US charges four Russian spies for hacking Saudi oil facility and US nuclear power plant

The U.S. Department of Justice has announced charges against four Russian government employees for a years-long hacking campaign targeting critical infrastructure, including a U.S. nuclear power operator and a Saudi petrochemical facility.

The first indictment, from June 2021, charges Evgeny Viktorovich Gladkikh, 36, a computer programmer at the Russian Ministry of Defense, and two co-conspirators, of planning to hack industrial control systems — the critical devices that keep industrial facilities operational — at global energy facilities. Gladkikh is believed to be behind the infamous Triton malware, which was used to target a petrochemical plant in Saudi Arabia in 2017. Hackers used the malware in an attempt to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Triton was first linked to Russia in October 2018.

Following their failed plot to blow up the Saudi plant, the hackers attempted to hack the computers of a company that managed similar critical infrastructure entities in the U.S, according to the DOJ.

The second indictment, filed in August 2021, charges Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, all allegedly members of Military Unit 71330 of Russia’s Federal Security Bureau (FSB), with a number of attacks targeting the energy sector between 2012 and 2017. The hackers, better known to security researchers as “DragonFly,” “Energetic Bear” and “Crouching Yeti,” attempted to gain access to computer networks of companies in the international energy sector, including oil and gas firms, nuclear power plants and utility and power transmission companies, the DOJ said.

In the first stage of their attacks, which took place between 2012 and 2014, the threat actors compromised the networks of industrial control device makers and software providers, then hid Havex malware inside software updates. This, along with spearphishing and watering hole attacks — a form of attack that targets users by infecting websites that they commonly visit — enabled the attackers to install malware on more than 17,000 unique devices in the United States and abroad.

The second phase, “DragonFly 2.0,” ran from 2014 to 2017 and involved targeting more than 3,300 users at over 500 U.S. and international organizations, including the U.S. government’s Nuclear Regulatory Commission and the Wolf Creek Nuclear Operating Corporation.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said U.S. Deputy Attorney General Lisa Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

John Hultquist, vice president of intelligence analysis at Mandiant, said the indictments provide a glimpse of the FSB’s role in Russia’s state-sponsored hacking attempts, and come as a “warning shot” to the Russian intrusion groups who carry out these disruptive cyberattacks. “These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon,” he said.

But Hultquist warned that the hackers likely retain access to these networks. “Notably, we have never seen this actor actually carry out disruptive attacks, just burrow into sensitive critical infrastructure for some future contingency,” he told TechCrunch. “Our concern with recent events is that this might be the contingency we have been waiting for.” 

Casey Brooks, a senior adversary hunter at Dragos, which calls the group behind the Triton malware “Xenotime,” told TechCrunch that the indictments are unlikely to deter the hackers.

“These activity groups are well-resourced and can conduct continuous complex operations. While the indictments detail some of these groups’ intrusion activity, their breadth is much greater,” said Brooks. “For example, we know that for Xenotime this is only a fraction of their overall activity. It’s essential to realize that these groups are still active and the indictments will probably do little to deter these adversary groups’ future operations.”

The unsealing of the indictments came three days after President Joe Biden warned of a growing Russian cyber threat against U.S. businesses in response to Western sanctions on Russia for its invasion of Ukraine. It also comes just days after the DOJ indicted six hackers working in the service of Russia’s military intelligence agency, the GRU. The hackers, known as Sandworm, are accused of a five-year spree of attacks, including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide in 2017 and a cyberattack that took down the Ukraine power grid.