On March 24, 2022, the U.S. Justice Department unsealed indictments against four Russian nationals accused of hacking energy-sector companies and organizations in approximately 135 countries between 2012 and 2018.
The indictments link three of the defendants to Russia's Federal Security Service (FSB) and the fourth to a Russian Ministry of Defense research institute, indicating that the attacks were state-sponsored.
The U.K. government has also publicly called out the involvement of Russian state organizations in these attacks.
Details of the Cyberattack
According to the first indictment, an employee of a Russian Ministry of Defense research institute, working with co-conspirators, planted malware in the networks of an energy facility and designed that malware to compromise the facility's safety systems. According to the separate indictment, three FSB officers engaged in a multi-year campaign to attack and infiltrate computer systems in the U.S. and international energy industry.
Prosecutors also claim that the three FSB-affiliated hackers targeted the hardware and software that control power-generation plants, with the aim of giving the Russian government the ability to disrupt or damage those systems at a time of its choosing.
State-sponsored cyberattacks from Russia represent a severe and ongoing threat to critical infrastructure in the U.S. and worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security has already issued several Technical Alerts, ICS Alerts, and Malware Analysis Reports in response to Russia's malicious cyber activity.
The Accused Russian Officials
Evgeny Gladkikh, a computer engineer at the defense ministry research institute, and Pavel Akulov, Mikhail Gavrilov, and Marat Tyukov, all FSB officers, are accused of running the malware campaigns, which infected over 17,000 devices in the United States and internationally. In one tactic, known as a "watering hole" attack, the attackers compromised websites that engineers at target firms were likely to visit, so that visitors were served malware or prompted for login credentials that the attackers then harvested.
Cybersecurity researchers link the three FSB officers to a group tracked as Berserk Bear or Energetic Bear, which has operated on behalf of the Russian government for years. They are members of the FSB's Center 16 (also known as Military Unit 71330), an active unit that conducts computer intrusions.
The accused also sent spear phishing emails posing as job applicants with experience in supervisory control and data acquisition (SCADA) systems, which are ubiquitous in industrial control systems (ICS). According to a senior Justice Department official, they are additionally charged with embedding malware into legitimate software updates used in those systems.
The indictments are a warning aimed at two of the three Russian intrusion groups known to carry out disruptive cyberattacks.
History of Russian Cyberattacks
According to the indictment, the energy-sector hacks had two phases. The first phase took place between 2012 and 2014 and is commonly referred to by security researchers as "Dragonfly" or "Havex".
In this phase the conspirators compromised the networks of ICS/SCADA equipment manufacturers and software providers, then hid malware, publicly dubbed "Havex", inside legitimate software updates for those systems. This is a software-supply-chain attack: the victim installs what looks like a signed, vendor-distributed update and is compromised by the vendor's own distribution channel.
Once unwary customers installed the Havex-infected updates, the conspirators used the malware to install a remote-access trojan on the compromised systems and to scan the victims' networks for additional ICS/SCADA devices. Using these and other methods, including spear phishing and "watering hole" operations, the conspirators planted malware on almost 17,000 unique devices in the United States and worldwide.
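The defense against the Havex-style update compromise described above is to verify every vendor update against a manifest that the vendor signed with a key pinned out of band, so that an attacker who controls the download server cannot substitute a trojanized installer or rewrite the published hashes. The following Go program is an added example and is not code from the indictment, from any ICS vendor, or from the original page; the manifest format, product name, file names and installer bytes are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor-published list of the files in an update
// and their SHA-256 digests. The field names are this example's own invention.
type Manifest struct {
	Product string            `json:"product"`
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // filename -> hex SHA-256
}

// SignedManifest carries the serialized manifest and the vendor's Ed25519
// signature over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// PublishManifest models the vendor's release step: serialize and sign.
func PublishManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is what a patch-staging host should run before an installer is
// allowed near the OT network. vendorPub must be pinned out of band, never
// fetched from the same download site as the update.
func VerifyUpdate(vendorPub ed25519.PublicKey, sm SignedManifest, filename string, payload []byte) error {
	// Signature first: an attacker who controls the download site can rewrite
	// the manifest's hashes to match a trojanized file, but cannot re-sign it.
	if !ed25519.Verify(vendorPub, sm.Manifest, sm.Signature) {
		return errors.New("manifest signature invalid: manifest or signature tampered")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unparseable: %w", err)
	}
	want, ok := m.Files[filename]
	if !ok {
		return fmt.Errorf("%s is not listed in the signed manifest", filename)
	}
	wantSum, err := hex.DecodeString(want)
	got := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(got[:], wantSum) {
		return fmt.Errorf("%s digest mismatch: got %x", filename, got)
	}
	return nil
}

// Demo stages a clean installer and a trojanized one (both constructed byte
// strings, not real software) and reports how each verification attempt ends.
func Demo() (cleanAccepted, trojanRejected, forgedManifestRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	clean := []byte("ExampleSCADA-1.2.3 setup.exe (constructed sample bytes)")
	cleanSum := sha256.Sum256(clean)
	signed, err := PublishManifest(vendorPriv, Manifest{
		Product: "ExampleSCADA", Version: "1.2.3",
		Files:   map[string]string{"setup.exe": hex.EncodeToString(cleanSum[:])},
	})
	if err != nil {
		panic(err)
	}
	cleanAccepted = VerifyUpdate(vendorPub, signed, "setup.exe", clean) == nil

	// Havex-style tampering: the legitimate installer with a backdoor appended.
	trojan := append(append([]byte{}, clean...), []byte("<appended backdoor>")...)
	trojanRejected = VerifyUpdate(vendorPub, signed, "setup.exe", trojan) != nil

	// The attacker also rewrites the manifest so its hash matches the trojan,
	// but has to reuse the old signature because they lack the vendor's key.
	trojanSum := sha256.Sum256(trojan)
	forged, _ := json.Marshal(Manifest{
		Product: "ExampleSCADA", Version: "1.2.3",
		Files:   map[string]string{"setup.exe": hex.EncodeToString(trojanSum[:])},
	})
	forgedManifestRejected = VerifyUpdate(vendorPub,
		SignedManifest{Manifest: forged, Signature: signed.Signature}, "setup.exe", trojan) != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("clean accepted=%v, trojan rejected=%v, forged manifest rejected=%v\n", a, b, c)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before any hash is trusted, because a compromised vendor site can serve a manifest whose hashes match the trojanized file. Note the caveat the Havex case itself raises: if the attacker compromises the vendor's build or signing environment rather than just its download server, a signed update is still malicious, so signature checks must be paired with vendor-side build integrity and with network monitoring for the post-install scanning behaviour described above.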
In the second phase, which took place between 2014 and 2017 and is known as "Dragonfly 2.0", the conspirators switched to more targeted intrusions, focusing on specific energy-sector businesses and on the individuals and engineers who worked with ICS/SCADA systems.
The conspirators used spear phishing campaigns to target over 3,300 users at more than 500 companies and entities globally, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
Spear phishing is a targeted attack in which emails crafted for a specific recipient, often impersonating a trusted sender, are used to get the target to open a malicious attachment, visit a malicious website, or enter credentials into a fake login page.
The spear phishing attacks succeeded in certain cases, including the compromise of the business network (i.e., PCs not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, which operates a nuclear power station. Furthermore, once the conspirators gained an unauthorized foothold in a network, they often used it to move laterally, gaining access to other computer networks at the victim entity.
Beyond the Dragonfly campaigns, the indictments describe a separate Russian state operation against industrial safety systems.
Between May and September 2017, Gladkikh and his co-conspirators at the defense ministry research institute deployed malware known as Triton (also called Trisis) against a petrochemical refinery outside the United States.
Officials stated that the refinery stored large quantities of sulfur, which could cause explosions if not properly monitored. Triton targeted the refinery's safety instrumented system (SIS), the equipment whose job is to shut a process down safely when conditions go out of bounds; the malware was designed to disable or manipulate those safety functions so that the attackers could cause physical harm.
The U.S. brought the indictments to deter further Russian cyberattacks in the U.S. and globally. None of the four accused is in U.S. custody, nor is custody expected anytime soon; the indictments nonetheless publicly name the individuals and restrict their ability to travel. U.S. officials have also indicated that further measures against such attacks may follow.