Oct 19, 2020
DOJ Press Conference Transcript October 19: Charges Against Russian Officers
The Department of Justice held a press conference on October 19 to announce charges against Russian officers for cyberattacks. Read the transcript of the briefing here.
Speaker 1: (00:01)
… today, we’re going to announce charges against the GRU, which is the Russian military intelligence organization. The speakers there’ll be four, and then we’ll have a Q&A period. The speakers will be John Demers, the Assistant Attorney General for National Security, followed by the FBI Deputy Director, David Bowdich, followed by Scott Brady, who’s a US Attorney for the Western District of Pennsylvania. And then the last speaker will be Michael Christman, he’s the FBI Special Agent in Charge from the Pittsburgh office. Now following the formal speaking announcements and brief remarks, and then the Q&A, the speakers will leave the stage, both the webcast and the pool camera will go off, and then we’ll have a telephonic background briefing with those media who remain on the Chorus call.
Speaker 1: (00:49)
So there’ll be about a minute delay between the end of the press conference, and the start of that backgrounder to go through the 50 page indictment that’s being announced today.
Speaker 1: (00:59)
Operator, I would ask that you give instructions now on how reporters can queue up so when we do go to the Q&A period, we can go directly into that without a pause. And I will be back in about a minute with the speakers. Thank you.
Speaker 2: (01:14)
Thank you. Should you need assistance, please signal a conference specialist by pressing star, then zero on your telephone keypad. To ask a question, you may press star, then one on your telephone keypad. Again, star then one to ask a question. To withdraw your question, please press star, then two. Please limit yourself to one question. Please note, this event is being recorded.
John Demers: (02:12)
Good afternoon. Today we announced criminal charges against the conspiracy of Russian military intelligence officers who stand accused of conducting the most disruptive and destructive series of computer attacks ever attributed to a single group. I’m joined here today in this announcement by FBI Deputy Director, Dave Bowdich, by the US Attorney for the Western District of Pennsylvania Scott Brady, and by the special agent in charge of the Pittsburgh Field Office, Mike Christman.
John Demers: (02:47)
In the past three months alone, the department has charged computer intrusions or taken legal action related to the activities of China, Iran, and North Korea. Each of these cases charged significant and malicious conduct that we have called out in part to reinforce norms of responsible nation state behavior in cyberspace. But as this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite. The defendants in this case were all members of the military unit 74455 of the Russian main intelligence directorate known as the GRU. The department previously charged members of this same unit, also known to cyber security researchers as the Sandworm Team for their role in Russia’s efforts to interfere with the 2016 US elections.
John Demers: (03:55)
We make no election interference allegations here, rather today’s charges illustrate how unit 74455’s election activities were but one part of the work of a persistent sophisticated hacking group, busy sabotaging perceived enemies or detractors of the Russian Federation, regardless of the consequences to innocent bystanders or their destabilizing effect.
John Demers: (04:27)
Six current and former officers in unit 74455 are accused of the following disruptive and destructive attacks alleged in the indictment.
John Demers: (04:37)
In December of 2015 and 2016, the conspirators launched destructive malware attacks against the electric power grid in the Ukraine. These were the first reported destructive malware attacks against the control systems of civilian critical infrastructure. These attacks turned out the lights and turned off the heat in the middle of the Eastern European winter as the lives of hundreds of thousands of Ukrainian men, women, and children went dark and cold.
John Demers: (05:07)
From there, the conspirators’ destructive path, still putatively aimed at the Ukraine, widened to encompass virtually the whole world in what is commonly referred to as the most destructive and costly cyber attack ever. The conspirators unleashed the NotPetya malware. Although it masqueraded as ransomware designed to extort money, this was a false flag. The conspirators designed the malware to spread with devastating and indiscriminate alacrity, bringing down entire networks in seconds, and searching for remote computer connections through which to attack additional innocent victims, all without hope of recovery or repair. The entirely foreseeable result was that the worm quickly spread globally, shutting down companies and inflicting immense financial harm.
John Demers: (05:57)
This irresponsible conduct impaired the ability of companies in critical sectors, such as transportation and healthcare to provide services to the public, not only in the Ukraine, but as far away as Western Pennsylvania. As alleged, for just three US-related victims, three of at least hundreds of victims worldwide, the damages exceeded one billion dollars.
John Demers: (06:23)
Rather than express remorse for the damage they inflicted against victims worldwide, the conspirators callously celebrated their success.
John Demers: (06:33)
Next, the conspirators turned their sights on the Winter Olympics, a forum where the international community, despite recurring conflict, comes together to celebrate the common pursuit of physical prowess and mental toughness. The conspirators, feeling the embarrassment of international penalties related to Russia’s state-sponsored doping program, that is cheating, took it upon themselves to undermine the games. Their cyber attack combined the emotional maturity of a petulant child with the resources of a nation state.
John Demers: (07:06)
They conducted spear phishing campaigns against South Korea, the host of the Winter Games, as well as the International Olympic Committee, Olympic partners and athletes. Then during the opening ceremony, they launched the Olympic Destroyer malware, which deleted data from thousands of computers supporting the games, rendering them inoperable. Although the conspirators took steps to pin the Olympic Destroyer attack on North Korea, this second false flag attempt failed. Cybersecurity researchers ultimately attributed the attack to the Sandworm team as do we today.
John Demers: (07:42)
These destructive and disruptive malware attacks and related preparations were not the conspirators’ only malicious conduct alleged in the indictment. The conspirators also supported hack and leak operations in the days leading up to the 2017 French elections. And the conspirators continued their disrupting attacks
John Demers: (08:03)
… as recently as October 19th, targeting government and non-government websites in the country of Georgia. Today’s allegations in their entirety provide a useful lens for evaluating Russia’s offer two weeks ago for a reset in cyber-relations between Russia and the United States. Russia is certainly right that technologically sophisticated nations that aspire to lead have a special responsibility to secure the world order and contribute to widely accepted norms, peace, and security. That’s what we’re doing here today. But this indictment lays bare Russia’s use of its cyber capabilities to destabilize and interfere with the domestic, political, and economic systems of other countries, thus providing a cold reminder of why its proposal is nothing more than dishonest rhetoric and cynical and cheap propaganda. Before I wrap up my remarks, I’d like to thank the team of prosecutors and FBI agents whose diligence and perseverance has led to these charges and to the kind of evidence that we can use to prove these charges in open court.
John Demers: (09:10)
I’d like to express the department’s appreciation for assistance from the private sector, such as Cisco’s Talos Intelligence Group, Facebook, Google, and Twitter, in investigating and disrupting this cyber threat. We also appreciate the hard work and dedication of our four foreign law enforcement and intelligence partners in countries including the Ukraine, Georgia, South Korea, the United Kingdom, and New Zealand, who have also pursued these conspirators after attacks and intrusions within their own countries or otherwise assisted in our investigation. All of these partnerships send a clear message that responsible nations and the private sector are prepared to work together to defend against and disrupt significant cyber threats. Now I’ll turn the podium over to the US Attorney from the Western District of Pennsylvania to go over the charges in more detail. Scott.
Scott Brady: (10:13)
Thank you, John. Good afternoon. I’m Scott Brady. I’m the US Attorney for the Western District of Pennsylvania. Today, my colleagues and I are pleased to announce that a federal grand jury in Pittsburgh, Pennsylvania returned a seven-count indictment charging six Russian military intelligence officers for their roles in some of the most destructive, most costly, and most egregious cyber attacks ever known. The defendants were all officers within military Unit 74455 of the Russia Main Intelligence Directorate, also known as the GRU. Unit 74455 is well known to the Department of Justice and to the FBI for, among other things, its role in Russia’s efforts to interfere in the 2016 US elections, portions of which were initially investigated by the Western District of Pennsylvania with our partners from the National Security Division and the FBI’s Pittsburgh Field Office. The indictment unsealed today reveals the Russian government’s global campaign of disruption, interference, and destabilization against strategic adversaries across three continents. As outlined by AAG Demers, the crimes committed by these defendants and Unit 74455 are truly breathtaking in their scope, scale, and impact. AAG Demers spoke to the broader geopolitical implications of the GRU’s campaign. I want to speak for a moment about the victims in this case. While the alleged perpetrators of these crimes were Russian government officials, the victims who suffered real harm as a result of these crimes were often ordinary citizens and businesses around the world. These are citizens and businesses that rely on such things as electricity for warmth during a cold Ukrainian winter, a reliable banking system as a foundation for a stable economy, untainted elections free from interference by foreign adversaries, the opportunity to participate in a traditionally nonpolitical event like the Olympics, and access to fundamentally sound hospitals for life-saving medical care to name just a few.
The devastating crimes allegedly committed by these defendants and Unit 74455 co-conspirators harmed ordinary people around the world, including in my district in Western Pennsylvania. As a result of the NotPetya malware attack, Heritage Valley Health Systems, which provides health care to tens of thousands in Western Pennsylvania, lost access to their mission-critical computer systems, such as those used for cardiology, nuclear medicine, radiology, and surgery.
Scott Brady: (12:51)
Their hard drives at 80 medical facilities were encrypted. Workstations were locked. Patient lists, medical patient history, examination files, and laboratory records were inaccessible. While Heritage Valley spent more than 2 million responding to and recovering from the attack, the disruption of critical health care to patients cannot be quantified monetarily. Additionally, a FedEx subsidiary spent approximately 400 million responding to and recovering from NotPetya attack on its computer systems, and a large US pharmaceutical manufacturer spent in excess of 500 million. And these are just three of the hundreds of victims of NotPetya worldwide. These are not acts of traditional spying against governments. Instead, these are crimes committed by Russian government officials against real victims who suffered real harm. My colleagues and I on this stage have an obligation to hold accountable those who commit crimes no matter where they reside, and no matter for whom they work, in an effort to seek justice on behalf of the victims of these crimes.
Scott Brady: (13:59)
Let me talk briefly about the charges and the seven-count indictment. The defendants are charged in count one with engaging in an ongoing and wide-ranging conspiracy to hack into computers, steal information such as network credentials, and cause significant damage to the networks through the deployment of malicious code, otherwise known as malware. The defendants are charged at count two with conspiracy to commit wire fraud. This offense consists of conspiring to use stolen authentication credentials to gain access to, and move laterally within, victims’ networks, as well as the transmission of spear phishing emails designed to deceive the victim into clicking on a malicious link or attachment to gain unauthorized access to victims’ computer networks.
Scott Brady: (14:45)
Counts three and four charge the defendants with substantive counts of wire fraud associated with the transmission of the NotPetya malware through the computer systems of Heritage Valley Health Systems in the Western District of Pennsylvania using stolen authentication credentials to move to other parts of the network. Count five charges the defendants with a substantive count of computer fraud relating to the transmission of the NotPetya malware on the Heritage Valley Health System computer network, and causing damage to that network. Finally, counts six and seven charge the defendants with aggravated identity theft. That means they illegally obtained identifying information, including usernames and passwords used by real persons, and exploited it to further their hacking activity. All of the countries named in the indictment share the ideals of a free society based on national sovereignty, ordered liberty, the rule of law, and free and fair elections. For these reasons, they also share a common threat, Russia, a country that will stop at nothing to destroy those ideals and instill a sense of instability in its adversaries. The indictment unsealed today was only made possible by the willingness of countries to come together and share information and evidence associated with these attacks.
Scott Brady: (16:02)
In the Western District of Pennsylvania, in conjunction with our partners at NSD and FBI, we continue to develop this new paradigm involving unprecedented levels of collaboration with our foreign law enforcement partners in the ongoing fight against cybercrime, whether committed by transnational organized crime groups or nation-state groups, such as the Russian GRU.
Scott Brady: (16:25)
In closing, I want to thank the Assistant US Attorneys from my office and the trial attorneys from the National Security Division for their incredible work on this case. We in the Western District of Pennsylvania value the long and trusted working relationship with NSD under AAG Demers’ leadership. I also want to thank all the agents from the FBI’s Pittsburgh, Oklahoma, and Atlanta field offices, the FBI legal attache offices around the world who contributed to this investigation, FBI Cyber Division at FBI Headquarters, and the assistance we received from our foreign partners, from victims, and from those in cybersecurity private industry. Now I will turn the podium over to FBI Deputy Director, David Bowdich.
David Bowdich: (17:08)
Good afternoon. We’re here to turn a spotlight on the numerous destructive cyber attacks which are perpetrated by the GRU, which as you’ve heard is the Russian military’s intelligence agency. This activity went well beyond traditional intelligence collection. The GRU targeted the global energy sector, the international political groups, hospitals, and even the Olympics. Time and again, Russia has made it clear they will not abide by accepted norms, and instead they intend to continue their destructive and destabilizing cyber behavior. Of course, this threat is not new. We’ve been fighting the cyber threat for years now, addressing hack after hack, as our adversaries continue to escalate their crimes and use their capabilities not just to gather intelligence, but also to disrupt, degrade, and destroy. We investigate one major hack only to uncover another one. We are particularly concerned when nation-state adversaries target our critical infrastructure and our intellectual property, both here at home and abroad.
David Bowdich: (18:44)
These actors we’re talking about today are alleged to have developed and deployed the NotPetya disruptive malware, which wreaked havoc across the entire globe. NotPetya is considered one of the most destructive cyber attacks ever. Victims included a hospital in Pennsylvania, as you’ve heard already. The cyber attack crippled that hospital’s operations. I’ll not repeat what the US Attorney went through earlier, but in the end, as he mentioned, that included more than $2 million in damages to a hospital in the state of Pennsylvania. The indictment also alleges this group was responsible for the Olympics, the Olympic Destroyer malware, which knocked the official 2018 Winter Olympics’ website offline and prohibited attendees from even being able to gain their event tickets. These actors conducted these brazen attacks from the safety of their own country, but that does not mean that we should not and will not pursue them and hold them accountable.
David Bowdich: (19:56)
Whether you’re a cyber criminal turning profit from hacking, or a Russian military intelligence officer who is intent on taking down infrastructure, these attacks will not be tolerated. We will continue to work in tandem with our partners to impose risks and consequences on these actors however we can, whether it’s through indictments or other means. In this case, we brought the investigative resources and expertise of three different field offices, as you heard earlier. The Pittsburgh Field Office of the FBI, the Atlanta Field Office of the FBI, and the Oklahoma City Field Office of the FBI. We brought them all together to attribute these attacks to the GRU.
David Bowdich: (20:41)
We also want to thank the nation’s tech giants, which includes Google, Cisco, Facebook, and Twitter, for all stepping up and helping us with this investigation. This is more common, that we work hand in hand with our private sector partners today, than ever before. We’re going to continue to work together with our partners, both at home and abroad, in law enforcement and in the private sector, to stop brazen cybercrime and hold these people accountable.
David Bowdich: (21:13)
One thing I do want to take time to do is thank the FBI agents and analysts and those employees that worked very diligently on this investigation. I also want to take the time to thank all the Assistant United States Attorneys, and from a headquarters perspective, the Department of Justice here, and the FBI Headquarters Cyber Division personnel who worked very tirelessly on this investigation. These investigations, as I’ve mentioned before, they are arduous, and they take diligence, and they take tenacity to get them over the finish line. We’re not yet there, but we are to the point of indictment, and that’s why we’re here today. The cyber threat continues to be daunting, but when we bring the right people, the right tools, and the right authorities, our adversaries, we believe, are no match to what we can accomplish together.
David Bowdich: (22:09)
Next up, I’d like to introduce our Special Agent in Charge of our Pittsburgh Office, Mike Christman.
Mike Christman: (22:22)
Good afternoon. Again, my name is Mike Christman. I’m the Special Agent in Charge of the FBI Pittsburgh Office. I know you’ve heard a lot about this investigation already and the great work being done by our international partners and our private sector partners. I wanted to echo those same sentiments. I also wanted to thank the Department of Justice National Security Division, and US Attorney Scott Brady, and his team in the Western District of Pennsylvania. US Attorney Brady and his team have been proactive in adopting a global approach to take down cyber criminal networks whose impact extends well beyond Pittsburgh, and across the globe, for that matter. I would also like to thank FBI Headquarters and the role the FBI Pittsburgh Division played in the investigation and commend the Atlanta and Oklahoma City FBI offices for their work. Multiple field offices, multiple investigations coming together to form a joint coherent strategy.
Mike Christman: (23:33)
This investigation is Team FBI at its best. It displayed the exceptional talent and dedication of our teams in Pittsburgh, Atlanta, and Oklahoma City, who worked seamlessly and spent years tracking these members of the GRU. I can’t say enough about the work of these three offices. Agents in Pittsburgh, utilizing cutting edge investigative techniques and analytics
Mike Christman: (24:03)
… to secure the charges that we’re discussing here today, charges that were made possible by leveraging the tremendous experience and expertise of agents in Atlanta regarding energy and the NotPetya attacks, as well as the expertise of agents in Oklahoma City regarding Russian GRU actors. The GRU is a persistent adversary, actively engaging in espionage and destructive attacks. These cyber attacks are unmatched in their destructive manner, and disregard for public safety and innocent victims. In fact, NotPetya was the most destructive cyber attack in history, with approximately 10 billion in damages and over 300 victims worldwide. This case demonstrates what’s possible when international, private sector, and law enforcement partners all work together. Together we are uniquely positioned to identify criminal actors and overcome obstacles posed by borders and boundaries. Going forward, the FBI will continue coordinated efforts and commit to combating these threats through enhanced global partnerships, intelligence dissemination, and shared expertise and resources. Thank you.
Speaker 3: (25:22)
All right. We will have Pete Williams start with our first question.
Pete Williams: (25:38)
Thank you, Mr. Demers, can you tell me about the timing of this news conference today? These attacks have long been attributed to the GRU. So is there a significance to the timing of these charges coming just two weeks before the US presidential election?
John Demers: (25:54)
Not particularly in that regard. We undertake these investigations, as the deputy director said, they take quite some time, as you can see from these posters, we don’t attribute them to countries or military intelligence units, we attribute them to individuals in those countries. And when the investigation has matured and we’re ready, according to the principles of federal prosecution, then we bring the cases.
Speaker 3: (26:23)
Our next question is from Eric Tucker with the Associated Press.
Eric Tucker: (26:30)
That none of these six is currently in custody. And I apologize if I missed discussion with that earlier. And can you, and this might be for you Mr. Demers, or somebody else, talk a little bit about the legal framework that allows the Justice Department to bring charges against hacks that are on non-American targets.
John Demers: (26:48)
Well, what we’re charging is a conspiracy. That conspiracy conducted a series of computer intrusions that harmed American victims and American companies. And then as part of that conspiracy, we can charge overt acts of that conspiracy that also were targeted and affect people in other countries. I don’t know, Scott, if you.
Speaker 3: (27:13)
Christopher Bing from Reuters will now be the next question.
Christopher Bing: (27:18)
Yeah. Thank you for doing this. I just wanted to ask about a component of this news that was talked about by your British colleagues who mentioned that the 2021 Summer Games was also being targeted by these hackers. I didn’t notice that in the indictment. And I wanted to know if Justice Department was aware of this targeting that’s more recent. Thank you.
John Demers: (27:40)
Well, I think at this press conference, we’re going to stick to what we’ve charged with just back into the Winter Games and we’ll take them as they come.
Speaker 3: (27:51)
Next question from Jake Gibson from Vox.
Jake Gibson: (27:57)
Hello? Can you hear me?
John Demers: (28:00)
Jake Gibson: (28:00)
All right. Sorry. So is there any evidence, I know it probably is not part of this indictment, but I figured I should ask anyway, do you have any evidence about GRU are you actively trying to hack or negative actions towards the 2020 American elections?
John Demers: (28:21)
Well, as you said, that’s not part of this indictment. With respect to the elections that are coming up, we haven’t seen anything that caused us to question what we’ve, I think, repeatedly said, and what the intelligence community has repeatedly said that Americans should be confident that a vote cast for their candidate will be counted for that candidate.
Speaker 3: (28:47)
Next question is Andy with CBS.
Hi, thanks for the question.
Going off what was just asked actually, a lot of private industry computer folks talk about Sandworm, which was this unit being a big concern coming up on the election in the US. And I’m wondering, John, I heard what you just said, obviously, but is there any evidence or have you guys taken any action against Sandworm or related groups in the last few weeks or months?
John Demers: (29:20)
Well, I’m not going to go beyond what I just said in that regard. Thanks though.
Speaker 3: (29:27)
Our last question will be from Tim [inaudible 00:29:29] with CyberScoop.
… this is anywhere in the 50 page indictment, still working my way through it, but can you talk about what Facebook and Twitter did to help with this?
John Demers: (29:40)
I don’t know, Dave do you want to do that?
Speaker 4: (29:47)
I’ll take it. Listen, we’re not going to get into specifics of what the companies do to help us, sorry. We’re not going to get into the specifics of what the companies to help us. I will simply leave it at they did help us in a very significant manner, which we are fortunate enough to enjoy that partnership in more and more cyber investigations.
Speaker 3: (30:13)
This now concludes the formal press conference. All cameras will now be turned off. We will-