informa
3 min read
article

Russian Nationals Indicted for Epic Triton/Trisis and Dragonfly Cyberattacks on Energy Firms

Four Russian government employees were charged by the DoJ for attack campaigns targeting hundreds of energy sector companies and organizations in 135 countries, including the US.

The US government today unsealed two blockbuster indictments handed down in 2021 charging four Russian nationals working for that nation's government with allegedly perpetrating two major industrial system cyberattack campaigns that targeted the global energy sector between 2012 and 2018.

In a now-unsealed June 2021 indictment, the US Department of Justice charged Evgeny Viktorovich Gladkikh, a Russian Ministry of Defense research institute employee, and two co-conspirators for their role in the infamous Triton/Trisis malware tools used in a 2017 attack that shut down Schneider Electric's safety instrumentation system at a petrochemical plant in Saudi Arabia. The defendants also were charged with trying to breach a US critical infrastructure management firm.

Triton was one of the first known industrial cyberattacks meant to inflict major physical and potentially life-threatening damage on a industrial plant: The malware was intended to sabotage and fool the Schneider safety system so it would be unable to detect unsafe conditions of its ICS equipment.

Gladkikh, 36, a computer programmer, and his co-conspirators created and dropped the Triton malware in an oil refinery in Saudi Arabia. The malware instead triggered emergency shutdowns at the refinery. The defendants then repeatedly tried to break into the network of a US company that owns similar refineries, but failed, the indictment said.

Gladkikh was charged with conspiracy, damage, and computer fraud crimes, which could bring a total maximum sentence of 45 years in prison.

Dragonfly
The second unsealed indictment is from August 2021, which charges Russian Federal Security Service officers Pavel Aleksandrovich Akulov, 36; Mikhail Mikhailovich Gavrilov, 42; and Marat Valeryevich Tyukov, 39, for a long-running cyberattack campaign against the energy sector, known as the Dragonfly or Havex attacks.

Charges against the FSB hackers include computer fraud and abuse, wire fraud, aggravated identity theft, and inflicting damage to the property of an energy facility.

From 2012 to 2017, Akulov, Gavrilov, Tyukov, and others allegedly waged multi-phase cyberattacks to gain a foothold in the networks of oil and gas, nuclear power, and utility and power transmission companies by first infiltrating and compromising the networks of ICS/SCADA manufacturers and software suppliers, then injecting the Havex malware into legitimate software updates that energy sector organizations installed in their industrial networks. Overall, they installed the backdoor malware on 17,000 devices in the US and in other nations, including on ICS controllers used in energy plants.

The defendants then kicked off Dragonfly 2.0, where they allegedly used spear-phishing, watering hole attacks, and other methods to target engineers and energy sector entities who use and work with ICS/SCADA equipment, hitting more than 500 organizations worldwide, including targeting US Nuclear Regulatory Commission. They got as far as the enterprise network of the nuclear power plant operator Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, but not to its industrial network.

Akulov, Gavrilov, and Tyukov each face multiple charges associated with computer fraud and wire fraud; Akulov and Gavrilov also face charges related to computer damages.

But unless the defendants in these two cases leave Russia and step onto US soil — or visit another country that has an extradition agreement with the US — chances of their arrests are slim.

John Hultquist, vice president of intelligence analysis at Mandiant, called the indictments "a warning shot" aimed at key Russian state-sponsored hacking groups that wage damaging cyberattacks. "These actions are personal and are meant to signal to anyone working for these programs that they won't be able to leave Russia anytime soon," he said in a statement.