Cybersecurity and the Dark Art of the Possible
- March 31, 2022
- Clayton Rice, K.C.
The United States Department of Justice has unsealed two historical indictments charging four Russian nationals with conducting computer intrusions, in two separate conspiracies, that targeted the international energy sector between 2012 and 2018. The worldwide hacking campaigns were carried out against thousands of computers at hundreds of companies and organizations and involved the deployment of malware that cyber researchers have named Triton and Havex. The unsealing comes at a time of increasingly heightened tension between the United States and Russia in the global cybersecurity ecosystem.
On June 29, 2021, a grand jury returned an indictment in the United States District Court, District of Columbia, in United States v. Evgeny Viktorovich Gladkikh. (here) The indictment alleges that Mr. Gladkikh and co-conspirators including members of TsNIIKhM, a research institute of the Russian government, and the Applied Development Center (ADC), a component of TsNIIKhM, “conspired to conduct computer intrusions using ADC resources that targeted energy facilities in the United States and elsewhere.” The indictment asserts that the conspirators gained unauthorized access to the systems of a refinery outside the United States between May and September 2017 using techniques and tools designed to enable the attackers to cause “potentially catastrophic effects” and not just a plant shutdown. The cyber attack resulted in an emergency shutdown of the facility’s operations.
On August 26, 2021, another grand jury returned an indictment in the United States District Court, District of Kansas, in United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov. (here) This indictment alleges that the conspirators were officers working in Russia’s Federal Security Service, Military Unit 71330, also known as “Center 16”, and members of a “discrete operational unit” known as “Dragonfly”, “Berzerk Bear”, “Energetic Bear” and “Crouching Yeti”. The indictment asserts that the conspirators deployed a two-phase worldwide campaign targeting the computers of hundreds of entities, allowing them to “maintain persistent access” to the networks of critical infrastructure and companies in the energy sector. Access to the systems would have provided Russia with the ability to disrupt and damage the infected computer systems at any future date.
2. Triton and Havex
The Triton malware, deployed in the Gladkikh case, was first discovered at a petrochemical plant in Saudi Arabia in 2017. On December 15, 2017, Samuel Gibbs reported for The Guardian that the safety systems of an unidentified power station had been compromised when Schneider Electric SE, maker of the Triconex industrial safety technology, disclosed the incident. (here) The security software firm, Symantec, reported that Triton worked by infecting a Microsoft Windows computer attached to the safety system. “While there have been a small number of previous cases of malware designed to attack industrial control systems,” Symantec said, “Triton is the first to attack safety instrumented system devices.” Triton was called “the world’s most murderous malware” by Martin Giles in an article published by MIT Technology Review in 2019. (here) Mr. Giles suggested it was “no coincidence” the malware appeared just as “hackers from countries like Russia, Iran, and North Korea stepped up their probing of ‘critical infrastructure’ sectors vital to the smooth running of modern economies, such as oil and gas companies, electrical utilities, and transport networks.”
The Havex malware, deployed in the Akulov case, was discovered in 2013 and is often grouped with three other malware families developed in the last ten years in addition to Triton – Stuxnet, BlackEnergy and Industroyer/CRASHOVERRIDE. It has been used in widespread espionage campaigns. In a 2014 report, Symantec found that Havex, more commonly known as “Dragonfly”, initially targeted defence and aviation companies in the U.S. and Canada before shifting its focus to U.S. and European energy firms in early 2013. (here) By 2014 the targets of the Dragonfly group included industrial control systems. In a subsequent report released in 2017, Symantec found that the energy sectors in North America and Europe were targeted by a new wave of cyber attacks following a hiatus that came after the exposure generated by its 2014 report. (here) Symantec concluded that the new “Dragonfly 2.0” campaign, which started in late 2015, shared “tactics and tools” used in earlier campaigns.
3. The Gladkikh Indictment
The three-count Gladkikh indictment alleges that the defendant was an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics. He is charged with one count of conspiracy to cause damage to an energy facility; one count of attempt to cause damage to an energy facility; and, one count of conspiracy to commit computer fraud. Here are four of the key allegations:
- Between no later than in or about August 2014 and continuing through at least in or after July 2018, GLADKIKH, TsNIIKhM, and other co-conspirators […] who were located outside the United States, conspired to commit computer intrusions targeting energy facilities, including refineries in the United States and overseas, and to cause damage to those facilities. The conspiracy specifically targeted OT and SIS computer systems and sought to install malicious software applications (“malware”) designed to cause physical safety systems to cease operating or to operate in an unsafe manner. (para. 16)
- […] GLADKIKH and co-conspirators gained unauthorized access to and installed a package of malware on protected computers belonging to VICTIM COMPANY 1 at a refinery operated by VICTIM COMPANY 1. The malware was designed to give an unauthorized operator access to and control of a Triconex device, including the ability to load additional software. That malware later became known as “TRITON” or “TRISIS” in the computer security industry. (para. 18)
- On or about May 19, 2017, GLADKIKH used a historian server at VICTIM COMPANY 1 (“MACHINE 1”) and stolen administrator login credentials to remotely access an Engineering Workstation (“MACHINE 2”) without authorization. MACHINE 2 was part of the DCS at VICTIM COMPANY 1’s refinery and was connected to SIS devices, including the Tristation engineering workstation and Triconex systems. (para. 25)
- Further, on or about May 29, 2017, GLADKIKH installed a “back door” on MACHINE 2, which would allow an unauthorized user to gain access in the future. GLADKIKH subsequently sought information regarding protocols that would be used to communicate with a Triconex device. (para. 26)
The indictment states that, on June 2, 2017, Mr. Gladkikh installed a “package of software applications” on a device connected to Machine 2. The applications comprised an early version of the Triton malware. However, within minutes, a fault was detected by the refinery’s safety system and an emergency shutdown occurred. (para. 28)
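The allegations above trace a recognizable chain: a historian server used as the pivot, stolen administrator credentials, a remote logon to the engineering workstation, and a “back door” left for later access. As an added example written for this post (not code from the post, the indictment, or any vendor), the Python below shows how a defender might model that chain as three detection rules over authentication and persistence events from the control network. The asset inventory, zone names, account names and log lines are all constructed, and the one-hour correlation window and the DMZ/control/safety zone model are assumptions.

```python
"""
Defender-side sketch of the intrusion chain alleged in the Gladkikh indictment
(historian server -> engineering workstation with stolen admin credentials ->
backdoor installed).  Added example for this post; not code from the post, the
indictment or any vendor.  Host names, zones, accounts and log lines are
constructed.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed asset inventory.  A process historian normally sits in a
# DMZ-style zone between the business and control networks; the DCS
# engineering workstation and the safety-system engineering station sit
# deeper, in the control and safety zones.
ZONES: Dict[str, str] = {
    "HIST01": "dmz",           # historian server (the indictment's MACHINE 1)
    "EWS01": "control",        # DCS engineering workstation (MACHINE 2)
    "TRISTATION01": "safety",  # safety-system engineering station
    "OPS-PC7": "control",      # ordinary operator PC in the control zone
}

# Privileged accounts (constructed names) whose remote use from outside the
# control zone should never be routine.
ADMIN_ACCOUNTS = {"dcsadmin", "administrator"}


@dataclass
class Event:
    ts: datetime
    kind: str       # "logon", "service_install" or "scheduled_task"
    src: str        # originating host for remote logons, "" for local events
    dst: str        # host on which the event was recorded
    account: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: 'ISO-timestamp kind src dst account'."""
    ts, kind, src, dst, account = line.split()
    return Event(datetime.fromisoformat(ts), kind, "" if src == "-" else src, dst, account)


def detect(events: List[Event], window: timedelta = timedelta(hours=1)) -> List[str]:
    """Run three rules over the events and return alert strings in time order."""
    alerts: List[str] = []
    pivot_logons: List[Event] = []   # logons that crossed into control/safety
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "logon" and ev.src:
            src_zone = ZONES.get(ev.src, "unknown")
            dst_zone = ZONES.get(ev.dst, "unknown")
            # Rule 1: a remote logon crossing from a less trusted zone into the
            # control or safety zone (historian -> EWS in the indictment).
            if dst_zone in ("control", "safety") and src_zone != dst_zone:
                alerts.append(f"ZONE_CROSSING {ev.ts.isoformat()} {ev.src}({src_zone}) "
                              f"-> {ev.dst}({dst_zone}) as {ev.account}")
                pivot_logons.append(ev)
                # Rule 2: the crossing used a privileged account, consistent
                # with stolen administrator credentials.
                if ev.account.lower() in ADMIN_ACCOUNTS:
                    alerts.append(f"ADMIN_CRED_FROM_OUTSIDE_ZONE {ev.ts.isoformat()} "
                                  f"{ev.account} on {ev.dst} from {ev.src}")
        elif ev.kind in ("service_install", "scheduled_task"):
            # Rule 3: a persistence artefact on the same host within `window`
            # of a flagged pivot logon (the "back door" step).
            for lg in pivot_logons:
                if lg.dst == ev.dst and timedelta(0) <= ev.ts - lg.ts <= window:
                    minutes = int((ev.ts - lg.ts).total_seconds() // 60)
                    alerts.append(f"PERSISTENCE_AFTER_PIVOT {ev.ts.isoformat()} {ev.kind} "
                                  f"on {ev.dst} by {ev.account}, {minutes} min after pivot from {lg.src}")
                    break
    return alerts


# Constructed log lines: one suspicious pivot followed by a service install,
# then ordinary same-zone engineering activity that should stay quiet.
SAMPLE_LOG = """\
2017-05-19T02:14:07 logon HIST01 EWS01 dcsadmin
2017-05-19T02:31:52 service_install - EWS01 dcsadmin
2017-05-19T09:00:11 logon OPS-PC7 EWS01 engineer2
2017-05-19T09:05:00 scheduled_task - EWS01 engineer2
"""


def run_demo() -> List[str]:
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return detect(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the script yields three alerts for the historian-to-workstation logon, the privileged account it used, and the service installed seventeen minutes later, while the operator PC’s same-zone logon and its later scheduled task produce nothing. The point of the zone-crossing rule is that it needs no knowledge of Triton itself: a remote logon from a historian into an engineering workstation is anomalous on its own, which is why an asset inventory with zone assignments is the prerequisite for this kind of detection.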
4. The Akulov Indictment
The Akulov indictment alleges that the conspirators undertook a campaign to hack and “maintain persistent access” to the networks of critical infrastructure and energy companies worldwide including in the District of Kansas. Cybersecurity researchers have referred to the two phases of the campaign as: (a) Dragonfly or Havex; and, (b) Dragonfly 2.0. Here are three introductory paragraphs from the indictment that summarize the allegations:
- A common theme of both campaign phases was the Conspirators’ focus on software and hardware that controls equipment in power generation facilities, known as Industrial Control Systems [“ICS”] or Supervisory Control and Data Acquisition systems [“SCADA”] systems. During the Havex phase, the Conspirators compromised the computer networks of ICS/SCADA manufacturers and software providers and then hid their malware inside the legitimate software updates for such systems (known as a “supply chain attack”). Upon being downloaded by unsuspecting customers, the Conspirators’ malicious software, among other functions, located and compromised the customers’ ICS/SCADA systems. Through such efforts, as well as other techniques, the Conspirators installed malware on more than 17,000 unique devices in the United States and elsewhere, including ICS/SCADA controllers used by power and energy companies. (para. 3)
- During the later Dragonfly 2.0 phase, the Conspirators transitioned to more targeted compromises that focused on specific energy sector entities or individuals and engineers who worked in or with ICS/SCADA systems. Such efforts included: (i) spearphishing attacks, often with SCADA themes, targeting more than 3,000 users at more than 500 U.S. and international companies and entities; and, (ii) compromising servers hosting websites commonly visited by engineers in the energy sector or otherwise involved in ICS/SCADA system manufacturing and then using these websites to deploy malware onto the engineers’ (or other visitors’) computers (known as a “watering hole attack”). (para. 4)
- Regardless of the evolution of the Conspirators’ methods of compromise, the Conspirators’ goals remained the same: to establish and maintain surreptitious, unauthorized access to networks, computers, and devices of companies and other entities in the energy sector, including power generation facilities, in the United States and elsewhere. Such access enabled the Russian government to disrupt and damage such systems, if it wished. (para. 5)
The targeted companies and entities included: (a) the Nuclear Regulatory Commission, a U.S. government agency responsible for regulating entities that use nuclear materials including nuclear power plants; (b) Wolf Creek Nuclear Operating Corporation, in Burlington, Kansas, that operates the Wolf Creek Generating Station, a nuclear power plant; (c) Kansas Electric Power Cooperative, a power generation and transmission electric cooperative in Topeka, Kansas; and, (d) two renewable energy companies in New York and New England. The targets of the alleged conspiracy were based in 135 countries including Belgium, Canada, the United Kingdom, France, Germany, Pakistan and South Korea. (paras. 8-9)
The unsealing of the indictments on March 24, 2022, during the continuing invasion of Ukraine by Russia is not a coincidence. “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a press release issued concurrently by the Department of Justice. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant,” she added. (here) FBI Deputy Director Paul Abbate also emphasized the need to counter “the significant cyber threat” Russia poses to critical infrastructure. According to an anonymous Justice Department official cited by cybercrime reporters A.J. Vicens and Joe Warminsky at CyberScoop, the two indictments were selected for unsealing because they shine a spotlight on the kind of thing that is concerning in the present environment. “Not the only thing,” the official added, “but they’re very good examples of the dark art of the possible.” (here) The developing story, however, does not end there.
Today, the U.S. Department of the Treasury, Office of Foreign Assets Control, released a new round of sanctions against Russia “for its unprovoked and unjustified war against Ukraine”. (here) Targets of the latest sanctions include leaders of Russia’s TsNIIKhM institute where Evgeny Gladkikh, the researcher accused of developing Triton malware, was employed. The Treasury Department stated in a press release that TsNIIKhM “was responsible for building a customized tool that enabled the August 2017 cyber attack on a Middle East petrochemical facility” and that Mr. Gladkikh “played a crucial role” in targeting the facility’s cybersecurity systems. The U.S. Department of State’s Rewards for Justice program has already offered a reward of up to $10 million under its critical infrastructure reward offer for information leading to the identification or location of Mr. Gladkikh. (here) It was the first time the program listed a specific cyber actor under the reward offer administered by the Diplomatic Security Service.