Four Russian hackers led a global campaign targeting the energy sector between 2012 and 2018, including a nuclear power plant in Kansas and a potentially deadly attack on a refinery in Saudi Arabia, according to court papers unsealed by the Department of Justice yesterday.
The two indictments handed down last year by federal grand juries in Kansas and the District of Columbia describe Russian state-backed campaigns that targeted hundreds of companies and organizations across 135 countries.
Three hackers who worked for Russia’s intelligence arm are charged with having targeted nearly every corner of the energy world, including oil and gas, nuclear plants, companies operating electric grids, renewable energy producers and energy consultants, according to DOJ.
Pavel Aleksandrovich Akulov, 36; Mikhail Mikhailovich Gavrilov, 42; and Marat Valeryevich Tyukov, 39, were members of an elite unit of Russia’s Federal Security Service. Cybersecurity researchers knew the Russian unit as “Dragonfly” and “Energetic Bear,” among other names. For years, according to DOJ, the hackers worked to further Russia’s ongoing effort to “maintain surreptitious, unauthorized and persistent access” to energy industry computers.
Employees of the U.S. Nuclear Regulatory Commission were targeted, the indictment alleges. The hackers also gained access to the Wolf Creek Nuclear Operating Corp., which operates a nuclear power plant near Burlington, Kan.
The second indictment charges Evgeny Viktorovich Gladkikh, 36, with helping to unleash what has been described as the world’s most dangerous malware, known as Triton, while working at a research institute in Moscow. The State Department is offering $10 million for information on Gladkikh.
In 2020, the Treasury Department imposed sanctions against the leading research facility at Russia’s Military of Defense for its part in building the Triton malware (Energywire, Oct. 26, 2020).
Gladkikh was part of a broader Russian effort to hack industrial control systems like the kind used to run pipelines, power plants and refineries. Triton malware hit the radar of cybersecurity experts in 2017 after a hack on a foreign refinery that sought to disable safety systems. Both its sophistication and potentially catastrophic results raised alarms.
The malware targeted the safety controls and led to partial shutdowns at Saudi Arabia’s Petro Rabigh petrochemical and refinery complex, which E&E News first reported (Energywire, March 7, 2019).
The Biden administration decided to unseal the indictments as part of a larger effort to get the word out about Russian intentions to continue probing and looking for ways into U.S. critical infrastructure. In particular, U.S. intelligence says Russia is actively targeting energy and exploring options for a malicious attack (Energywire, March 22).
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”
Alongside the indictments, the Cybersecurity and Infrastructure Security Agency, the FBI and the Energy Department released an alert with technical descriptions of the Russian methods, including spearphishing and supply chain attacks.
Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response, urged the industry “to remain vigilant in light of Russia’s invasion of Ukraine.”
The campaign against the energy sector had two phases, according to DOJ. The 2012 to 2014 campaign used malware dubbed “Havex” to install malware on “17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.”
The second phase of the global campaign, spanning from 2014 to 2017, began with the compromise of a Michigan construction company. The hackers used that access to create four email accounts to send malicious attachments to more than 3,300 accounts at more than 500 U.S. and international companies. Many of them were energy-focused, according to the indictment.
In the Wolf Creek hack, the three hackers pretended to be a job seeker, attaching a resume loaded with malware.