EarthInsightNews

U.S. Indicts Russian GRU Members for Cyberattacks on Ukraine and American Companies

President Vladimir V. Putin of Russia on Wednesday. The attacks were essentially the opening salvos in the invasion of Ukraine.

The United States has expanded its pursuit of Russia’s elite cyberwarriors, with a newly unsealed indictment targeting five members of Russia’s military intelligence agency, the GRU. The indictment, revealed on Thursday, charges the operatives with launching cyberattacks on Ukrainian government institutions and American companies in the run-up to Russia’s invasion of Ukraine in February 2022. This marks a significant development in the U.S. government’s efforts to hold Russian military intelligence accountable for its cyberwarfare operations, which played a crucial role in the lead-up to the conflict.

The State Department, in coordination with its international allies, has also announced a reward of up to $60 million for information leading to the capture of these individuals. This reward surpasses the $25 million bounty once placed on Osama bin Laden after the September 11 attacks, underscoring the gravity with which these cyberattacks are viewed by the U.S. government.

WhisperGate: The Cyber Precursor to War

The cyberattack campaign, known as “WhisperGate,” began in early 2022 and was aimed at crippling Ukraine’s government, disrupting NATO operations, and undermining confidence in American firms. According to U.S. officials, WhisperGate represented the opening salvos of Russia’s eventual invasion of Ukraine. The GRU’s cyber operatives targeted essential Ukrainian infrastructure, including financial systems, emergency services, healthcare institutions, and government agencies, with the intent to destabilize the country before tanks rolled in.

“The WhisperGate attack in January 2022 could be considered the first shot of the war,” said William J. DelBagno, the special agent in charge of the FBI’s Baltimore field office. The malware deployed in the attack delivered a chilling message to Ukraine, instructing its victims to “be afraid and expect the worst.”

But despite the GRU’s intent to inflict maximum damage, a coordinated defense effort led by U.S. Cyber Command, alongside tech giants like Microsoft, Google, and Amazon, managed to thwart the worst of the damage. Ukrainian governmental operations were swiftly migrated to the cloud, ensuring the continuity of key services. This rapid digital defense, orchestrated with assistance from American private firms, played a critical role in keeping Ukraine operational in the face of a massive cyber onslaught.

Operation Toy Soldiers: The Pursuit of Russian Hackers

In response to these cyberattacks, U.S. law enforcement agencies launched “Operation Toy Soldiers,” an extensive investigation aimed at identifying and neutralizing the GRU’s cyber operatives. On Thursday, the U.S. Department of Justice charged five GRU members for their roles in the WhisperGate attacks. These operatives were part of Unit 29155, a highly specialized division within the GRU responsible for destabilizing nations across Europe. This same unit had previously been linked to Russian interference in the 2016 U.S. elections and other disruptive operations across the globe.

One notable figure indicted in connection with these attacks was Amin Stigal, a civilian hacker who U.S. officials allege worked on behalf of the Russian government. Stigal’s involvement highlights the Kremlin’s ongoing relationship with criminal hackers, who provide technical expertise in exchange for protection and cover for the GRU’s military intelligence activities.

“The inclusion of civilian hackers like Stigal shows how Russia continues to provide a safe haven for criminals in exchange for their support in military cyber operations,” said Matthew Olsen, the assistant attorney general for national security.

The charges against the GRU operatives cover a range of activities, from targeting critical infrastructure in Ukraine to scanning government systems in the United States for vulnerabilities. One of the attacks even targeted a Maryland-based government agency, although U.S. officials declined to specify the name of the agency involved. Given that both the National Security Agency (NSA) and U.S. Cyber Command operate out of Fort Meade, Maryland, the location of the attack adds another layer of complexity to the situation.

How WhisperGate Played into the Ukraine Invasion

The timing of the WhisperGate cyberattacks, just weeks before Russia’s physical invasion of Ukraine in February 2022, reveals the intricate coordination between cyber and military operations in modern warfare. Intelligence gathered by Microsoft in January 2022 indicated that Russian hackers were embedding malicious code within Ukrainian systems, signaling an imminent cyber assault. Tom Burt, Microsoft’s chief of trust and safety, had warned at the time, “A cyberattack first, the land attack next.”

On February 23, 2022, Microsoft’s cybersecurity division observed the activation of destructive “wiper” code embedded in Ukrainian systems. This malicious software was designed to wipe data, rendering critical government and infrastructure systems unusable. Coupled with this digital strike, Russian tanks were soon seen advancing toward Kyiv.

Despite Russia’s efforts to blind Ukraine’s government systems, a combination of quick intervention from private tech firms and support from global allies prevented a total collapse. Microsoft, Google, and Amazon shifted Ukrainian governmental functions to cloud-based systems, allowing continuity in essential operations. Meanwhile, SpaceX’s Elon Musk provided Ukraine with Starlink terminals to keep communication lines open, helping to ensure that Ukraine could withstand the initial waves of both cyber and physical attacks.

This strategic defense is widely regarded as one of the key reasons why Ukraine managed to survive the early stages of the invasion. The successful digital defense mounted by Ukraine and its allies demonstrated the evolving nature of cyberwarfare and the importance of cybersecurity in modern conflicts.

A Broader Context: The GRU’s History of Cyber Aggression

The GRU’s involvement in the WhisperGate campaign comes as no surprise. The intelligence agency has been at the forefront of Russia’s cyber operations for years, having played a central role in interfering with the 2016 U.S. elections. GRU operatives have also been linked to various cyber campaigns aimed at destabilizing Europe, including attacks on power grids and government institutions.

In fact, during President Joe Biden’s first and only face-to-face meeting with President Vladimir Putin in June 2021, cyberattacks were a key topic of discussion. Biden warned Putin that further ransomware attacks against U.S. infrastructure would not be tolerated, signaling the growing importance of cyber defense in diplomatic relations.

However, by late 2021, it became clear that the GRU had continued to plan its next major cyberattack. With tensions rising between Russia and Ukraine, GRU hackers ramped up their efforts to compromise Ukrainian systems, laying the groundwork for the WhisperGate attacks.

U.S. Cyber Defenses Respond: Shutting Down Russian Influence Networks

In addition to the indictment of the GRU operatives, the U.S. Justice Department has taken steps to neutralize Russia’s broader disinformation and cyber influence campaigns. On Wednesday, officials announced the takedown of 32 websites tied to the “Doppelgänger network,” a Russian operation that spread pro-Russian propaganda through fake news sites designed to mimic legitimate media outlets.

The Doppelgänger network had been amplifying disinformation about the war in Ukraine and seeking to sow discord among NATO allies. By targeting this network, U.S. authorities are sending a clear message to Russia: cyberattacks and information warfare will be met with swift action.

A Message to the GRU and the World

Although it is unlikely that the indicted GRU members will be apprehended anytime soon, U.S. officials have vowed to continue pursuing them. Matthew Olsen stressed that the charges send a strong message to the GRU and its operatives: “We are on to you; we have penetrated your systems.” The reward of up to $60 million for their capture also demonstrates the seriousness with which the U.S. views these cyber threats.

In addition to serving as a warning to Russia, the indictment offers valuable insights for cybersecurity professionals worldwide. The information disclosed in the charges highlights the vulnerabilities that the GRU targeted, providing a blueprint for how organizations can better protect themselves against similar attacks in the future.

Conclusion: The Evolving Landscape of Cyberwarfare

The U.S. indictment of five Russian GRU members for their involvement in the WhisperGate cyberattacks underscores the growing role of cyberwarfare in global conflicts. As Russia continues to use cyberattacks as a tool of statecraft, the United States and its allies are stepping up their efforts to defend against these digital assaults.

WhisperGate, which served as the prelude to Russia’s invasion of Ukraine, revealed just how intertwined cyber and physical warfare have become. In this new era of conflict, the ability to defend critical infrastructure from digital threats is just as important as traditional military capabilities. For Ukraine, the resilience of its digital infrastructure—supported by the U.S. and private companies—proved vital in its fight for survival.

As cyberwarfare continues to evolve, the lessons learned from the WhisperGate attacks will shape the future of international security, diplomacy, and defense strategies.

 
