The U.S. has indicted four Russian government employees for their role in cyberattacks targeting hundreds of companies and organizations in the energy sector worldwide between 2012 and 2018.
“The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018.” reads a press release published by DoJ. “In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.”
The two indictments, one from June 2021 and one from August 2021, are charging one employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and three officers of Russia’s Federal Security Service (FSB).
According to the June 2021 indictment, an employee of the Russian Ministry of Defense research institute, Evgeny Viktorovich Gladkikh, and his co-conspirators attempted to damage critical infrastructure outside the US. The attacks caused two separate emergency shutdowns at a foreign targeted facility. The group also attempted to hack the systems of a US company operating critical infrastructure in the United States.
“According to the indictment, between May and September 2017, the defendant and co-conspirators hacked the systems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton” or “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation. The conspirators designed the Triton malware to prevent the refinery’s safety systems from functioning (i.e., by causing the ICS to operate in an unsafe manner while appearing to be operating normally), granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm.” continues the DoJ. “However, when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations.”
On August 2021, the US DoJ charged three FSB officers (Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov), working in Military Unit 71330 or ‘Center 16.’ (aka Dragonfly, Berzerk Bear, Energetic Bear, and Crouching Yeti).
Between 2012 and 2017, the Dragonfly APT conducted multiple attacks targeting ICS or Supervisory Control and Data Acquisition (SCADA) systems used in the energy industry, including oil and gas firms, nuclear power plants, as well as utility and power transmission companies.
According to the indictment, the campaigns against the energy sector campaign involved two phases. In the first phase, which took place between 2012 and 2014, the nation-state actor was tracked as “Dragonfly” or “Havex” and engaged in a supply chain attack, compromising OT networks system manufacturers and software providers deploying the “Havex” implant.
The attackers also launched spear-phishing and “watering hole” attacks that allowed them to instal malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.
In the second phase, which took place between 2014 and 2017, the APT group tracked as “Dragonfly 2.0” focused on more targeted attacks on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. The group targeted more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.” states the DoJ.
DoJ warns of attacks from Russia-linked APT groups against critical infrastructure on a global scale.
CISA, the FBI, and the U.S. Department of Energy also published a joint cybersecurity advisory detailing tactics, techniques, and procedures (TTPs) of indicted state-sponsored Russia-lineìked threat actors.
“This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 and targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred.” reads the joint advisory.
(SecurityAffairs – hacking, Russian government employees)