian military intelligence officer in Military Unit 74455.
OCHICHENKO developed malicious email attachments and sent spearphishing emails containing those attachments to individuals working for the 2018 Winter Olympics' official timekeeping partners and their subsidiaries. OCHICHENKO was also involved in the Conspirators' targeting of the Georgian government and other Georgian entities in 2019.

9. Defendant PETR NIKOLAYEVICH PLISKIN served as a Russian military intelligence officer in Military Unit 74455 from the beginning of the conspiracy until in and around June 2018. During his tenure with the unit, PLISKIN served in a supervisory role as a Development Team Lead/IT manager. PLISKIN developed components of the NotPetya and Olympic Destroyer malware. (Images of defendants ANDRIENKO, DETISTOV, FROLOV, KOVALEV, OCHICHENKO, and PLISKIN are attached as Exhibit.)

OBJECT OF THE CONSPIRACY

10. The object of the conspiracy was to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access ("hacking") of victim computers.

MANNER AND MEANS OF THE CONSPIRACY

11. In furtherance of the conspiracy, ANDRIENKO, DETISTOV, FROLOV, KOVALEV, OCHICHENKO, PLISKIN, and others known and unknown to the grand jury procured, maintained, and utilized servers, email accounts, malicious mobile applications, and related hacking infrastructure to engage in spearphishing campaigns and other network intrusion methods against computers used by the victims. Also in furtherance of the conspiracy, ANDRIENKO, DETISTOV, FROLOV, and PLISKIN developed and deployed destructive malware against victim entities around the world, including in the Western District of Pennsylvania.
12. In order to avoid detection by law enforcement, security researchers, and victims, and to mask their GRU affiliation and location in Russia, the Conspirators used a variety of fictitious names and personas, as well as online infrastructure (including servers, domains, cryptocurrency, email accounts, social media accounts, and other online services) provided by companies in the United States and elsewhere. The Conspirators used this infrastructure for a wide range of conduct in furtherance of the conspiracy, including to: (1) communicate, research, and probe victim computer networks; (2) register malicious websites and domains with names mimicking legitimate ones; (3) send spearphishing emails; (4) store and distribute additional malware; (5) manage malware; (6) transfer stolen data; and (7) negatively influence the public perception of some of the victims. The Conspirators reused some of the same infrastructure to target multiple victim organizations and individuals.

13. To further mask their identities and conduct and to facilitate the purchase and the leasing of infrastructure (such as servers and domain names) used in their hacking activity, the Conspirators paid for infrastructure using cryptocurrencies, such as bitcoin, and often leased infrastructure from resellers rather than leasing infrastructure directly from hosting companies. The Conspirators also used numerous operational accounts in fictitious names to purchase and lease infrastructure.

14. The Conspirators registered domain names and created URLs for use in their hacking activities that were designed to mimic or "spoof" those of legitimate websites that victims were familiar with, including email login pages, online file sharing and storage websites, and password reset pages. Examples include msroleconvofice conf (which mimicked a website belonging to Microsoft) and jeojang.ga (with respect to which the Conspirators created the subdomain mafra.go.kr.jeojang.ga, which mimicked a website belonging
to the Korean Ministry of Agriculture, Food, and Rural Affairs, mafra.go.kr). The Conspirators used each of these domain names in connection with spearphishing campaigns targeting entities and individuals associated with the 2018 Winter Olympics.

15. The Conspirators typically initiated their hacking activities by researching the victim organizations, including their computer networks and employees. This research provided technical and biographical information that the Conspirators could exploit in subsequent intrusion activities (e.g., spearphishing campaigns).

16. The Conspirators crafted their spearphishing emails to trick unwitting recipients into giving the Conspirators access to their computers or account credentials (e.g., usernames and passwords). The Conspirators crafted these emails to resemble emails from trustworthy senders, such as email providers or colleagues, and encouraged the recipients to click on hyperlinks in the messages. Other spearphishing emails crafted by the Conspirators attached documents containing malware that, when opened and executed by the victims, infected victims' computers.

17. The Conspirators used malware and hacking tools such as "BlackEnergy," "Industroyer," "KillDisk," "NotPetya," and "Olympic Destroyer" to hack into victim computers and networks, maintain command and control over such computers and networks, steal network credentials, obtain access to sensitive and private data, and render such computers and networks inoperable. To craft their malware, the Conspirators customized publicly available malware and hacking tools, and, in some instances, purposely attempted to mimic the malware of other hacking groups—including the Lazarus Group state-sponsored hacking team in the Democratic People's Republic of Korea (which is also known as North Korea)—as part of a "false flag" operation.
The Conspirators also created certain malware components from scratch, including components enabling the Conspirators to conduct the destructive portions of their attacks.

18. After hacking into victim computers, the Conspirators performed a variety of functions designed to identify, collect, package, and view targeted data on victims' computers, including stealing credentials that allowed the Conspirators to move laterally and exponentially throughout victims' computer networks. The Conspirators also overwrote files and erased data from victim computers.

19. In addition, both during and after operational activity, the Conspirators made efforts to cover their tracks by deleting information from their operational accounts and deleting data on servers they controlled or had compromised.

COMPUTER INTRUSIONS AND OTHER OVERT ACTS

The 2015 and 2016 Attacks Targeting Ukraine's Electric Power Grid

20. On or about December 23, 2015, the Conspirators hacked into the computer systems belonging to three Ukrainian energy distribution companies, interacted remotely with control systems in dozens of power distribution substations used by these companies, and successfully disrupted the supply of electricity to more than 225,000 Ukrainian customers.

21. The preparations for this attack commenced in and around late spring 2015, when the Conspirators used spearphishing emails to obtain access into the three energy distribution companies' computer systems and then used destructive malware against the computer systems.

a. The spearphishing campaign targeted the companies' information technology staff and system administrators using emails attaching malware-laced files.

b.
Once they had obtained access to the victims' computer systems, the Conspirators used a particular variant of malware called "BlackEnergy" to steal user credentials. The Conspirators used the stolen credentials to access the Supervisory Control and Data Acquisition ("SCADA") networks at the Ukrainian energy distribution companies. The Conspirators also used destructive malware called "KillDisk" at the conclusion of the attacks to delete computer event logs and other files and reboot the infected computers. Once rebooted, the infected computers were inoperable.

22. Almost a year later, on or about December 17, 2016, the Conspirators conducted a computer intrusion against a Ukrainian electric transmission company ("Electric Company 1"). Electric Company 1's computer network had been compromised by the Conspirators since in and around April 2016. In furtherance of the attack, the Conspirators used malware—which was later named "Industroyer" by cybersecurity researchers—that was specifically designed to attack power grids by gaining control of electrical substation switches and circuit breakers.

23. The malware included a disk wiper plugin that the Conspirators used to delete Electric Company 1's key system files with certain file extensions (including common extensions such as .zip and .exe, as well as file extensions specific to the brand of industrial control system used by Electric Company 1), thus rendering Electric Company 1's computer operating systems inoperable. In addition, the Conspirators' deployment of the malware disrupted the supply of electricity to Kiev, Ukraine, for approximately one hour.

The December 2016 Attacks Against Ukraine's Ministry of Finance and State Treasury Service

24. On or about December 6, 2016, while Ukraine was preparing end-of-year pension payments as well as the following year's budget, the Conspirators deployed destructive malware against Ukraine's Ministry of Finance and State Treasury Service.
As a result of the attack, the State Treasury Service's regional subdivisions were disconnected from the State Treasury Service's automated payment system, preventing the execution of approximately 150,000 electronic transactions. In addition, the attack temporarily disabled the Ministry of Finance's information and telecommunication infrastructure.

25. The attack against the State Treasury Service began in and around October 2016 with a spearphishing campaign that targeted the Service's system administrators.

a. The spearphishing campaign utilized emails containing a malware-laced Microsoft Excel file called "Most critical IT needs_eng.xls."

b. The State Treasury Service's computer network was compromised by in and around October 2016 after a system administrator for the Service opened the Microsoft Excel file and enabled macros for the file. Allowing the macros to run resulted in the execution of the malware-laced file "explorer.exe" on the employee's computer, which ultimately established unauthorized, covert encrypted communication between the computer and a third-party service used by the Conspirators.

c. The Conspirators thereafter used a dedicated network connection between the State Treasury Service and Ukraine's Ministry of Finance to obtain unauthorized access to the Ministry of Finance's computer network.

d. On or about December 6, 2016, the Conspirators deployed an updated version of the KillDisk malware—which was very similar to the version of the KillDisk malware the Conspirators used in the December 2015 cyber attacks against Ukraine's electric power grid—to: (1) delete the infected computers' Windows event logs; (2) delete all of the files that matched a list of file extensions hardcoded into the malware; and (3) overwrite portions of the infected computers' hard drives, thus rendering the computers inoperable.
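As an added example (not part of the indictment), the following Python triage scan looks for files wiped the way paragraphs 25 and 26 describe the December 2016 KillDisk variant: a file overwritten entirely with zeros, or deleted, recreated under the same name and filled with the repeating string "mrR0b07" or "fS0ci37y". The directory layout and file contents are constructed for the demonstration; the scan itself is read-only.

```python
"""Read-only triage scan for files wiped in the manner the indictment attributes to KillDisk.

Added example, not from the indictment. All paths and file contents are constructed.
"""
import os
import tempfile
from pathlib import Path

# Fill strings the indictment attributes to the December 2016 KillDisk variant.
WIPE_MARKERS = (b"mrR0b07", b"fS0ci37y")
HEAD_BYTES = 4096  # the fill is uniform, so the head of each file is enough


def classify_bytes(data: bytes) -> str:
    """Classify one file's content.

    Returns "marker:<string>" for a KillDisk fill string (high confidence),
    "zero-filled" for an all-zero file (lower confidence: sparse or
    preallocated files look the same), "empty", or "no-wipe-pattern".
    """
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero-filled"
    for marker in WIPE_MARKERS:
        # The fill is the marker repeated; the last repetition is truncated
        # when the file length is not a multiple of the marker length.
        reps = len(data) // len(marker) + 1
        if data == (marker * reps)[: len(data)]:
            return "marker:" + marker.decode("ascii")
    return "no-wipe-pattern"


def scan_tree(root: Path) -> dict:
    """Walk `root` and return {relative path: verdict} for every regular file.

    Only the first HEAD_BYTES of each file are read and nothing is written,
    so this is safe to run against a mounted forensic copy of a victim disk.
    """
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            with path.open("rb") as fh:
                verdicts[str(path.relative_to(root))] = classify_bytes(fh.read(HEAD_BYTES))
    return verdicts


def summarize(verdicts: dict) -> dict:
    """Count files per verdict; this is the triage headline for a host."""
    counts = {}
    for verdict in verdicts.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def build_sample_tree(root: Path) -> Path:
    """Create a constructed directory that mimics a partially wiped workstation."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # 1000 is not a multiple of 7, so the final "mrR0b07" is cut short.
    (docs / "budget.xls").write_bytes((b"mrR0b07" * 200)[:1000])
    (docs / "memo.docx").write_bytes(b"fS0ci37y" * 64)
    (docs / "pagefile.bin").write_bytes(b"\x00" * 2048)
    (docs / "readme.txt").write_bytes(b"quarterly figures attached\n")
    (docs / "stub.log").write_bytes(b"")
    return root


def demo() -> tuple:
    """Build the sample tree in a temp dir, scan it, and return (verdicts by file name, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        verdicts = scan_tree(build_sample_tree(Path(tmp)))
    by_name = {Path(rel).name: verdict for rel, verdict in verdicts.items()}
    return by_name, summarize(verdicts)


if __name__ == "__main__":
    by_name, counts = demo()
    for name, verdict in sorted(by_name.items()):
        print(f"{verdict:18} {name}")
    print(counts)
```

Treat "zero-filled" hits as leads to confirm against the file's expected type and size; the marker strings are the strong signal.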
26. a. Once executed, the KillDisk malware used three different options to invoke different behaviors: (1) an option to set a specific date and time to execute the malware's destructive mode; (2) an option to specify a desired delay, in minutes, before executing the destructive mode; and (3) an option to specify desired functionality, including the malware's destructive mode. Once the KillDisk malware verified which options were selected, it prepared the infected computer system for file destruction.

b. To do this, the KillDisk malware prepared several locations in the computer's memory for overwriting files by allocating a set area in the computer's memory. The KillDisk malware filled the first allocated memory location with zeros and filled the second and third allocated memory locations with the repeated terms "mrR0b07" and "fS0ci37y," respectively, which reference the television show "Mr. Robot." After the three allocated memory locations were filled with zeros, "mrR0b07," and "fS0ci37y," the KillDisk malware obtained a computer system privilege that allowed it to access all available files on the compromised computer system.

c. FROLOV and other Conspirators designed the KillDisk malware such that the third option could create an art image of the "fsociety" mask from "Mr.
Robot." The KillDisk malware did not store an image of the "fsociety" mask within the malware. Instead, FROLOV designed the malware to draw the image in real time on the infected computer's screen. The "fsociety" mask was computed from the following bitmap array embedded in the malware:

[bitmap array image omitted]

d. Once the "fsociety" mask image was drawn in memory, the malware displayed the image on the victim's computer screen on top of all other graphical windows.

e. The third option could also enable KillDisk to destroy all files on the infected computer that ended with one of more than 100 different file extensions. To destroy each file on compromised computers, KillDisk: (1) overwrote the entire file with zeros, (2) deleted the file and then recreated it with the same name, and (3) populated the file with the repeating string "mrR0b07" or "fS0ci37y" as described above. To determine which string to populate, KillDisk generated a random number; if the number was odd, "mrR0b07" was written, and if the number was even, "fS0ci37y" was written. After all of the files were destroyed, KillDisk rebooted the compromised computer systems, which were inoperable because the malware had destroyed all of the key system files.

f. The Conspirators designed KillDisk to attempt to clear the event logs on compromised computers in order to make it more difficult for forensic investigators to obtain digital evidence.

Interference in the 2017 French Elections

27. From on or about April 3, 2017, through on or about May 3, 2017 (during the days leading up to the May 7, 2017, presidential election in France), the Conspirators conducted seven spearphishing campaigns targeting more than 100 individuals who were members of now-President Macron's "La République En Marche!" ("En Marche!") political party, other French politicians and high-profile individuals, and several email addresses associated with local French governments.
The topics of these campaigns included public security announcements regarding terrorist attacks, email account lockouts, software updates for voting machines, journalist scoops on political scandals, En Marche! press relationships, and En Marche! internal cybersecurity recommendations.

28. KOVALEV participated in some of these campaigns. For example, on or about April 21, 2017, KOVALEV developed and tested a technique for sending spearphishing emails themed around file sharing through Google Docs. KOVALEV then crafted a malware-laced document entitled "Qui_peut_parler_aux_journalists.docx" (which translates to "Who can talk to journalists") that purported to list nine En Marche! staff members who could talk to journalists about the previous day's terrorist attack on the Champs-Élysées in Paris. Later that day, the Conspirators used an email account that mimicked the name of then-candidate Macron's press secretary to send a Google Docs-themed spearphishing email to approximately 30 En Marche! staff members or advisors, which purported to share this document.

29. From on or about April 12, 2017, until on or about April 26, 2017, a GRU-controlled social media account communicated with various French individuals, offering to provide them with internal documents from En Marche! that the user(s) of the account claimed to possess.

30. On or about May 3 and May 5, 2017, unidentified individuals began to leak documents purporting to be from the En Marche! campaign's email accounts.

The NotPetya Malware Attacks

31. On or about June 27, 2017—on the eve of Ukraine's Constitution Day, which commemorates the country's departure from the Soviet Union—the Conspirators executed a series of malware attacks to render inoperable the computer systems used by Ukrainian organizations, including banks, newspapers, and electricity companies. The malware used in the attacks was later named "NotPetya" by cybersecurity researchers.
Because the NotPetya malware was designed to spread to connected networks belonging to other victims, the attacks also rendered inoperable computer systems belonging to victims in other countries, including in the United States.

32. In particular, the NotPetya malware compromised computer systems at two hospitals, 60 physician offices, and 18 community satellite facilities belonging to the Heritage Valley Health System ("Heritage Valley"), which, at all times during the conspiracy, was located in Sewickley, Pennsylvania, and Beaver, Pennsylvania, in the Western District of Pennsylvania. All of Heritage Valley's internet traffic was routed through servers located in the Western District of Pennsylvania, and all of the resulting damage and its effects, including those to mission-critical computer systems, impacted Heritage Valley's healthcare professionals and patients in the Western District of Pennsylvania.

33. The Conspirators designed NotPetya to masquerade as ransomware, a type of malware that encrypts and blocks access to a victim's computer system and/or files until the victim pays a ransom. In particular, the Conspirators designed the NotPetya malware to emulate already existing ransomware called "Petya." However, the purported ransomware purpose of NotPetya was a ruse. Unlike Petya—which displayed a ransom note on infected computers demanding money and where, upon payment of the ransom, the computers could be decrypted—the NotPetya malware operated such that, even if victims paid the ransom ($300 worth of bitcoin), the Conspirators would not be able to decrypt and recover the victim computer files.

34. The Conspirators disseminated the NotPetya malware using a popular Ukrainian accounting software called M.E.Doc that was used to facilitate the communication of tax information to the Ukrainian government.
The software was periodically updated through an update server (the "Update Server"). The Conspirators commenced the NotPetya attacks on or about June 27, 2017, when they rerouted internet traffic from (1) computers attempting to update the M.E.Doc software via the Update Server to (2) a France-based server controlled by the Conspirators. This France-based server delivered the malware to the victim computers that connected to it.

35. Each organization that conducts business in Ukraine has a unique legal entity identifier called an EDRPOU number (Код ЄДРПОУ), which is similar to a tax identification number in the United States. The Update Server hosted a website (the "Certification Website") that was used to check whether a company had a valid certificate for verifying electronic signatures. Entering a company's EDRPOU number into the Certification Website would reveal whether the company had a valid certificate as well as the name of the entity associated with a given EDRPOU number.

36. Beginning in and around April 2017, the Conspirators, including ANDRIENKO, PLISKIN, and FROLOV, familiarized themselves with the EDRPOU and M.E.Doc, including by querying the EDRPOU website and computer language sets specific to the Ukrainian alphabet.

37. The M.E.Doc software on customer networks periodically connected to the Update Server to check for new software updates. The Conspirators gained access to the software code for the M.E.Doc software prior to the NotPetya attacks, which allowed the Conspirators to surreptitiously add malicious functionality to the files containing the software updates (the "Update Files"). The Conspirators modified Update Files on or about April 14, 2017; May 15, 2017; and June 21, 2017. Computers receiving M.E.Doc software updates downloaded these Update Files, but the NotPetya malware file was not pushed to these computers by the Conspirators until on or about June 27, 2017.

a. On or about April 14, 2017, the Conspirators published the first malicious Update File to the M.E.Doc Update Server.
Before publishing the Update File, the Conspirators added computer code into the file to collect a list of all EDRPOUs associated with computers using the M.E.Doc software that had downloaded the Update File.

b. The malicious Update File also caused victim computers to send web requests to the Update Server containing a cookie comprised of (1) the EDRPOU list, and (2) the computer username that was logged into the computer that was running the M.E.Doc software. Once the Conspirators redirected web traffic from the Update Server to the Conspirators' France-based server on June 27, 2017, the Conspirators received this information from incoming web requests.

c. On or about June 21, 2017, the Conspirators published another malicious software update to the Update Server. This Update File closely resembled the April 2017 version and would ultimately deliver the NotPetya malware.

d. In some instances, the Conspirators accessed the Update Server using the Certification Website to query EDRPOU numbers in order to identify organizations that had downloaded a malicious Update File.

38. On or about June 27, 2017, from approximately 1:14 p.m. to 3:31 p.m. Moscow Time, the June 21, 2017, Update File delivered the NotPetya malware to computers that attempted to receive the software update from the Update Server.

a. The malware was delivered to these computers while the Conspirators temporarily rerouted network traffic bound for the Update Server to the France-based server controlled by the Conspirators. As a result, computers attempting to receive the software update instead connected to the Conspirators' server in France and downloaded the malware.

b. Once victim computers downloaded the malicious Update File and the Conspirators rerouted the network traffic, victim computers could remotely receive and execute commands from the Conspirators.
With these commands, the Conspirators could perform a variety of actions with respect to the victims' computer systems, including obtaining system information and accessing, modifying, creating, and executing files.

c. As designed by the Conspirators, once the malware was downloaded onto a computer, it attempted to escalate its privileges and determine whether particular antivirus processes were running on the computer. The malware then attempted to identify other computers on the same network to potentially compromise; if the malware had obtained a particular system privilege, it attempted to extract and execute a credential-stealing program and/or escalate its privileges to achieve lateral movement to other computers on the network.

d. Once the malware file was copied to victim computers, one of two methods was used to execute the malware. FROLOV and other Conspirators coded the malware such that, if both methods failed, the malware spread itself to other victim computers using either the exploit EternalBlue or EternalRomance, which allowed the Conspirators' malware to covertly connect to the computers without valid credentials. After victim computers were confirmed to be vulnerable to either the EternalRomance or EternalBlue exploit, the malware would copy itself to and execute on those computers.

e. The Conspirators programmed the malware such that, after attempting lateral movement within the compromised computer's network, the malware searched for files ending with dozens of different file extensions and began encrypting those files on the compromised computer. Once files were encrypted, the malware created a text file inside every folder that contained encrypted files.
The text file contained the NotPetya ransom note, which was later displayed on victim computers as in the example below:

[ransom note image omitted]

f. DETISTOV and other Conspirators coded the malware such that, after the malware encrypted the files, it restarted the compromised computer using a

g. DETISTOV and other Conspirators also programmed the malware such that, depending on the type of operating system and after the malware identified files that were encrypted, it would try various ways to make it more difficult for forensic investigators to obtain digital evidence, including by deleting logs.

39. On or about June 27, 2017, at approximately 7:23 a.m. Eastern Daylight Time, the first computer in the Heritage Valley Health System's computer network became infected by the NotPetya malware. The infection occurred as the result of a connection between the Heritage Valley computer and the computer network of another entity that had itself been infected by the NotPetya malware. By stealing and using Heritage Valley user credentials to self-propagate, the malware then spread from the initial infected Heritage Valley computer to other computers on Heritage Valley's computer network.

40. For the next several hours, Heritage Valley's computer hard drives were encrypted; workstations were locked; patient lists, patient medical history information, physical examination files, and prior laboratory records were inaccessible (so pre-operative laboratory work needed to be redone); and Heritage Valley's servers were inaccessible. The attack also caused Heritage Valley to lose access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and other administrative computer systems for almost one month. In addition to disrupting Heritage Valley's provision of
