U.S. Indicts Four Russians Allegedly Behind Triton and Dragonfly Attacks

by admin
Dec 24, 2022
in ICS-SCADA

The Department of Justice has unsealed indictments against four Russian nationals who it alleges are responsible for a huge number of intrusions at organizations in the energy sector around the world since 2012, including the Triton malware attack in 2017 and the Dragonfly supply chain attacks against ICS and SCADA system providers.

The indictments, coming during the ongoing Russian invasion of Ukraine, are meant to serve as a clear warning to offensive cyber operators in Russia. The United States federal government has issued a number of warnings and technical bulletins about ongoing and potential Russian cyberattacks in recent weeks, including a White House warning on Monday urging U.S. organizations to shore up their defenses. But the new indictments sound a different note entirely and show the breadth and depth of the U.S. knowledge of offensive Russian cyber operations.

One man, Evgeny Viktorovich Gladkikh, who the DoJ alleges is an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, an affiliate of the Russian Ministry of Defense, was indicted for unsuccessful Triton malware attacks on oil refineries in the U.S.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa Monaco. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

The attack that brought the Triton malware to light was outside the U.S., targeting a petrochemical plant in Saudi Arabia. The malware was designed specifically to interact with Schneider Electric Triconex Safety Instrumented System controllers. The attackers were able to gain access to the plant’s system, but a safety feature caused the malware to fail. Even so, the Triton malware became one of only a handful of known examples of malware tailored for ICS systems, and security researchers consider it a serious demonstration of Russia’s capabilities. The group responsible for that operation has been known for some time, and in October 2020 the Office of Foreign Assets Control sanctioned the State Research Center.

“Though the Central Scientific Research Institute of Chemistry and Mechanics, the state defense lab responsible for the TRITON malware, has been sanctioned, this is the first time individuals associated with the lab have been targeted. The indictments are personal and are meant to remind the people behind Russia’s cyber attack program that they can’t operate behind the shadows without repercussions,” said John Hultquist, vice president of intelligence analysis at Mandiant, who has tracked Russian threats for many years.

The DoJ indictment alleges that Gladkikh, along with unnamed co-conspirators, ran the attack on the Saudi refinery and also researched and ran the unsuccessful attacks on facilities in the U.S.

The second indictment alleges that three other Russian nationals, who are part of the FSB-affiliated APT group known variously as Energetic Bear and Crouching Yeti, ran a five-year-long campaign known as Dragonfly that was focused on compromising ICS and SCADA software supply chains using the Havex malware. The men charged in the indictment are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov. Dragonfly was a two-stage operation. The first stage involved the attackers compromising the networks of ICS and SCADA software makers and then inserting Havex into the update pipelines. Once organizations downloaded the malicious updates, the attackers could then gain a foothold on those networks. More than 17,000 devices were infected as part of this campaign, the DoJ said.

“These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon.”

Copyright © 2022 Cyber Affairs. All rights reserved.
