In a series of indictments and sanctions announced Thursday, authorities in the United States and Britain accused two Russian intelligence officers of orchestrating a long-running hack-and-leak operation aimed at meddling in U.S. and U.K. politics.
The men — identified as Andrey Stanislavovich Korinets and Ruslan Aleksandrovich Peretyatko — were indicted by the U.S. Justice Department and sanctioned by both the U.S. Treasury and the British government. The U.S. State Department announced a $10 million reward for information related to the men or their wider operation.
The U.S. government accused Korinets and Peretyatko of working under the Russian Federal Security Service (FSB) Center 18, targeting current and former employees of the U.S. government between October 2016 and October 2022 with various phishing and other intelligence-gathering activities.
Authorities in London accused the two men of targeting parliamentarians and the head of a prominent think tank, the Institute for Statecraft. They’re also accused of leaking stolen documents, including sensitive trade documents that were distributed online ahead of the 2019 U.K. general election, as part of an operation that began perhaps as early as 2015.
In an advisory published Thursday, the U.K.’s National Cyber Security Centre, the NSA, the FBI, the Cyber National Mission Force, the Cybersecurity and Infrastructure Security Agency, as well as agencies in Australia and New Zealand, detailed the tactics, techniques and procedures that the men and their wider group employed as part of their operations.
An indictment unsealed in a California federal court on Thursday alleges that the two men engaged in a “sophisticated, global ‘spear phishing’ campaign to target and gain unauthorized access and to maintain persistent access … into the computers and email accounts of targets in numerous countries, including [NATO] countries, particularly the [U.S.] and the [U.K.].”
According to the indictment, the men also targeted Ukraine as part of their work “for the benefit of the Russian government.”
The U.S. targets included former U.S. intelligence personnel, current and former State Department officials, including a retired U.S. ambassador, current and former Department of Defense officials, defense contractors and current employees at several of the Department of Energy’s 17 facilities across the U.S., according to the indictment.
The group that the men are associated with has been tracked by government and industry researchers and is known variously as the Callisto Group, Star Blizzard, TA446, ColdRiver, TAG-53 and BlueCharlie. The group’s operations have been widely documented, including in a January 2023 report from Reuters that identified Korinets and his apparent role in the operations.
“COLDRIVER carries out global cyber espionage with a focus on Russia’s perennial interests like Western security and foreign policy. What sets them apart from many of their peers, and makes them particularly dangerous, is their willingness to leak hacked data for political purposes,” John Hultquist, the chief analyst at Google’s Mandiant Intelligence, said in an email.
“Russia’s military intelligence service, the GRU, has received the lion’s share of the attention when it comes to election-related activity, which is only natural given their history of serious incidents in the US and France, but this actor is one to watch closely as elections near,” Hultquist added. “The FSB clearly has an interest in political interference, and hacked emails are a powerful tool.”