$10 Million Offered to Russian Accused of Involvement in 'WhisperGate' Malware Attack on Ukraine

Federal authorities are offering a reward of up to $10 million for information on the whereabouts of a Russian national they say was linked to a massive cybersecurity attack on Ukrainian government computer systems before Russia invaded the country.

The planned attack, known as “WhisperGate,” also targeted one of Ukraine’s central European allies and included attempts to investigate U.S. government facilities in Maryland, according to an indictment unsealed Wednesday morning.

Subscribe to The Post Most newsletter to get the most important and interesting stories from The Washington Post.

A federal grand jury this week indicted Russian national Amin Stigal, accusing him of conspiring to commit fraud by hacking and destroying computer systems.

The U.S. District Court in Maryland issued an arrest warrant for Stigal, 22, who prosecutors say remains at large.

“The Department of Justice will continue to support Ukraine on all fronts as it fights Russia’s war of aggression, including by holding accountable those who support Russia’s malicious cyber activities,” U.S. Attorney General Merrick Garland said in a statement announcing the indictment.

The Russian Embassy in Washington did not immediately respond to a request for comment.

In the indictment, federal authorities accuse Stigal of collaborating with Russian military intelligence officers from the Main Intelligence Directorate of the General Staff to carry out the agency’s cyberattack operations in foreign countries. Stigal and the military officers concealed their ties to the Russian government by using false identities, a network of computers around the world and cryptocurrency.

The WhisperGate campaign began about a month before Russia’s invasion of Ukraine in February 2022, according to court documents, when Stigal, at the request of the Russian military, hacked into the computers of dozens of Ukrainian government entities, including those dealing with “critical infrastructure,” agriculture, education, science and emergency services.

The attack used software designed to look like a ransomware attack (which blocks access to files until a ransom is paid), but in fact the files were completely deleted, according to the indictment. WhisperGate also stole and leaked personal data, including the medical records of thousands of Ukrainians, in a move federal authorities said was intended to “create concern among Ukrainian citizens” about the safety and security of their government’s systems.

In October 2022, Stigal and the Russian military also hacked into the transportation infrastructure of a central European country, not named in court documents, that had supported Ukraine with civilian and military aid after the invasion, according to the indictment.

Federal prosecutors also alleged that from December 2020 to the present, the Russian military scanned protected government computers around the world — including in Maryland — as a “preliminary step toward unauthorized access.”

The Maryland activities included Stigal and the Russian military investigating U.S. government websites hosted on protected computers 63 times, according to court documents. Prosecutors said the investigation was similar to what is used elsewhere to identify vulnerabilities.

The indictment does not specify whether the investigation into American systems in Maryland was successful.

The WhisperGate malware attacked Ukrainian computer systems by first deleting files on targeted computers, according to court documents, and then issuing a ransom note demanding a payment of $10,000 in bitcoin to recover the data that had already been erased.

In January 2022, federal prosecutors alleged that the website of Ukraine’s national portal of digital services was hacked to display a message in Polish, Russian, and Ukrainian that read: “Ukrainians! All information about you has become public, be afraid and expect the worst. This concerns your past, present, and future.”

Hours after that attack, prosecutors say Stigal and the military attempted to sell the data, which included criminal records and patient health information.

The reward for information on Stigal’s whereabouts, set at $10 million, is being administered by the State Department’s Rewards for Justice fund.

“Cybercriminals who attack our allies should know that we will pursue them to the fullest extent of the law,” said Maryland U.S. Attorney Erek Barron. “Computer intrusions like the one alleged threaten our national security, and we will use every technology and investigative measure at our disposal to disrupt and track these cybercriminals.”