Mar 24, 2022
Four Russian nationals who worked for their government committed cyberattacks against hundreds of companies in the energy sector worldwide, including the operator of a nuclear power facility in Kansas, the U.S. Justice Department announced Thursday as part of a sweeping pair of indictments aimed at curbing state-sponsored hacks.
Federal prosecutors alleged an employee affiliated with Russia’s defense ministry installed “back doors” in computer systems and deployed malware aimed at crippling the safety of energy facilities. A separate indictment alleges three employees of the Russian Federal Security Service, or FSB, undertook a years-long effort to target and compromise computer systems across the energy sector.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the U.S. and around the world,” Deputy Attorney General Lisa Monaco said in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”
Evgeny Gladkikh, a computer programmer employed by an institute affiliated with the Russian Ministry of Defense, is accused along with unnamed co-conspirators of using malware — known as Triton — to hack a refinery outside the U.S. between May and September 2017. The breach caused safety systems made by Schneider Electric to trigger an automatic emergency shutdown of the organization’s operations, according to the indictment.
The refinery was located outside the U.S. and conducted work involving sulfur, which can result in an explosion if not properly regulated, officials said. The malware was intended to cause physical damage by disrupting refinery functions that regulate safety.
Prosecutors also allege that three hackers associated with the FSB targeted software and hardware at power-generation facilities, an effort meant to provide the Russian government with the ability to disrupt hacked computers at its discretion.
Those defendants — Pavel Akulov, Mikhail Gavrilov and Marat Tyukov — are accused of engaging in campaigns in which they installed malware on more than 17,000 devices in the U.S. and abroad. Using one technique, known as a “watering hole” attack, the attackers allegedly tried to dupe engineers at a target organization into visiting a compromised website, where the hackers could deploy malware and capture visitors’ login credentials.
Their tactics, prosecutors say, included so-called spearphishing attacks that targeted 3,300 users across more than 500 U.S. and international companies and entities, including the Nuclear Regulatory Commission. One successful spearphishing campaign was directed at the business network — but not the industrial controls — of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, which operates a nuclear power plant, according to the U.S.
The suspects are affiliated with a hacking group, known alternatively as Berserk Bear and Energetic Bear, that cybersecurity researchers have long suspected was tied to the Russian government. The government says they are members of Center 16, an operational FSB unit that engaged in computer intrusions.
Members of the group also posed as job applicants who specialized in work with supervisory control and data acquisition, or SCADA, systems, which are common in industrial control systems, or ICS. A senior Justice Department official said the attackers are accused of inserting malware into legitimate software updates used in those systems.
“These indictments are a warning shot meant for the organizations and individuals behind two of the three Russian intrusion groups who carry out disruptive cyberattacks,” said John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant Inc. “These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon.”
None of the four suspects is currently in U.S. custody. “We determined it would be better to unseal the charges rather than waiting for that distant possibility in the future,” a senior U.S. law enforcement official said.
Also on Thursday, Britain’s cyber agency said it is “almost certain” that the FSB conducted a “malign program of cyber activity” targeting critical IT systems and national infrastructure in Europe, the Americas and Asia since 2013. British Foreign Secretary Liz Truss also said she sanctioned a Russian defense ministry subsidiary for carrying out an alleged cyberattack on a Saudi petrochemical plant five years ago.
A spokesperson for the Russian embassy in Washington didn’t immediately respond to a request seeking comment Thursday.