US indicts Russian for cyberattacks meant to destroy Ukraine before invasion

A Russian national – whose father is also wanted by the feds for a different cybercrime – was indicted by a US grand jury for launching multiple WhisperGate malware attacks against the Ukrainian government at least a month before the Russian invasion.

The US Department of Justice (DoJ) says the 22-year-old Russian citizen, Amin Timovich Stigal, was working directly with the Russian military’s cyber intelligence branch – known as the GRU – to carry out the destructive attacks.

A federal grand jury in Maryland returned the indictment against Stigal, who remains at large, on Tuesday. Alongside the indictment, the US Department of State’s Rewards for Justice program has offered up to $10 million for information on Stigal's location or cyber activities.

Stigal and members of the Main Intelligence Directorate of the General Staff (GRU) are said to have first targeted Ukrainian government systems on January 13th 2022, in advance of Russia’s full-scale invasion on February 24th that same year.

According to the DoJ, the defendant and his conspirators used the services of a US-based company to distribute the WhisperGate wiper malware to dozens of computer systems belonging to Ukraine’s government and related agencies.

WhisperGate malware, which at first resembles ransomware, was designed to render targeted systems inoperable and destroy data. It is similar to the notorious NotPetya malware unleashed by Russia in 2017.

Originally discovered by Microsoft Threat Intelligence researchers in May 2022, the coordinated WhisperGate campaign led to the defacement of at least 70 government websites at the time, plastered with messages meant to instill fear among Ukrainians.

The malicious 'hack and destroy' campaign was later extended to computer systems in countries supporting Ukraine, including the United States.

Assistant Attorney General Matthew G. Olsen commented on the GRU's ongoing use of cyber tactics for "indiscriminate destruction and intimidation" and emphasized the Department's commitment to thwarting such malicious behavior and holding cybercriminals accountable, the DoJ announcement said.

Pre-invasion attacks started months earlier

Ukrainian government networks targeted in the pre-invasion WhisperGate attacks included Ukraine's Ministry of International Affairs, the State Treasury, and State Emergency Services, as well as the Ministries of Education, Agriculture, Energy, and Sports, among others. By August, the same conspirators were said to have targeted the transportation infrastructure of one of Ukraine’s allies in Central Europe.

The Kremlin-backed hackers also were able to exfiltrate sensitive data from compromised systems, including patient health records, attempting to sell the stolen data online the same day, the DoJ said.

From August 2021 leading up to the invasion, the court documents allege the conspirators used the same WhisperGate malware to break into a federal government agency in Maryland, possibly to test the malware's capabilities, leading to the charges in the US.

“Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals,” vowed US Attorney Erek L. Barron for the District of Maryland.

If convicted, Stigal could face up to five years in prison.

Family of hackers

In a strange twist, it appears Stigal’s father is also wanted by the US government for his own criminal hacking offenses.

Malware repository vx-underground unearthed the elder Stigal’s wanted poster, screenshotted the two men side by side in their respective pictures, and posted about it on X with the comment, "Families that commit state-sponsored-cyber-espionage stay together."

The father, 43-year-old Russian national Tim Vakhaevich Stigal, is wanted for “Conspiracy to Commit Computer Intrusion and Damage,” according to the US Secret Service Field Office in Newark, New Jersey, which looks to be in charge of the case.

According to the wanted poster, between April 2014 and March 2016, Tim Vakhaevich Stigal was “allegedly part of four separate conspiracies to traffic stolen payment card information from customers of at least three corporate victims,” all located in the US.

The Secret Service describes the elder Stigal as bald, graying, and at least 200 lbs., although it's not clear how old the pictures are.

In one instance, the poster states that Stigal threatened to “impair the confidentiality of stolen personal data” of the customers if a ransom was not paid by the corporate victim.

The two men reportedly have numerous aliases, including Timur Stigal, Tim Baxaenary Crura, "Key" for the father, and Amin Sta for his son.

By contrast, the younger Stigal’s picture is from 2022. He is said to have been born in Grozny, the capital of Chechnya, has ties to the Republic of Dagestan, Russia, and speaks three languages – English, Russian, and Arabic.

The FBI states that Amin Stigal is 22 years old and was born January 10, 2002, but is also known to use a fake birthdate of August 1, 1996, making him appear 6 years older than he really is.

Tips for either suspect can be submitted to the US Department of State’s Rewards for Justice program.