The U.S. Department of Justice on Thursday unsealed two indictments charging four Russian nationals with crimes related to attempted hacks of critical infrastructure both abroad and within the United States, including use of the malware known as Trisis or Triton.
The indictments accuse the four suspects of “attempting, supporting and conducting computer intrusions that together, in two separate conspiracies that targeted the global energy sector between 2012 and 2018,” the DOJ said in its announcement. All four worked for the Russian government, the DOJ said.
“In total these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.” The announcement comes as the Biden administration has been urging U.S. critical infrastructure companies to harden their defenses against potential Russian cyberattacks.
A senior DOJ official told reporters Thursday that while the federal government is most concerned with attacks on critical infrastructure at any given time, “we selected these charges for unsealing because they do a good job of highlighting the kind of thing we are concerned about in the current environment. Not the only thing, but they’re very good examples of the dark art of the possible.”
A senior FBI official told reporters that the Russian targeting operations around the world included countries “from which Russia has sought economic and military and security assistance.”
The suspects — an employee of a Russian Ministry of Defense research institute, and three others who were officers of Russia’s Federal Security Service (FSB) — were indicted in June 2021 and August 2021, respectively.
Alleged Trisis actor
The June 2021 indictment accuses Evgeny Viktorovich Gladkikh, 36, of working on a campaign to hack industrial control systems and operational technology at a foreign energy facility “using techniques designed to enable future physical damage with potentially catastrophic effects.” The incidents between May and September 2017 used malicious code known as Triton or Trisis on a system produced by Schneider Electric, a multinational energy infrastructure manufacturer.
The DOJ announced a $10 million reward for information on Gladkikh after it unsealed the indictments.
The DOJ did not specify the affected facility in its announcement, but CyberScoop reported in 2018 that a Saudi petrochemical plant had been attacked with Trisis in 2017. In October 2020, the U.S. government attributed Trisis to the Russian government and announced related sanctions.
The DOJ points to other previously reported Trisis uses in the indictment: “Between February and July 2018, the conspirators researched similar refineries in the United States, which were owned by a U.S. company, and unsuccessfully attempted to hack the U.S. company’s computer systems,” the DOJ said.
Gladkikh is charged with one count of conspiracy to cause damage to an energy facility, one count of attempt to cause damage to an energy facility, and one count of conspiracy to commit computer fraud.
The August 2021 indictment alleges that FSB hackers Pavel Aleksandrovich Akulov, 36; Mikhail Mikhailovich Gavrilov, 42; and Marat Valeryevich Tyukov, 39, “engaged in computer intrusions, including supply chain attacks, in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access” to computers belonging to oil and gas firms, nuclear power plants, and utility companies between 2012 and 2017, the DOJ said.
The campaign targeted companies in the U.S. and in more than 135 other countries. Cybersecurity researchers have typically referred to the attacks as “Dragonfly” or “Havex.” The three suspects were also connected with a hacking group known to researchers as Energetic Bear, the FBI said.
“Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future date of its choosing,” the DOJ said.
The indictment alleges the FSB activity occurred in two phases, 2012-14 and 2014-17. During the first phase — referring to Dragonfly or Havex — the suspects compromised the networks of the manufacturers of power generation equipment to plant malware inside legitimate software updates. The malware gave the hackers backdoors into the systems that installed those updates, which they then used to scan for additional devices. The efforts, including spearphishing and “watering hole” attacks, allowed the attackers to install the malware on more than 17,000 unique devices in the U.S. and abroad, according to the DOJ.
During the second phase, known as “Dragonfly 2.0,” the effort was more narrowly targeted at specific companies and individuals with access to energy generation equipment and facilities. The hackers used spearphishing attacks on more than 3,300 users at more than 500 U.S. and international companies, as well as U.S. government agencies such as the Nuclear Regulatory Commission. The hackers managed to compromise the business network — computers not directly connected to the energy generation equipment — of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, the DOJ alleges.