2 Russian intel officers charged with hacking into U.S. and British government agencies

Two Russian intelligence officers have been indicted by the Justice Department as part of what prosecutors allege was a broad campaign to hack into U.S. and British government agencies in an effort to gather intelligence in the two countries — and to influence British politics.

Senior FBI and Justice Department officials sought to distinguish the alleged Russian hacking operation in the U.S. — targeting intelligence, defense and nuclear energy officials — from similar efforts by U.S. agencies to collect information in other countries through cyber intrusions. The Russian campaign crossed the line, they told reporters, by trying to influence British politics, including an election in 2019. They also noted that it was conducted by a unit of Russia’s Federal Security Service, or FSB, that was supposed to cooperate with other countries in combating cybercrime but was instead working with cybercriminals to steal secrets.

“What sets this apart from what one would refer to as legitimate intelligence gathering activities would be the weaponization of this information in furtherance of efforts to … influence democratic processes in one of our allies,” a senior Justice Department official said in a background briefing.

The officials said there was no evidence the campaign sought to interfere in American elections. But they said the Russians were able to compromise the email accounts of a number of American national security officials. They got in through a classic spear-phishing campaign, gaining the trust of the target and then sending a malicious link that allowed them to steal passwords.

“Once the Conspirators illegally obtained the targeted victims’ credentials, they were able to gain unauthorized access to their accounts and take valuable intelligence from their victims’ accounts at will, including intelligence related to United States defense, foreign affairs, and security policies, as well as nuclear energy related technology, research, and development,” the indictment said.

The indictment, returned this week by a federal grand jury in San Francisco, charged Ruslan Aleksandrovich Peretyatko, identified as an officer in the FSB Center 18, and Andrey Stanislavovich Korinets with conspiracy to commit computer fraud and abuse. The indictment also charged other unnamed conspirators.

“The Russian government continues to target the critical networks of the United States and our partners, as highlighted by the indictment unsealed today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Through this malign influence activity directed at the democratic processes of the United Kingdom, Russia again demonstrates its commitment to using weaponized campaigns of cyber espionage against such networks in unacceptable ways.”

The State Department announced rewards of up to $10 million for information leading to the identification or location of the two Russian officers or their co-conspirators. Treasury’s Office of Foreign Assets Control, or OFAC, announced sanctions against Peretyatko and Korinets, as did Britain.

Kurt Sanger, a retired Marine and former senior official at U.S. Cyber Command, told NBC News he was concerned that the indictment described conduct that hewed close to traditional intelligence collection, and therefore posed a risk for U.S. personnel who engage in cyber espionage or offensive cyber operations. The worry is that Russia or China could begin filing criminal charges against U.S. cyber operators, making travel riskier for them.

“Any indictment that we issue, we need to think not only about what we do, but anything that could plausibly be described as close to what we do, because the Russians will be disingenuous,” he said. “I do think this is dangerous and it puts our operators in jeopardy.”

The indictment says the hacking campaign in the U.S. targeted current and former employees of the intelligence community, Defense and State departments, defense contractors and Energy Department facilities between at least October 2016 and October 2022. It says the conspirators — known publicly as “Callisto Group” — targeted military and government officials, think tank researchers and staff and journalists in the U.K. and elsewhere — and that information from certain of these targeted accounts was leaked to the press in Russia and Britain in advance of the latter’s elections in 2019. 

British officials described a yearslong campaign by the FSB to influence British institutions and the 2019 election by leaking hacked material — a campaign they said was not successful.

“Despite their repeated efforts, they have failed,” British Foreign Secretary David Cameron said in a statement.

The conspirators allegedly used “spoofed” email accounts designed to look like the personal and work-related email accounts of their targets, and also sent sophisticated-looking emails that appeared to come from email providers, suggesting users had violated terms of service. These messages were designed to trick victims into entering their email account credentials into false login prompts. Once the hackers fraudulently obtained the victims’ credentials, they were able to access the victims’ email accounts at will.

In addition to “Callisto Group,” FSB Center 18 is tracked by cybersecurity investigators under other names: “Dancing Salome” by Kaspersky Labs, “STAR BLIZZARD” by Microsoft Threat Intelligence Center, and “COLDRIVER” by Google’s Threat Analysis Group.

Officials acknowledged it would be difficult to get the two Russian defendants into a U.S. courtroom, but they said the indictment nonetheless sent an important message.

“Certainly, we have no expectation that Russia will send these individuals here to face the U.S. justice system,” a senior FBI official said. “If they do travel to a country that cooperates with U.S. legal process, they stand the risk of being extradited to the United States to face these charges. And certainly we believe that is important for us to put out there publicly, that you cannot conduct these sorts of operations against democracy and expect to be able to travel freely throughout the world.”