The US unveiled criminal charges against four Russian government officials on Thursday, saying they engaged in two major hacking campaigns between 2012 and 2018 that hit the global energy sector and affected thousands of computers in 135 countries.
In one now-unsealed indictment from June 2021, the Justice Department accused Evgeny Viktorovich Gladkikh, a Russian Ministry of Defence Research Institute employee, of conspiring with others between May and September 2017 to hack the systems of a foreign refinery and install malware known as “Triton” on a safety system produced by Schneider Electric.
In a second unsealed indictment from August 2021, the Justice Department said three other alleged hackers from Russia’s Federal Security Service (FSB) carried out cyber attacks on the computer networks of oil and gas firms, nuclear power plants, and utility and power transmission companies around the world between 2012 and 2017.
The three Russians accused in that case are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.
The Justice Department unsealed the two cases days after US President Joe Biden warned of “evolving intelligence” suggesting the Russian government is exploring options for more potential cyber attacks in the future.
“The conduct alleged in these charges is the kind of conduct that we are concerned about under the current circumstances,” a US official said.
“These charges show the dark art of the possible when it comes to critical infrastructure.”
The official added that the four accused Russians are not in custody, but the department decided to unseal the indictments because they determined the “benefit of revealing the results of the investigation now outweighs the likelihood of arrests in the future".
The 2017 attack stunned the cyber security community when it was made public by researchers later that year because — unlike typical digital intrusions aimed at stealing data or holding it for ransom — it appeared aimed at causing physical damage to the facility itself by disabling its safety system.
In 2019, those behind Triton were reported to be scanning and probing at least 20 electric utilities in the US for vulnerabilities.
The following year — two weeks before the 2020 US presidential election — the Treasury Department sanctioned the Russian government-backed Central Scientific Research Institute of Chemistry and Mechanics where Mr Gladkikh is believed to have worked.
The news of the indictment represents “a shot across the bow” to any Russian hacking groups who might be poised to carry out destructive attacks against US critical infrastructure, said John Hultquist of the cyber security firm Mandiant.
Now that these criminal charges are public, he added, the US has “let them know that we know who they are".
An FBI official told reporters that these cases underscore the continued threat posed by Russian cyber operations and urged companies to “lock their cyber doors".
A department official said that additional related actions by other federal agencies are expected to be announced soon.
