PITTSBURGH – Seven Russians were indicted by a federal grand jury in Pittsburgh on charges relating to a criminal hacking campaign that included the theft and public dissemination of private medical records of 250 athletes, including U.S. Olympic athletes. According to the indictment, the Russian hackers targeted the athletes and major anti-doping organizations in retaliation for a ban on Russian athletes due to Russia’s state-sponsored doping program. The Russian hacking also targeted western Pennsylvania employees of the Westinghouse Electric Corporation, as well as an organization and laboratory investigating Russia’s alleged use of chemical weapons.
According to the indictment, the defendants are all members of a Russian military intelligence agency based in Moscow known as the GRU:
• Aleksei Sergeyevich Morenets
• Evgenii Mikhaylovich Serebriakov
• Ivan Sergeyevich Yermakov
• Artem Andreyevich Malyshev
• Dmitriy Sergeyevich Badin
• Oleg Mikhaylovich Sotnikov
• Alexey Valerevich Minin
All seven defendants are charged with conspiracy to illegally access and cause damage to computers in the United States and elsewhere, conspiracy to commit wire fraud, and money laundering conspiracy. All except Sotnikov and Minin are also charged with aggravated identity theft. Finally, Yermakov is charged with multiple counts of wire fraud for attempting to hack into the personal email accounts of employees of Westinghouse.
The targets of the hacking activity included:
• Westinghouse Electric Corporation based outside Pittsburgh, Pennsylvania;
• the U.S. Anti-Doping Agency (USADA), headquartered in Colorado Springs, Colorado;
• the World Anti-Doping Agency (WADA), headquartered in Montreal, Canada;
• the Canadian Centre for Ethics in Sport (CCES), headquartered in Ottawa, Canada;
• the International Association of Athletics Federations (IAAF), headquartered in Monaco;
• The Court of Arbitration for Sport (TAS/CAS), headquartered in Lausanne, Switzerland;
• the Fédération Internationale de Football Association (FIFA), headquartered in Zurich, Switzerland;
• the Organisation for the Prohibition of Chemical Weapons (OPCW), an organization headquartered in The Hague, Netherlands, investigating the use of chemical weapons in Syria and the March 2018 poisoning of a former GRU officer in the United Kingdom with a chemical nerve agent; and
• the Spiez Swiss Chemical Laboratory located in Spiez, Switzerland, an accredited laboratory of the OPCW that analyzed the chemical agent connected to the poisonings of a former GRU officer and others in the United Kingdom.
United States Attorney Scott W. Brady emphasized his office’s focus on bringing justice to the victims of these crimes. “Through the tireless efforts and investigative work by our office and the FBI, we have exposed and charged an expansive criminal conspiracy of targeted cyber-attacks across three continents and seven countries. These cyber-attacks were designed to steal individuals’ and organizations’ most sensitive secrets and data. We want the hundreds of victims of these Russian hackers to know that we will do everything we can to hold these criminals accountable for their crimes. State actors who target US citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.”
“Malicious cyber hackers will not be allowed to undermine, retaliate against or expose sensitive information that damages the reputations of innocent victims,” said FBI Pittsburgh Special Agent in Charge Robert Jones. “This type of behavior is simply unacceptable. These charges show the world the FBI has a robust cyber investigative team and Pittsburgh is an essential part of it. We also want to thank our international partners, including the Royal Canadian Mounted Police and the Dutch Intelligence Service (the MIVD), for their support and coordination to ensure the safety of our people and networks.”
The criminal hacking operation was conducted from an identified GRU Unit in Moscow, and by GRU members who traveled around the world to hack into nearby computers through “close access” operations. The indictment describes how the conspirators conducted several “on site” operations: in Rio de Janeiro during and prior to the 2016 Olympic games, which compromised the email account of a USADA official; in Lausanne, Switzerland, resulting in the theft of login credentials from a CCES official; and, at The Hague in April 2018, in an attempt to hack into networks at OPCW. These on-site operations often involved targeting Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi, in an effort to gain unauthorized access to the victims’ computer networks.
The defendants stole data from WADA, USADA, CCES, TAS/CAS, IAAF and FIFA which contained sensitive, private medical information for 250 athletes from 30 countries. They then released the data publicly, often in misleading ways, masquerading as the “Fancy Bears Hack Team” on the websites fancybear.net, fancybear.org and other social media accounts, as part of a misinformation campaign. The defendants’ intent was to unfairly damage the reputations of competitive athletes and to retaliate against international anti-doping officials who had exposed the Russian state-sponsored doping program. As part of this prosecution, the United States has seized the websites fancybear.net and fancybear.org and is seeking their forfeiture.
Defendants Morenets, Serebriakov, Malyshev and Badin face maximum penalties of 49 years in prison and a fine of up to $1.25 million. Defendants Sotnikov and Minin face maximum penalties of 45 years in prison and a $750,000 fine. Defendant Yermakov, who is the sole defendant charged in five wire fraud counts, faces a maximum sentence of 149 years imprisonment and a fine of $2.5 million. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.