The US Justice Department and the British Foreign Office announced Thursday that four Russian officials, including hackers with a government intelligence agency, have been charged with malicious hacking of critical infrastructure around the world, including the US energy and aviation sectors, between 2012 and 2018.
Machines at a Kansas nuclear power facility, whose business network was infiltrated, and at a Saudi petrochemical factory in 2017, where the hackers overrode safety measures, were among the thousands of computers attacked in 135 nations, officials said.
Although the intrusions occurred years ago, the indictments were unsealed as the FBI voiced new concerns about Russian hackers scanning the networks of U.S. energy companies for weaknesses that could be exploited amid Russia's war in Ukraine.
The timing — showing “the worldwide scale” of hacking by the KGB’s successor intelligence agency — was clearly tied to Russian President Vladimir Putin’s “unprovoked and unlawful conflict in Ukraine,” according to a statement on the Foreign Office’s website.
In addition, several U.S. federal agencies issued a joint advisory on the campaign on Thursday, urging energy-sector executives to take steps to secure their networks against Russian operations.
“The DOJ is shooting warning shots at the persons in charge of Russia’s hacking capacity,” Mandiant threat intelligence expert John Hultquist tweeted.
In a statement, Deputy Attorney General Lisa Monaco said: "Russian state-sponsored hackers represent a substantial and persistent danger to key infrastructure in the United States and throughout the world. While the criminal charges announced today relate to prior conduct, they highlight the vital need for American firms to strengthen their defenses and remain watchful."
None of the four defendants is in custody, but a Justice Department official who briefed reporters said the investigation should be made public rather than waiting for the "remote prospect" of arrests. The State Department said on Thursday that information leading to the "identity or whereabouts" of any of the four defendants could earn a reward of up to $10 million.
One of the charged Russians is an employee of a Russian military research institute who is accused of conspiring with others in 2017 to hack a foreign refinery's systems and install malicious software, causing the refinery's operations to shut down twice. The target was in Saudi Arabia, and the research institute has been sanctioned, according to the British Foreign Office.
The so-called "Triton" case, which affected the Petro Rabigh complex on the Red Sea, is widely documented by cybersecurity researchers as one of the most dangerous industrial control system attacks on record. According to a Justice Department official, the malware was built to cause physical damage by disabling the safety shutdown system that would normally prevent a refinery from suffering "catastrophic failure."
According to an indictment filed in June 2021 and released Thursday, the employee, Evgeny Viktorovich Gladkikh, attempted to hack into the systems of an undisclosed U.S. corporation that manages many oil refineries.
The three other defendants are alleged hackers with Russia's Federal Security Service, or FSB, which handles domestic intelligence and counterintelligence, and members of the group that cybersecurity researchers track as Dragonfly.
The hackers are accused of hiding malware inside legitimate software updates, which were installed on more than 17,000 devices in the United States and elsewhere. Prosecutors said that between 2012 and 2014 these supply-chain compromises targeted oil and gas companies, nuclear power plants, and utility and power-transmission organizations.
The purpose was to "create and maintain surreptitious unlawful access to networks, computers, and devices of enterprises and other organizations in the energy industry," according to the indictment. That access, the indictment says, would have allowed the Russian government to disrupt and damage those systems if it chose to.
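The defensive counterpart to a trojanized-update campaign like the one described above is to refuse any update whose contents do not match a digest pinned from a channel the download server cannot alter (a vendor-signed manifest, release notes fetched separately). The following is an added example written for this page, not code from the indictment or from any vendor; the filename, the manifest layout and the update bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Mapping

# Constructed sample standing in for a vendor's ICS client installer.
GENUINE_UPDATE = b"ICS-CLIENT-SETUP v2.1.0 -- legitimate installer bytes (constructed sample)"

# The same package with an implant appended, in the spirit of the
# tampered updates described above. Constructed; not a real sample.
TROJANIZED_UPDATE = GENUINE_UPDATE + b"\n[injected loader stub]"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the update bytes, hex-encoded to match a published manifest."""
    return hashlib.sha256(data).hexdigest()


# In practice the pinned digests come from an out-of-band source (a signed
# manifest, a vendor's release notes) and are NOT computed from the file being
# checked. Here the manifest is derived from the constructed genuine bytes only
# so the example runs offline. The filename is an assumed, hypothetical one.
PINNED_MANIFEST: Mapping[str, str] = {
    "ics-client-setup-2.1.0.exe": sha256_hex(GENUINE_UPDATE),
}


def verify_update(filename: str, data: bytes,
                  manifest: Mapping[str, str] = PINNED_MANIFEST) -> bool:
    """Return True only if the file is pinned and its digest matches.

    Fails closed: a file the manifest does not know about is rejected rather
    than trusted because the download server offered it.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    # Constant-time comparison so a verifier cannot be probed digit by digit.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    name = "ics-client-setup-2.1.0.exe"
    print("genuine:", verify_update(name, GENUINE_UPDATE))        # True
    print("trojanized:", verify_update(name, TROJANIZED_UPDATE))   # False
    print("unpinned:", verify_update("ics-client-setup-2.1.1.exe",
                                     GENUINE_UPDATE))              # False
```

The check only helps if the manifest is obtained and authenticated independently of the download; a digest served next to the installer on a compromised vendor site is replaced along with the installer.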
Officials said a second phase of the campaign consisted of spear-phishing operations against more than 500 U.S. and foreign companies, as well as U.S. government agencies including the Nuclear Regulatory Commission.
The hackers also gained access to the corporate network, but not the control systems, of the Wolf Creek Nuclear Operating Corporation, which operates a nuclear power plant in Burlington, Kansas.
The FSB hackers also targeted UK energy companies and exfiltrated data from the U.S. aviation sector and other critical U.S. targets, according to the British Foreign Office.