$10M offered for Russian accused in ‘WhisperGate’ malware attack on Ukraine

Federal authorities are offering a reward of up to $10 million for information on the whereabouts of a Russian national who they say is connected to a sprawling cybersecurity attack on Ukrainian government computer systems ahead of Russia’s invasion of the country.

The planned attack, known as “WhisperGate,” also targeted one of Ukraine’s Central European ally nations and included attempted probes of U.S. government facilities in Maryland, according to an indictment unsealed Wednesday morning.

A federal grand jury indicted Russian national Amin Stigal this week, charging him with conspiring to commit fraud by hacking and destroying the computer systems.

The U.S. District Court in Maryland issued an arrest warrant for Stigal, 22, who prosecutors said remains at large.

“The Justice Department will continue to stand with Ukraine on every front in its fight against Russia’s war of aggression, including by holding accountable those who support Russia’s malicious cyber activity,” U.S. Attorney General Merrick Garland said in a statement announcing the indictment.

The Russian Embassy in Washington did not immediately respond to a request for comment.

In the indictment, federal authorities allege that Stigal worked with Russian military intelligence officers from the Main Intelligence Directorate of the General Staff to carry out the agency’s cyberattack operations in foreign countries. Stigal and the military officers concealed their connection to the Russian government by using fake identities, a network of computers across the world and cryptocurrency.

The WhisperGate campaign began about a month before Russia’s February 2022 invasion of Ukraine, according to court documents, when Stigal, at the behest of the Russian military, hacked the computers of dozens of Ukrainian government entities, including those that deal with “critical infrastructure,” agriculture, education, science and emergency services.

The attack campaign used software designed to look like a ransomware attack - which is when access to files is blocked until a ransom fee is paid - but in fact, the files were deleted altogether, according to the indictment. WhisperGate also stole and leaked personal data, including the medical records of thousands of Ukrainians - which federal authorities said was meant to “sow concern among Ukrainian citizens” regarding the safety and security of their government’s systems.

In October 2022, Stigal and the Russian military also hacked the transportation infrastructure of a Central European country, which is not named in court documents, that had supported Ukraine through civilian and military aid after the invasion, according to the indictment.

Federal prosecutors also alleged that, from December 2020 through the present day, the Russian military has been scanning protected government computers across the globe - including in Maryland - as a “preliminary step toward gaining unauthorized access.”

The activity in Maryland included Stigal and the Russian military “probing” U.S. government websites hosted by protected computers 63 times, according to court documents. The probing was the same tactic used in other places to identify vulnerabilities, prosecutors said.

The indictment did not say whether the probing of U.S. systems in Maryland was successful.

The WhisperGate malware attacked Ukrainian computer systems by first deleting the files on the targeted computers, according to court documents, then producing a ransom note that demanded a payment of $10,000 in bitcoin to retrieve the data that had already been wiped.

In one incident in January 2022, federal prosecutors alleged that Ukraine’s website for the State Portal for Digital Services was hacked to display a message in Polish, Russian and Ukrainian that read: “Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future.”

Within hours of that attack, prosecutors allege that Stigal and the military tried to sell the data, which included criminal records and patient health information.

The reward for information on Stigal’s location, set at up to $10 million, is being managed through the State Department’s Rewards for Justice fund.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek Barron, the U.S. attorney in Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”
