The Department of Justice charged four Russian nationals for extensive hacking campaigns against critical infrastructure entities across the globe.
Two separate indictments were unsealed Thursday that alleged the defendants targeted the energy-sector organizations across the globe with critical infrastructure attacks between 2012 and 2018. As described in the allegations, one campaign involved hacking industrial control systems (ICS) and operational technology, which had the potential for "catastrophic effects."
The first unsealed indictment against 36-year-old Evgeny Viktorovich Gladkikh, a member of the Russian Ministry of Defense, revealed he was initially charged in June 2021. Those charges include conspiracy to cause damage to an energy facility, which carries a maximum sentence of 20 years.
Gladkikh and his unnamed co-conspirators are accused of deploying the infamous Trisis or Triton malware against ICS systems in energy targets between May and September 2017. The indictment claims the defendants installed the malware on a safety system produced by Schneider Electric.
The indictment appears to refer to a notorious incident in 2017, when the ICS of a petrochemical plant in Saudi Arabia was hit by Triton. Though the Saudi Arabian company is not named in the indictment, it does refer to the targeted refinery as foreign and includes the alleged tampering of the system's safety settings.
"The conspirators designed the Triton malware to prevent the refinery's safety systems from functioning, granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby and economic harm," the DOJ release said.
The attack ended unsuccessfully after the emergency shutdown controls were triggered. The following year, FireEye attributed the development and deployment of the malware to the Russian government.
The DOJ claims the defendants deployed additional unsuccessful attacks between February and July 2018, this time against U.S. companies.
The release asserts the defendant's motives were to "compromise the safety of energy facilities." By disabling the refinery's safety systems, the attackers could have triggered an explosion.
In an interview with SearchSecurity in 2018, Dragos CEO Robert Lee said, "If you look at the Trisis malware in Saudi Arabia, there's no polite or easy way to say it: Whoever designed that capability was intending to kill people."
The second indictment was brought against Pavel Aleksandrovich Akulov and two co-conspirators, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov. All three are Russian Federal Security Service (FSB) officers. A grand jury indicted the trio in August, accusing them of being members of the Russian state-sponsored hacking unit known as Dragonfly, which also targeted energy companies and critical infrastructures.
The indictment claims the defendants intended to target "the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems." Additional accusations include supply chain attacks and hacking the networks of oil and gas firms in the U.S., but more notably nuclear power plants.
"Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing," the release said.
The use of spearphishing was highlighted in the indictment, a tactic that appears to have been successful in some attacks against U.S. and international companies such as the Nuclear Regulatory Commission. The indictment claims the defendants even gained access inside the networks of the Wolf Creek Nuclear Operating Corporation in Burlington, Kan.
The release also mentioned a "Dragonfly 2.0 phase" where the actors gained access to credentials by deploying hidden malware in websites visited by energy-sector engineers. In 2018, the Department of Homeland Security provided details of electrical grid attacks carried out by Russian groups like Dragonfly 2.0.
The DOJ applauded Schneider and Wolf Creek for its assistance in the investigation, noting Schneider's "public outreach and education efforts following the overseas Triton attack."
An alert by the Cybersecurity and Infrastructure Security Agency was issued simultaneously with the indictments and offered ICS best practices and mitigations, as well as further technical details into Russian actors' tactics, techniques and procedures when targeting the energy sector.
One week prior to the unsealed indictments, President Joe Biden signed a federal law that requires critical infrastructure entities to report cyber attacks in 72 hours.