The US Justice Department has indicted four Russian government officials in a year-long hacking campaign targeting critical infrastructure, including a US nuclear power plant and a petrochemical plant in Saudi Arabia.
The first indictment, dated June 2021, accuses 36-year-old Evgeny Viktorovich Gladkikh, a Russian Defense Ministry programmer, and two associates of planning to hack into industrial control systems, the critical equipment that keeps industrial facilities running. Gladkikh is said to be behind the infamous Triton malware that was used to attack a petrochemical plant in Saudi Arabia in 2017. The hackers used the malware in an attempt to disable the plant's safety systems, which are designed to prevent dangerous situations that could lead to leaks or explosions. Triton was first attributed to Russia in October 2018.
The Justice Department said that after a failed plan to blow up a plant in Saudi Arabia, hackers attempted to break into the computers of a company that operated equally important infrastructure facilities in the US.
The second indictment, filed in August 2021, charges Pavel Alexandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, all alleged members of military unit 71330 of the Russian FSB, with several attacks targeting the energy sector between 2012 and 2017. The hackers, better known to security researchers as Dragonfly, Energetic Bear and Crouching Yeti, attempted to gain access to the computer networks of companies in the international energy sector, including oil and gas companies, nuclear power plants, and utility and energy transmission companies, the indictment said.
During the first phase of their attacks, which took place between 2012 and 2014, the attackers compromised the networks of industrial control equipment manufacturers and software vendors and then concealed the Havex malware in software updates. This, along with spear phishing and watering hole attacks, a technique that targets users by infecting the websites they visit frequently, allowed the attackers to install malware on more than 17,000 unique devices in the US and abroad.
The second phase, Dragonfly 2.0, ran from 2014 to 2017 and targeted over 3,300 users across more than 500 U.S. and international organizations, including the U.S. Nuclear Regulatory Commission and Wolf Creek Nuclear Operating Corporation.
“Russian-sponsored hackers pose a serious and ongoing threat to critical infrastructure in the United States and around the world,” said US Deputy Attorney General Lisa Monaco. “While the criminal charges disclosed today are a reflection of past activity, they make clear that there is an urgent need for U.S. companies to step up their defenses and remain vigilant.”
John Hultquist, vice president of intelligence analysis at Mandiant, said the allegations provide insight into the FSB’s role in Russia’s state-sponsored hacking efforts and are a “warning shot” for Russian intelligence teams carrying out these devastating cyberattacks. “These actions are personal in nature and are aimed at ensuring that everyone who works in these programs knows that they will not leave Russia anytime soon,” he said.
But Hultquist warned that hackers would likely retain access to those networks. “Notably, we have never seen this entity perform destructive attacks, but dig into critical infrastructure vulnerable to future contingencies,” he told gaming-updates. “Our concern with recent developments is that this could be the unexpected development we’ve been waiting for.”
Casey Brooks, a senior adversary hunter at Dragos, which tracks the group behind the Triton malware as “Xenotime,” told gaming-updates that the charges likely won’t stop the hackers.
“These task forces are well resourced and can perform complex operations on an ongoing basis. While the allegations detail the activities of these implementation teams, their scope is much broader,” Brooks said. “For example, we know that for Xenotime this is only part of their overall activity. It is important to understand that these groups are still active and that accusations against these adversaries are unlikely to interfere with future operations.”
The charges come three days after President Joe Biden warned of a growing Russian cyber threat against US companies in response to Western sanctions against Russia for its invasion of Ukraine. They also come just days after the Justice Department charged six hackers working for Russian military intelligence, the GRU. Those hackers, known as Sandworm, are blamed for five years of attacks, including the devastating NotPetya cyberattack that hit hundreds of businesses and hospitals around the world in 2017, and the cyberattack that shut down part of Ukraine’s power grid.