The United States Department of Justice unsealed two indictments in March involving four Russian government employees who have been charged in connection with two separate hacking conspiracies targeting the global energy sector.  These campaigns took place between 2012 and 2018 and affected thousands of computers, hundreds of organizations, and approximately 135 countries.

These indictments were unsealed just days after President Joe Biden publicly warned US business executives that Russia is exploring using cyberattacks as part of its offensive strategy during its continued attacks on Ukraine.  Biden warned that the private sector needed to strengthen its cyber defenses, and that Russia’s capacity to deploy cyberattacks is “fairly consequential, and it’s coming.”

These unsealed indictments underscore the President’s somber message.  U.S. companies—particularly energy sector companies—must turn their attention to investing even more in their cyber infrastructure.

Below, we break down the indictments and highlight some of the tactics allegedly used by the Russian-backed hackers.

The Indictments

(1) S. v. Gladkikh

The first of these indictments, United States v. Evgeny Viktorovich Gladkikh, relates to the Compromise of a Middle East-based energy sector organization. In connection with this campaign, an employee of the Russian Ministry Defense research institute allegedly attempted to damage critical energy infrastructure outside of the US, which resulted in two separate emergency shutdowns at the targeted facility.  The conspirators additionally attempted to hack the computers of a US company managing similar critical energy.

The indictment alleges that Gladkikh was an employee of the State Research Center of the Russian Federal FGUP Central Scientific Research Institute of Chemistry and Mechanics’ (“Research Center”) Applied Developments Center (“ADC”).  The Research Center has identified itself as the Russian Ministry of Defense’s leading research organization, and ADC has stated that it engaged in research regarding information technology-related threats to critical infrastructure—an attempt to suggest its research was defensive in nature and focused on protecting Russia from threats, and not offensive in nature as these hacks would be considered.

According to the indictment, however, Gladkikh’s role was to hack industrial control systems and operational technology of global energy facilities to enable future attacks and damage.  Gladkikh is accused of hacking a foreign refinery to install malware that would prevent its safety systems from operating.  Luckily, the installation of the malware led to a fault that initiated two automatic emergency shutdowns, preventing any major harm.  Gladkikh has been charged with one count of conspiracy to cause damage to an energy facility (which carries a maximum sentence of 20 years in prison), one count of attempt to cause damage to an energy facility (also carrying a maximum sentence of 20 years), and one count of conspiracy to commit computer fraud (carrying a maximum sentence of five years).

(2) S. v. Akulov

The other indictment, United States v. Pavel Aleksandrovich Akulov, et al., relates to the Global Energy Sector Intrusion Campaign, which occurred from approximately 2011 through 2018 and targeted US and international energy sector networks.  This compromise included a two-phased campaign to disrupt energy sector entities.  The indictment involves three officers of Russia’s Federal Security Service.  These hackers, along with their co-conspirators, allegedly targeted and compromised the computers of hundreds of energy-sector entities across the globe.  The hack enabled the conspirators to access the computers and disrupt and damage those computers at a later time of their choosing.  The co-conspirators targeted a variety of organizations in the energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.

As the first phase of this campaign, the conspirators engaged in supply chain attacks, compromising computer networks for industrial control system manufacturers and software providers to hide malware inside of legitimate software updates for these systems.  Unsuspecting customers would then download the software updates along with the malware, which created backdoors into a now-infected system, giving the hackers access to those systems.  This malware was installed onto more than 17,000 unique devices in the U.S. and abroad.

The second phase of this campaign included more targeted compromises focused on specific energy sector entities and individuals, including engineers working on industrial control systems.  This phase targeted more than 3,300 users at over 500 companies and entities, as well as U.S. government agencies.  The hackers used tactics including spear phishing (i.e., sending emails that appear to be from a known or trusted sender to induce a target to reveal confidential information) and watering hole attacks (i.e., infecting a website typically used by workers within a specific industry and luring them to a malicious site) for both phases of this campaign.

The three Federal Security Service employees, along with their co-conspirators, are charged with conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse (carrying a maximum sentence of five years) and conspiracy to commit wire fraud (carrying a maximum sentence of 20 years).  Two of the employees are also charged with substantive counts of wire fraud and computer fraud (carrying a maximum sentence ranging from five to 20 years) and three counts of aggravated identity theft (each count carrying a minimum sentence of two years).

***

Concerns about cyber threats to the energy sector continue to grow, and rightfully so, especially as sanctions and other measures are aimed at Russia in light of its military campaign against Ukraine.  The two indictments discussed above show the profound impact these types of hacks can have, and the sophistication of the state-sponsored hackers who are targeting energy infrastructure.

In our next post, we will dive into the Cybersecurity Advisory released jointly by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Energy, which was published concurrently with the DOJ’s unsealing of the indictments.