U.S. Charges 4 Russian Gov Employees Over Hacking Critical Infrastructure Worldwide

The U.S. government on Thursday released a cybersecurity advisory outlining multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted the energy sector in the U.S. and beyond.

“The [Federal Security Service] conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data,” the U.S. government said, attributing the attacks to an APT actor known as Energetic Bear.

In addition, the Justice Department charged four Russian government employees, including three officers of the Russian Federal Security Service and a computer programmer at the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), for their roles in carrying out the attacks on oil refineries, nuclear facilities, and energy companies.

The four Russian nationals are Pavel Aleksandrovich Akulov(36), Mikhail Mikhailovich Gavrilov (42), and Marat Valeryevich Tyukov (39), and Evgeny Viktorovich Gladkikh (36).

The seven-year-long global energy sector campaign is said to have taken advantage of spear-phishing emails, trojanized software updates, and redirects to rogue websites (aka watering holes) to gain initial access, using it to deploy remote access trojans like Havex on compromised systems.

Also detailed by the security agencies is a 2017 campaign engineered by cyber actors with ties to TsNIIKhM with the goal of manipulating the industrial control systems of an unnamed oil refinery located in the Middle East by leveraging a piece of malware called TRITON.

“TRITON was designed to specifically target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those systems,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) said.

Collectively, the hacking campaigns are alleged to have singled out thousands of computers, at hundreds of companies and organizations, in approximately 135 countries, the FBI said.

“The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today’s world,” said U.S. Attorney Duston Slinkard for the District of Kansas. “We must acknowledge there are individuals actively seeking to wreak havoc on our nation’s vital infrastructure system, and we must remain vigilant in our effort to thwart such attacks.”

Suggest a change to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

• Globally, 30,000 websites are hacked daily.
• 64% of companies worldwide have experienced at least one form of a cyber attack.
• There were 20M breached records in March 2021.
• In 2020, ransomware cases grew by 150%.
• Email is responsible for around 94% of all malware.
• Every 39 seconds, there is a new attack somewhere on the web.
• An average of around 24,000 malicious mobile apps are blocked daily on the internet.