Russian Nationals Indicted for Epic Triton/Trisis and Dragonfly Cyberattacks on Energy Firms

Published: 23/11/2024   Category: security


Four Russian government employees were charged by the DoJ for attack campaigns targeting hundreds of energy sector companies and organizations in 135 countries, including the US.



The US government today unsealed two blockbuster indictments handed down in 2021 charging four Russian nationals working for that nation's government with allegedly perpetrating two major industrial control system cyberattack campaigns that targeted the global energy sector between 2012 and 2018.

In a now-unsealed June 2021 indictment, the US Department of Justice charged Evgeny Viktorovich Gladkikh, a Russian Ministry of Defense research institute employee, and two co-conspirators for their role in the infamous Triton/Trisis malware tools used in a 2017 attack that shut down Schneider Electric's safety instrumented system at a petrochemical plant in Saudi Arabia. The defendants also were charged with trying to breach a US critical infrastructure management firm.

Triton was one of the first known industrial cyberattacks meant to inflict major physical and potentially life-threatening damage on an industrial plant: the malware was intended to sabotage and fool the Schneider safety system so it would be unable to detect unsafe conditions in its ICS equipment.

Gladkikh, 36, a computer programmer, and his co-conspirators created and dropped the Triton malware in an oil refinery in Saudi Arabia. The malware instead triggered emergency shutdowns at the refinery. The defendants then repeatedly tried to break into the network of a US company that owns similar refineries, but failed, the indictment said.

Gladkikh was charged with conspiracy, damage, and computer fraud crimes, which could bring a total maximum sentence of 45 years in prison.
Dragonfly
The second unsealed indictment is from August 2021, which charges Russian Federal Security Service officers Pavel Aleksandrovich Akulov, 36; Mikhail Mikhailovich Gavrilov, 42; and Marat Valeryevich Tyukov, 39, for a long-running cyberattack campaign against the energy sector, known as the Dragonfly or Havex attacks.

Charges against the FSB hackers include computer fraud and abuse, wire fraud, aggravated identity theft, and inflicting damage to the property of an energy facility.
From 2012 to 2017, Akulov, Gavrilov, Tyukov, and others allegedly waged multi-phase cyberattacks to gain a foothold in the networks of oil and gas, nuclear power, and utility and power transmission companies by first infiltrating and compromising the networks of ICS/SCADA manufacturers and software suppliers, then injecting the Havex malware into legitimate software updates that energy sector organizations installed in their industrial networks. Overall, they installed the backdoor malware on 17,000 devices in the US and in other nations, including on ICS controllers used in energy plants.

The defendants then kicked off Dragonfly 2.0, where they allegedly used spear-phishing, watering hole attacks, and other methods to target engineers and energy sector entities who use and work with ICS/SCADA equipment, hitting more than 500 organizations worldwide, including the US Nuclear Regulatory Commission. They got as far as the enterprise network of the nuclear power plant operator Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, but not into its industrial network.

Akulov, Gavrilov, and Tyukov each face multiple charges associated with computer fraud and wire fraud; Akulov and Gavrilov also face charges related to computer damage.

But unless the defendants in these two cases leave Russia and step onto US soil — or visit another country that has an extradition agreement with the US — the chances of their arrest are slim.

John Hultquist, vice president of intelligence analysis at Mandiant, called the indictments a warning shot aimed at key Russian state-sponsored hacking groups that wage damaging cyberattacks. "These actions are personal and are meant to signal to anyone working for these programs that they won't be able to leave Russia anytime soon," he said in a statement.