Four Russian government employees have been indicted for allegedly undertaking hacking campaigns that targeted critical infrastructure worldwide.
The four were indicted in 2021, with the U.S. Department of Justice only unsealing the indictments today. In the first indictment, filed in June, Evgeny Viktorovich Gladkikh, a Russian Ministry of Defense research institute employee, and two co-conspirators are alleged to be behind the infamous Triton malware.
Triton was used in an attack in 2017 that targeted equipment sold by Schneider Electric SE used in oil and gas facilities and resulted in the shutdown of a petrochemical plant in Saudi Arabia. Triton malware was first linked to Russia in October 2018.
The Justice Department claims that the accused researched targeting similar refineries in the U.S. between February and July 2018 and unsuccessfully attempted to hack a U.S. company’s computer systems.
Gladkikh is charged with one count of conspiracy to damage an energy facility, one count of attempt to cause damage to an energy facility and one count of conspiracy to commit computer fraud.
Filed in August, the second indictment charges Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov. All three are allegedly members of Military Unit 71330 of the Russian Federal Security Bureau, known to cybersecurity researchers as Dragonfly, Berserk Bear, Energetic Bear and Crouching Yeti.
It is alleged that the three men, along with their co-conspirators, engaged in computer intrusions, including supply chain attacks, between 2012 and 2017. The indictment claims they did so in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector.
The conspirators are said to have targeted the software and hardware controls in power generation facilities, that is, industrial control systems. With such access, the Russian government could disrupt and damage those systems.
The hackers made headlines in 2018 when it was reported that they had gained access to control rooms in U.S. utility companies where they could have caused blackouts. The group was also linked to a hack of the City of Austin in December 2020.
The indictment alleges that the hackers targeted more than 3,300 users at more than 500 U.S. and international companies and entities and U.S. government entities such as the Nuclear Regulatory Commission. In one case, the hackers successfully gained access to the Wolf Creek Nuclear Operating Corp. in Kansas, which operates a nuclear power plant.
All three are charged with conspiracy to cause damage to an energy facility and commit computer fraud, along with conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Deputy Attorney General Lisa O. Monaco said in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”