US Announces $10 Mln Bounty for Russian Hacker Behind 2022 Hack Targeting Ukraine

In addition to the 2022 “WhisperGate” incident, the US said the hacker was behind other cyberattacks targeting US and European government institutions and infrastructure.

The US Federal Bureau of Investigation (FBI) is now offering $10 million for information that could aid the capture of Amin Timovich Stigal, a Russian hacker from Chechnya who, alongside Russian intelligence, launched a cyberattack campaign against Ukrainian institutions a month prior to Moscow’s 2022 full-scale invasion.

Stigal, age 22, was also behind a cyberattack on transportation infrastructure in an unspecified Central European country and US government systems in Maryland.

The cyberattack on Ukraine, also known as WhisperGate, used a data wiper disguised as ransomware targeting dozens of Ukrainian government and government-affiliated institutions in January 2022.

It rendered systems inoperable and demanded a ransom of $10,000 in cryptocurrency to recover the data, when in reality the data was wiped from the computers regardless of payment.

The institutions targeted include Ukraine’s Ministry of International Affairs, the State Treasury, the Judiciary Administration, the State Portal for Digital Services (Diia), the Ministry of Education and Science, the Ministry of Agriculture, the State Service for Food Safety and Consumer Protection, the Ministry of Energy, the Accounting Chamber for Ukraine, the State Emergency Service, the State Forestry Agency and the Motor Insurance Bureau.

Stigal and his co-conspirators also leaked on the darknet the data they had supposedly obtained.

“The Conspirators also stole and leaked through online platforms the personal data of thousands of Ukrainian civilians, including medical records. The purpose of the attack was, in part, to sow concern among Ukrainian citizens regarding the safety of their Government’s systems and their personal data in advance of the Russian attack of Ukraine,” read the US court indictment.

The US indictment also said Stigal “knowingly and intentionally” conspired with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU) in the cyberattack, and that his group attempted to conceal the GRU connection by using false identities and making false statements.

The indictment said Stigal and his group probed the Ukrainian government services, including the e-government portal Diia, between August 2021 and January 2022 before launching the cyberattacks.

They then tried to sell the data of 13.5 million alleged Diia users for $80,000 on the darknet.

However, the Ministry of Digital Transformation told Ukrainian tech outlet DOU that Diia only had 1.5 million users at the time, and the data on the darknet was likely “a compilation of various databases that were merged much earlier from private companies.” Ukraine’s cyber police department also denied the report at the time.

Therefore, it’s not immediately clear if Stigal and his group actually managed to obtain data from Ukraine’s Diia portal during the 2022 hack.

Cyberattacks have been commonplace in the war in Ukraine, as part of what some have termed “hybrid warfare.” They range from simple distributed denial-of-service (DDoS) attacks that disrupt operations to extensive campaigns that damage cyber infrastructure through back-end access.

According to Microsoft, a number of hacker groups are known to be associated with various branches of Russian intelligence services.