US charges 4 Russian agents over hacking campaign targeting global energy sector


The US Justice Department on March 24 announced indictments against four Russian government agents accused in two hacking schemes targeting hundreds of companies and organizations in around 135 countries between 2012-2018, including two separate emergency shutdowns at one facility in Saudi Arabia.

The DoJ unsealed two indictments, one from June 2021 and one from August 2021, charging one employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and three officers of Russia's Federal Security Service (FSB).

According to the indictments, between May and September 2017 Evgeny Viktorovich Gladkikh, a computer programmer at TsNIIKhM, together with co-conspirators compromised the computer systems of an unnamed foreign refinery and installed the Triton (Trisis) malware on a safety instrumented system made by Schneider Electric. The malware was meant to disrupt the safety systems, which would have allowed the attackers to cause damage to the refinery, injury to anyone nearby, and economic harm.

“However, when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations,” the DoJ said.

Between February and July 2018, the conspirators unsuccessfully attempted to hack into similar refineries in the US, according to the indictment.

The three other defendants, charged in August 2021, are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, officers in Military Unit 71330, or "Center 16," of the FSB. The unit is also known as “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.”

Between 2012 and 2017, the three hackers and their associates conducted hacking operations, including supply chain attacks, against entities related to the global energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies. The hackers targeted the software and hardware that controls equipment in power generation facilities, known as industrial control systems (ICS) or Supervisory Control and Data Acquisition (SCADA) systems.

The first campaign, known as “Dragonfly” or “Havex,” took place between 2012 and 2014 and involved supply chain attacks seeking to compromise the computer networks of ICS/SCADA system manufacturers and hide the Havex malware within legitimate software updates.

The second campaign (“Dragonfly 2.0”) involved spearphishing attacks targeting specific energy sector entities and individuals, including engineers who worked with ICS/SCADA systems.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” US Deputy Attorney General Lisa Monaco said. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defences and remain vigilant.”

Cybersecurity Help’s statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!
