In a statement, the Department of Justice claimed the six had acted against Ukraine, Georgia, elections in France, efforts to hold Russia accountable for use of a nerve agent in another country, and the 2018 PyeongChang Winter Olympics.
The DoJ said: "The charges contained in the indictment are merely accusations, however, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt."
Google, including its Threat Analysis Group; Cisco, including its Talos Intelligence Group; Facebook; and Twitter assisted in the investigation.
The statement said the attacks had been spread over the period November 2015 to October 2019.
It provided the following details:
- Ukrainian government and critical infrastructure: From December 2015 through December 2016, there were destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
- French elections: Between April and May 2017, spearphishing campaigns and related infiltrate-and-leak efforts targeted French President Emmanuel Macron’s political party, French politicians, and local French governments before the 2017 French elections;
- Worldwide businesses and critical infrastructure: On 27 June 2017, attacks infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System in the western district of Pennsylvania; a FedEx Corporation subsidiary, TNT Express; and a large US pharmaceutical manufacturer, which together suffered nearly US$1 billion (A$1.4 billion) in losses from the attacks;
- PyeongChang Winter Olympics hosts, participants, partners and attendees: From December 2017 through February 2018, spearphishing campaigns and malicious mobile applications targeted South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee officials;
- PyeongChang Winter Olympics IT systems: From December 2017 through February 2018, intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games culminated in a 9 February 2018 attack against the opening ceremony, using malware known as Olympic Destroyer;
- Novichok poisoning investigations: From April 2018, spearphishing campaigns targeted investigations by the Organisation for the Prohibition of Chemical Weapons and the UK Defence Science and Technology Laboratory into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens; and
- Georgian companies and government entities: A 2018 spearphishing campaign targeted a major media company; in 2019, an effort was made to compromise the parliament network; and a wide-ranging website defacement campaign was carried out in 2019.
"No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite," said John C. Demers, Assistant Attorney-General for National Security.
"Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way."
FBI deputy director David Bowdich said: "The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia's cyber activities truly are.
"But this indictment also highlights the FBI's capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the US and its citizens."
Asked for his take on the charges, former NSA hacker Jake Williams said: "I think the timing of the announcement is interesting. I don't believe for a minute that it's any coincidence that we're seeing a tough-on-Russia move immediately before the election.
"That said, I'm not sure whether the indictments are timed to help the president [Donald Trump] or if they are an effort by the DoJ to salvage some reputation in the apparently increasingly likely chance that [Democrat candidate Joe] Biden wins.
"From a technology standpoint, I'm not sure there's really much in the indictment that wasn't already publicly known. Perhaps the most interesting part is the confirmation that a Russian APT tried to camouflage themselves as North Korean actors."
Chester Wisniewski, principal research scientist at Sophos, said the indictments were an interesting development in attempts by Western governments to rein in foreign adversary attacks.
"Sandworm has operated for more than 10 years and has played nearly every card in the attacker playbook," he said.
"They are accused of having used spearphishing, document exploits, password stealers, living-off-the-land tools, supply chain hijacking and destructive wipers, and have even pretended to be ransomware in efforts to create false flags for investigators. They have been a noisy operation and many of us have been expecting this day to come for some time."
Wisniewski, a long-time security industry researcher, added: "Another result of this noisiness is they have inadvertently popularised sophisticated nation-state level tactics to be copied by everyday criminals.
"While they did not pioneer all these methods, they certainly perfected them and exposed their usefulness in breaching organisations' defences. Considering the accused are members of the GRU, they are unlikely to ever be arrested. Three of the accused were previously indicted for other crimes and these indictments might prove to embolden them rather than curb their behaviour.
"We're no safer than we were yesterday, and we need to continue to bolster our defences to be prepared for Sandworm or any of the garden variety criminals they have inspired. Were they to be arrested, their replacements are already in training and the relentless thirst of nation-states to compromise and interfere with their adversaries goes undeterred."