U.S. Indicts Four Russians Allegedly Behind Triton and Dragonfly Attacks

The Department of Justice has unsealed indictments against four Russian nationals who it alleges are responsible for a huge number of intrusions at organizations in the energy sector around the world since 2012, including the Triton malware attack in 2017 and the Dragonfly supply chain attacks against ICS and SCADA system providers.

The indictments, coming during the ongoing Russian invasion of Ukraine, are meant to serve as a clear warning to offensive cyber operators in Russia. The United States federal government has issued a number of warnings and technical bulletins about ongoing and potential Russian cyberattacks in recent weeks, including a White House warning on Monday urging U.S. organizations to shore up their defenses. But the new indictments sound a different note entirely and show the breadth and depth of U.S. knowledge of offensive Russian cyber operations. One man, Evgeny Viktorovich Gladkikh, who the DoJ alleges is an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, an affiliate of the Russian Ministry of Defense, was indicted for unsuccessful Triton malware attacks on oil refineries in the U.S.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa Monaco. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

The attack that brought the Triton malware to light was outside the U.S., targeting a petrochemical plant in Saudi Arabia. The malware was designed specifically to interact with Schneider Electric Triconex Safety Instrumented System controllers. The attackers were able to gain access to the plant’s system, but a safety feature caused the malware to fail. Even so, Triton became one of only a handful of known examples of malware tailored for ICS environments, and security researchers consider it a serious demonstration of Russia’s capabilities. The group responsible for that operation has been known for some time, and in October 2020 the Office of Foreign Assets Control sanctioned the State Research Center.

“Though the Central Scientific Research Institute of Chemistry and Mechanics, the state defense lab responsible for the TRITON malware, has been sanctioned, this is the first time individuals associated with the lab have been targeted. The indictments are personal and are meant to remind the people behind Russia’s cyber attack program that they can’t operate behind the shadows without repercussions,” said John Hultquist, vice president of intelligence analysis at Mandiant, who has tracked Russian threats for many years.

The DoJ indictment alleges that Gladkikh, along with unnamed co-conspirators, ran the attack on the Saudi refinery and also researched and ran the unsuccessful attacks on facilities in the U.S.

The second indictment alleges that three other Russian nationals, who are part of the FSB-affiliated APT group known variously as Energetic Bear and Crouching Yeti, ran a five-year-long campaign known as Dragonfly that was focused on compromising ICS and SCADA software supply chains using the Havex malware. The men charged in the indictment are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov. Dragonfly was a two-stage operation. The first stage involved the attackers compromising the networks of ICS and SCADA software makers and then inserting Havex into the update pipelines. Once organizations downloaded the malicious updates, the attackers could then gain a foothold on those networks. More than 17,000 devices were infected as part of this campaign, the DoJ said.

“In the second phase, which took place between 2014 and 2017 and is commonly referred to as 'Dragonfly 2.0,' the conspirators transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. As alleged in the indictment, the conspirators’ tactics included spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission,” the DoJ said in a statement.

One of those campaigns compromised the IT network of Wolf Creek Nuclear Operating Corp. in Kansas, but did not affect its SCADA systems. Security researchers have had information about the actors behind these attacks for some time, but this is the first time that the government has shown its hand on these attacks. The FBI and the Cybersecurity and Infrastructure Security Agency also published an advisory about these campaigns on Thursday.

“Until now, the details of the organization behind this activity have not been public. While we have significant details about the GRU operators who carry out disruptive and destructive cyber attacks, the FSB’s connection had not yet been publicly exposed. The actor has been involved in repeated attempts to gain access to U.S. and European critical infrastructure across multiple sectors, including utilities, manufacturing, airports and others. We are concerned that while there have been significant remediation efforts after each of the intrusion campaigns, the actor may retain some access,” Hultquist said.

“Notably, we have never seen this actor actually carry out disruptive attacks, just burrow into sensitive critical infrastructure for some future contingency. Our concern with recent events is that this might be the contingency we have been waiting for.”

Though the chances of any of the Russians charged in the indictments being prosecuted in the U.S. are vanishingly low, that’s not really the point.

“These indictments are a warning shot meant for the organizations and individuals behind two of the three Russian intrusion groups who carry out disruptive cyber attacks. Individuals from the third group, Sandworm, have already been indicted. These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon,” Hultquist said.