Critical Infrastructure Security

Feds Charge 4 Russians With Long-Term Energy Sector Attacks

Nuclear Plants, Utilities, and Oil and Gas Firms Allegedly Targeted by Hackers
Feds Charge 4 Russians With Long-Term Energy Sector Attacks
Red Square in Moscow (Photo: Pixabay)

The U.S. Department of Justice unsealed two indictments Thursday accusing four Russian nationals with government ties of hack attacks against the U.S. energy sector from 2012 through 2018.

See Also: 5 Requirements for Modern DLP

All four individuals have been placed on the FBI's most wanted list. The announcement of the charges comes as the White House continues to urge American organizations to bolster their cybersecurity defenses, owing to an increased risk of cyberattacks launched by Russia, as its war with Ukraine continues.

"Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world," says Deputy Attorney General Lisa O. Monaco. She says the indictments have been unsealed to serve as a warning to American businesses to continue strengthening their cybersecurity defenses.

The four Russian men charged by U.S. prosecutors for global attacks on the energy sector (Source: FBI)

The DOJ says attacks launched by the men targeted thousands of computers and hundreds of organizations around the world, across about 135 countries.

Also on Thursday, the DOJ announced another indictment, accusing three alleged Russian threat actors of operating a darknet marketplace that sold stolen credentials and participating in other illicit activity (see: US Indicts Russian Behind Popular Carding Marketplace).

Earlier this week, the FBI reportedly issued an urgent bulletin warning that network scanning activity directed toward at least five U.S. energy firms had been traced to Russian IP addresses.

Schneider Electric Hack

Of the two indictments pertaining to the energy sector attacks unsealed this week, one was returned by a federal grand jury in June 2021 and accuses Russian Ministry of Defense researcher Evgeny Viktorovich Gladkikh, 36, of playing a leading role in disrupting refineries.

Gladkikh, who is a computer programmer for the Russian Ministry of Defense, stands accused of conspiring with others to lead a series of cyberattacks against foreign refineries between May and September 2017. He also allegedly installed malware called Triton onto a safety system for France-based solar and electric power company Schneider Electric (see: How Triton Malware Targets Industrial Control Systems).

The Triton malware, aka Trisis, was created in a Russian-backed research lab and was intended to cause damage to industrial systems, according to the U.S. Department of the Treasury.

Gladkikh is charged with three counts of conspiracy, including attempting to and causing damage to an energy firm and accessing and damaging protected computers. He could face up to 45 years in prison.

'Energetic Bear' Allegations

The second unsealed indictment pertaining to energy sector attacks was returned by a federal grand jury in August 2021 and charges three Russian Federal Security Service - aka FSB - as well as military officials with persistently attacking companies in the energy sector, including oil and gas firms, nuclear power plants and utilities.

The three suspects are Pavel Aleksandrovich Akulov, 36; Mikhail Mikhailovich Gavrilov, 42; and Marat Valeryevich Tyukov, 39. They worked on behalf of the Russian government in a military unit known as Center 16, prosecutors say. Center 16 is also referred to by security researchers as Energetic Bear, Berserk Bear and Dragonfly.

Illustration of the Russia-aligned nation-state adversary group Berserk Bear (Image: CrowdStrike)

The trio allegedly targeted software used in power plants, according to the court documents.

"Specifically, the conspirators targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems," the DOJ says. "Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing."

The alleged attacks took place via two reconnaissance phases against the energy sector supply chain from 2012 through 2017, the DOJ says. The first phase of the malicious campaign included installing a remote access Trojan known as Havex, which allowed the group to use tactics such as spear-phishing and other attack maneuvers to target unsuspecting supplier networks. The second part of the attack, which researchers refer to as Dragonfly 2.0, evolved into a campaign against employees, energy sector organizations and government agencies.

The DOJ says the group targeted numerous organizations, including both the Kansas Electric Power Cooperative and its subsidiary Wolf Creek, which is a power plant that provides energy to Kansas and Missouri.

The suspects could face between 25 and up to 42 years in prison if convicted of the charges against them. The U.S. and Russia, however, do not have an extradition treaty. As a result, so long as the accused remain in Russia, there's little chance they will ever face trial in the U.S.

To protect against cyberattacks carried out by Russian nation-states, the DOJ has continued to urge U.S. businesses to follow steps detailed by the Cybersecurity and Infrastructure Security Agency in its "Shields Up" campaign.

About the Author

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.