The US Department of Justice (DOJ) has indicted 4 Russian Govt. employees in connection to plots to cyber-fry critical infrastructure in the US & beyond, including at least 1 nuclear power plant.
The supply-chain attack on the US energy sector targeted 1,000s of computers at 100s of organisations.
The campaigns involved one of the most dangerous pieces of malware ever encountered in the operational technology & energy sectors: Triton, aka Trisis, a Russia-linked malware used to shut down an oil refinery in 2017 & another Mideast target in 2019.
Military Unit 71330
2 related indictments were unsealed: 1 that named Evgeny Viktorovich Gladkikh (PDF), an employee of the Russian Ministry of Defence, & another (PDF) that named 3 officers in Military Unit 71330 – or “Centre 16” – of Russia’s Federal Security Service (FSB), the successor to Russia’s KGB.
Centre 16 is the FSB’s main unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow & secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. It is known by cyber-security researchers as “Dragonfly,” “Energetic Bear” & “Crouching Yeti.”
$10m Reward – Intel on FSB Officers
There is a reward on the heads of the trio of FSB officers for allegedly hacking a refinery. The State Department stated on Thurs. that its Rewards for Justice (RFJ) program is offering $10m for information on the 3, whose names are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov & Marat Valeryevich Tyukov.
The officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft & damage to an energy facility. The reward marks the 1st time that RFJ has named a foreign govt. security personnel under its critical infrastructure reward offer, the US State Department explained.
Triton / Trisis
Triton was allegedly used in campaigns run between May & Sept. 2017.
Researchers have compared Triton’s targeting of industrial control systems (ICS) to malware used in the watershed attacks Stuxnet & Industroyer/Crashoverride, the latter of which is a ‘backdoor’ that targets ICS & which took down the Ukrainian power grid in Kiev in 2016.
In 2018, research revealed that Industroyer was linked to the massive NotPetya ransomware outbreak that crippled organisations worldwide in 2017.
According to the indictment, between May & Sept. 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defence, participated in a campaign to hack global energy facilities “using techniques designed to enable future physical damage with potentially catastrophic effects.” The hacking allegedly led to 2 separate emergency shutdowns at a foreign facility.
Petro Rabigh
Along with co-conspirators, Gladkikh allegedly hacked the systems of “a foreign refinery” (presumably Saudi oil giant Petro Rabigh) in 2017 & installed Triton/Trisis malware on a safety system produced by Schneider Electric.
Triton takes its name from the fact that it is designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was used to target an undisclosed company in the Middle East.
Triton was designed to prevent the refinery’s safety systems from functioning – “by causing the ICS to operate in an unsafe manner while appearing to be operating normally,” the DOJ outlined – so leaving the refinery open to damage & jeopardising anybody nearby.
Emergency Shutdowns
“When the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate 2 automatic emergency shutdowns of the refinery’s operations,” the DOJ observed. Between Feb. & July 2018, Gladkikh & his crew allegedly researched & unsuccessfully tried to hack the computer systems used by a US company with similar refineries.
As energy news outlet E&E News reported in 2019, in the early evening of Aug. 4, 2017, 2 emergency shutdown systems sprang to life at Petro Rabigh’s sprawling refinery along Saudi Arabia’s Red Sea coast.
Oblivious
Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline “in a last-gasp effort to prevent a gas release & deadly explosion.”
“They spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,” according to E&E News.
Gladkikh has been charged with 3 counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, & 1 count of conspiracy to commit computer fraud.
FSB Officers’ Indictment: The Dragonfly Supply-Chain Attack
The indictment that names the FSB officers alleges that, between 2012 & 2017, Akulov, Gavrilov, Tyukov & their co-conspirators engaged in computer intrusions, including supply chain attacks, “in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorised & persistent access to the computer networks of companies & organisations in the international energy sector, including oil & gas firms, nuclear power plants, & utility & power transmission companies.”
They allegedly targeted the software & hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control & Data Acquisition (SCADA) systems.
“Access to such systems would have provided the Russian Govt. the ability to, among other things, disrupt & damage such computer systems at a future time of its choosing,” according to the DOJ’s press release.
2 Phases
The indictment describes a campaign against the energy sector that involved 2 phases: The 1st was a supply-chain attack that was commonly referred to as “Dragonfly” or “Havex” by security researchers. Dragonfly took place between 2012 & 2014 & compromised computer networks of ICS/SCADA system manufacturers & software vendors.
It involved putting the Havex remote access trojan (RAT) inside legitimate software updates. According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects &, finally, by infecting the software installers.
3 vendor websites were compromised in ‘watering-hole attacks’, the ICS-CERT advisory stated.
Havex-Infected
“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems & scan victims’ networks for additional ICS/SCADA devices,” according to the DOJ.
The gang allegedly managed to install malware on more than 17,000 unique devices in the US & abroad, including ICS/SCADA controllers used by power & energy companies.
Dragonfly 2.0: Spearphishing a Nuclear Power Plant
Between 2014 & 2017, the campaign entered into what is often referred to as “Dragonfly 2.0,” wherein the suspects allegedly turned their focus to specific energy sector entities & individuals and engineers who worked with ICS/SCADA systems.
This 2nd phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 US & international companies & entities, in addition to US Govt. agencies, e.g. the Nuclear Regulatory Commission (NRC).
The spearphishing attacks sometimes ‘struck gold,’ including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.
Illegal Foothold
“Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers & networks at the victim entity,” according to the US DOJ.
Dragonfly 2.0 also meant a ‘watering-hole attack’ where the alleged attackers exploited publicly known vulnerabilities in content management software (CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system & other energy sector engineers.
Compromised Website
“When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ observed.
The campaign targeted victims in the US & in more than 135 other countries, the Feds. suggested.
The FSB officers are looking at charges of conspiracy to cause damage to the property of an energy facility & to commit computer fraud & abuse, & conspiracy to commit wire fraud.
Akulov & Gavrilov are also charged with counts of wire-fraud & computer-fraud related to unlawfully obtaining information from computers & causing damage to computers. Akulov & Gavrilov are also charged with 3 counts of aggravated identity theft.
Huge Security Holes in Energy Companies
Looking Glass CEO Gilman Louie, an expert on national security & cyber-security who has CIA experience, & who regularly shares or analyses intel with govt. agencies, explained that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They are a “positive move that sends a strong message to cyber-crime & nation-state actors globally,” he commented.
On the less-positive side, a recent Looking Glass cyber profile of the US Energy sector looks bleak.
Many energy companies are ‘sitting ducks,’ with current exposures that have already been exploited by these players in the past, including open ports that enable threat players to gain full remote access.
US Infrastructure
The report found that Russian hackers are already inside US infrastructure. “For years, energy companies have been hammered on securing their operational technology,” Louie noted.
“The Triton attacks show why this is important,” he outlined, but organisations also need to ensure they are improving security on their traditional IT side. He pointed to the Colonial Pipeline attack as showing that adversaries “didn’t need the in-depth knowledge of operational technology, or OT, to shut down the flow of gas or oil.”
5 Years Old
Looking Glass research shows that, across the energy sector, there are vulnerabilities that are more than 5 years old that haven’t been dealt with, Louie said, & open ports like remote desktop that are “basically unprotected doors into an organisation.”
Energy companies need to be patching or updating their systems & shutting those open doors, Louie commented: “If they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it’s not easy to exploit.”
When unsealing the indictments, the govt. noted that it’s taking action to enhance private sector network defence efforts & to disrupt similar malicious activity.
Need to Address
Here is some of what Russia is already doing & what companies need to address before Russia uses these exposures further for attacks that could be bigger than those we have already seen, Looking Glass observed:
- Default Passwords: Not changing a Telnet password, thus leaving Russian actors wide-open access to networks.
- Port 161 – SNMP protocol: The Simple Network Management Protocol (SNMP) uses both port 161 & port 162 for sending commands & messages & is being used by Russia to gain access to network devices & infrastructure.
- Port 139/445 – SMB: The SMB network port is commonly used for file sharing. Russian groups have successfully targeted this port to execute remote code & to steal information, Looking Glass found.
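The exposures listed above, plus the remote-desktop caveat Louie raises, can be turned into a simple inventory check. The following is an added example and is not code from the article or from Looking Glass; the asset inventory, the `default_creds` flag and the `compensating` control tags are constructed assumptions.

```python
"""Added example (not from the article or Looking Glass): flag the external
exposures the article lists (Telnet with default credentials, SNMP 161/162,
SMB 139/445, unprotected Remote Desktop) in a constructed asset inventory."""
from dataclasses import dataclass, field

# Service ports named in the article, mapped to the exposure they represent.
RISKY_PORTS = {
    23: "Telnet (cleartext; check for default password)",
    161: "SNMP agent",
    162: "SNMP trap receiver",
    139: "SMB (NetBIOS session)",
    445: "SMB",
    3389: "Remote Desktop",
}

@dataclass
class Asset:
    host: str
    open_ports: list
    default_creds: bool = False  # assumed inventory flag: vendor password unchanged
    compensating: set = field(default_factory=set)  # assumed tags, e.g. {"vpn", "mfa"}

def findings(asset):
    """Return (severity, message) tuples for one asset, ports in ascending order."""
    out = []
    for port in sorted(asset.open_ports):
        if port not in RISKY_PORTS:
            continue
        label = RISKY_PORTS[port]
        if port == 23 and asset.default_creds:
            out.append(("critical", f"{asset.host}:23 {label} with default credentials"))
        elif port == 3389 and {"vpn", "mfa"} <= asset.compensating:
            # The article's caveat: RDP may stay open only behind layered controls.
            out.append(("info", f"{asset.host}:3389 {label} behind VPN+MFA"))
        else:
            out.append(("high", f"{asset.host}:{port} {label} exposed"))
    return out

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Asset("plc-gw-01", [23, 161], default_creds=True),
    Asset("fileserver", [445, 139]),
    Asset("jump-host", [3389], compensating={"vpn", "mfa"}),
    Asset("hmi-02", [3389, 443]),
]

def report(inventory):
    return [f for a in inventory for f in findings(a)]

if __name__ == "__main__":
    for sev, msg in report(INVENTORY):
        print(f"[{sev.upper():8}] {msg}")
```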
Vulnerabilities
These are just a few examples of vulnerabilities that threat players tied directly to Russia are actively exploiting within US companies, according to Looking Glass’s research.
It is not time to wait for a nuclear-level cyber event, given that threat players are already inside the power infrastructure. Now’s the time for companies to find & mitigate the holes that have let them in, Louie suggested.
“Energy sector entities should be reviewing their digital footprint & taking action to secure their external-facing assets, especially as the threat of Russian cyber-attacks intensifies,” he concluded.