Indictment of Russian National Offers Glimpse Into Methodical Targeting of Energy Firm

Published: 23/11/2024 | Category: security




Evgeny Viktorovich Gladkikh tried to cause catastrophic damage to Saudi oil refinery in 2017 via the Triton/Trisis malware, the US has alleged.



A 2021 indictment that was unsealed this week against a Russian national for allegedly attacking an oil refinery in Saudi Arabia in 2017 has provided a glimpse into the methodical — and sometimes chilling — rigor that state-backed actors can put into breaching target networks and systems.
Details contained in the indictment also showed how actors can leverage their access on an organization's IT network to make their way into OT networks and business-critical industrial control system environments.
The US government Thursday unsealed a three-count indictment charging Russian national Evgeny Viktorovich Gladkikh and unnamed co-conspirators for their role in a 2017 attack that twice triggered emergency shutdowns of an oil refinery in Saudi Arabia. Gladkikh and his partners are accused of attempting to cause physical damage to the energy facility and of intentionally damaging systems controlling critical safety equipment at the site. The indictment was one of two the US government unsealed this week. The second involved three Russian Federal Security Service officers who allegedly were behind a long-running series of cyberattacks against organizations in the energy sector.
Gladkikh's attacks garnered considerable attention when they happened because they involved the use of malware — which some have dubbed Triton and others Trisis — specifically designed to cause catastrophic damage to an industrial plant. The malware targeted specific models of a safety instrumentation system (SIS) called Triconex from Schneider Electric that the plant was using at the time to monitor systems responsible for tasks like burn management and sulfur recovery. A malfunction of those systems could have resulted in explosions and the release of toxic gases at the facility.
Details in the indictment show that Gladkikh and his partners — using resources from an outfit associated with Russia's Ministry of Defense — systematically targeted systems at the oil refinery to try to plant Triton on the facility's Triconex systems. The four-month campaign began in May 2017 when Gladkikh gained initial access to the energy company's IT network. The indictment did not provide details on how he might have gained that initial foothold.
He, along with partners, then went about systematically gathering technical log files on the Triconex systems while also trying to disable cybersecurity controls that were designed to prevent unauthorized access to the systems.
As part of his effort to familiarize himself with the Triconex environment, Gladkikh accessed historical log data on the systems stored in the refinery's data historian servers. These are systems connected to an organization's control system environment that are responsible for collecting, storing, and logging data from there. He then used the historian server — and stolen credentials — as a gateway to remotely access an engineering workstation that was part of the refinery's distributed control system environment, which typically serves as a bridge between an organization's IT and OT environments.
In this case, the workstation that Gladkikh and his partners broke into was connected to the Saudi energy company's Triconex safety instrumentation systems.
Extensive Reconnaissance
He then proceeded to install a backdoor on the workstation to ensure continued access to it, and once again methodically went about trying to understand the protocols that the system used to communicate with the connected Triconex systems. In the process, Gladkikh and his accomplices discovered that some Triconex systems were configured in such a way that they required a physical key to be turned to a program mode before new code could be introduced to the devices. But some systems — it's unclear how many — were running in program mode.
Gladkikh found one of those devices — connected to systems handling tasks like sulfur recovery and burn management — and proceeded to install an early version of Triton on it. But safety controls in the SIS quickly caught the malicious code and in minutes initiated an emergency shutdown of the oil refinery.
Several weeks later, Gladkikh and his conspirators installed credential-harvesting malware on the historian server and later installed an updated version of Triton on another Triconex SIS that was also set to run in program mode. The malware this time was specifically designed and customized to run on the specific model of Triconex devices, and in a matter of hours it had copied itself to other Triconex devices. But as happened the first time, a Triconex safety feature spotted something amiss and triggered a second emergency shutdown of the refinery.
In a somewhat chilling demonstration of attacker persistence, Gladkikh got back on the energy company's IT network several weeks later and this time broke into a file server containing business records. The goal was to find information on how the refinery had responded to the emergency shutdown, presumably so he could use that information to make recovery harder next time.
The US indictment alleged that while Gladkikh's malware triggered emergency shutdowns, his real goal was to cause extensive damage to the facility. The indictment alleged that the Russian operative and his partners had obtained the knowledge to disable or disturb the Saudi plant's safety shutdown procedures in such a way as to cause catastrophic plant failure.
