The Justice Department revealed Thursday that four Russian nationals working for the Russian government have been previously indicted for two separate incidents of attempted hacking into energy facilities in the U.S. and abroad between 2012 and 2018, targeting hundreds of companies and organizations in some 135 countries.
Justice Department officials said in a press release that one of the campaigns, if successful, would have given Russia the ability to disrupt energy sector computer systems “at a future time of its choosing,” resulting in “potentially catastrophic” damage to critical infrastructure.
A Justice Department official told reporters that these charges were unsealed because “they do a good job of highlighting the kind of thing that we are concerned about in the current environment.”
The official added, “they’re very good examples of the dark art of the possible.”
The unsealing of the indictments follows a warning Monday that “evolving intelligence” suggests Russia is exploring options for potential cyberattacks targeting the U.S. homeland.
For weeks, the Biden administration has urged U.S. businesses, including energy companies, to monitor for signs of potential cyber attacks should the Kremlin lash out following the severe economic sanctions put in place against Russia in response to its invasion of Ukraine.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Lisa Monaco, deputy attorney general, said in a statement Thursday. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”
The first incident involved the alleged hacking of a petrochemical refinery in Saudi Arabia in 2017, where an employee of Russia’s state research center, Evgeny Gladkikh, allegedly deployed malware in an attempt to take over the industrial control systems and operational technology, designed by Schneider Electric.
Instead, the installed malware, known as “Triton,” prompted two automatic emergency shutdowns of operations, according to court documents. Under the Trump administration, the U.S. Treasury sanctioned the Russian government research group for deploying Triton malware against U.S. partners in the Middle East, as well as scanning and probing U.S. facilities.
The second operation, according to the Justice Department, allegedly involved a supply chain hack commonly referred to as “Dragonfly” or “Havex” and a “spearphishing” campaign by three FSB hackers.
Pavel Akulov, Mikhail Gavrilov, and Marat Tyukov are accused of spending at least five years attempting to infiltrate organizations in the international energy sector, including oil and gas firms, nuclear power plants and utility and power transmission companies, the government said.
If successful, the Justice Department said the mission could have disrupted critical energy services to hospitals, homes and businesses. “The actor has been involved in repeated attempts to gain access to U.S. and European critical infrastructure across multiple sectors including utilities, manufacturing, airports and others. We are concerned that while there have been significant remediation efforts after each of the intrusion campaigns, the actor may retain some access,” John Hultquist, VP of Intelligence Analysis at Mandiant told CBS News.
Cybersecurity researchers have observed this actor burrow into critical infrastructure.
“Our concern with recent events is that this might be the contingency we have been waiting for,” Hultquist noted.
Hackers did succeed in gaining access to computers at Wolf Creek Nuclear Operating Plant in Burlington, Kansas, which operates a nuclear power plant. However, the hacked computers were not connected to the industrial control system itself.
None of the four defendants is in custody, according to Justice Department officials.
“In these two cases, we’ve determined that the benefit of revealing the results of the investigation now outweighs the likelihood of arrests in the future,” a Justice Department official told reporters.
Russia has repeatedly denied engaging in cyber attacks against the United States and its allies. CBS News has reached out to the Russian Embassy in Washington for comment.
Following the announcement, the Cybersecurity and Infrastructure Security Agency (CISA), FBI and Department of Energy released a technical bulletin detailing the global intrusion campaigns.
“While this advisory documents historical cyber activity, CISA, FBI and DOE assess that state-sponsored Russian cyber operations continue to pose an ongoing threat to U.S. Energy Sector networks,” the agencies said in a joint statement. “The U.S. energy sector and critical infrastructure organizations more broadly are urged to apply the recommended mitigations.”
The U.S. government has recommended critical infrastructure owners and operators deploy robust network segmentation between information technology and industrial control system networks, enforce multi-factor authentication and limit permissions associated with privileged accounts.