Press release from the FBI
Three Charged in Cyber Campaign Targeting the Energy Sector
The Department of Justice unsealed indictments against three Russians alleged to be responsible for a long-running and persistent campaign to target and infiltrate the networks of critical infrastructure in the United States and worldwide.
The charges allege Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov were part of a Russian intelligence operational unit that security experts dubbed “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.” The unit is part of an entity called Center 16 in the Russian Federal Security Service (FSB)—a successor agency to the Soviet KGB.
The alleged operation occurred in two phases. The first involved deploying a custom malware implant known to cybersecurity experts as Havex, which infected a significant number of organizations in the global energy sector. The second phase included targeted compromises of energy sector entities and individuals and engineers who worked with industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Collectively, these intrusions could have had a devastating impact on energy delivery worldwide.
The first phase stretched between at least 2012 and 2014 and resulted in Havex being downloaded onto more than 17,000 unique devices in the United States and other nations. An FBI intelligence analyst who worked on the case said the group had used a combination of techniques to deploy Havex, including sweeping efforts to cast a wide net across the global energy sector, but also well-researched and targeted techniques to reach specific companies and individuals.
Among the more alarming techniques used with Havex was the conspiracy’s compromise of a company that manufactures equipment and software used by ICS/SCADA systems. These are the control and safety mechanisms that exist within energy production facilities and other operational environments. For safety reasons, these are typically closed systems. But because the group had gained access into the systems of a company that provides a component of these systems, they were able to hide their malware within software updates offered by the company—a technique known as a supply chain attack.
Regardless of how the Havex malware was deployed, the analyst said it could be tailored for a variety of uses, including gathering credentials and scanning for human-machine interfaces. “That means the ways a human may interface with the system to tell it what to do,” he said. “If that interface is connected to a network, you have the potential for a remote actor to send instructions to a critical network.” In 2014, the group ceased using Havex after it was publicly exposed, and they began evolving the operation.
The second phase involved targeted intrusions of energy sector companies, including an intrusion in 2017 of the business network of a nuclear power plant in Kansas. This business network was not directly connected to any ICS/SCADA devices. An FBI special agent who investigated the case said they found no evidence that the hackers took any sensitive data of intelligence value, and it appeared the goal was simply to gain and maintain access. “Meaning that, at a later date, they could have used this access to affect or damage the energy grid or other critical operations within the United States,” the agent explained.
The Kansas intrusion in 2017 was part of a multipronged attack. “When we peeled away at the onion, we found this was a much larger campaign targeting the global energy sector to the tune of about 500 companies worldwide,” said the agent. “We believe they targeted nearly 3,300 people through a months-long spearphishing campaign.” As part of this phase, the group is also accused of breaching the network of a U.S. construction company. Access to that network allowed the group to send legitimate-looking emails with the resume of an individual claiming to have industry-specific skills. The resume contained malicious code that victims could inadvertently download when they reviewed the document.
The group had also compromised multiple websites, including those of industry publications read by engineers in the energy sector. Those sites became what cybersecurity experts call watering holes, where the site itself is seeded with malicious code that visitors can inadvertently download.
Investigators came to understand the group’s efforts in 2017 were a continuation of activity stretching back to their use of Havex years before, demonstrating Russia’s concerted efforts over many years to gain access to U.S. critical infrastructure. This group is still in operation, and it continues to evolve.
The analyst said some of the most disturbing elements in this case were signs that, as the group’s efforts evolved, they sought ways to re-access these systems without leaving detectable evidence. “Essentially, they wanted to steal the keys to the door, so they no longer needed to stick something in the doorjamb or leave something else behind,” he said. “It’s a stealthier way to maintain long-term access and a clear indication that the intent was to have that access available if they needed it in the future.”
All of this highlights why law enforcement action is so important. By naming these individuals, we limit their ability to travel outside of Russia, limit their future usefulness to their intelligence service employer, and limit future employment options with law-abiding private sector entities. All of this may also cause other Russian citizens with cyber skills to choose a more respectable employment path that does not limit their future opportunities. It also puts more attention and pressure in the international community on nation-states and the cybercriminals they sponsor, since exposing Russia’s activity against the energy sectors and critical infrastructure of countries worldwide shows Russia’s willingness and intent to engage in disruptive, destabilizing, and often counter-normative activity, even in peacetime.
This case is also a reminder that cybersecurity must be a priority for every organization—even those who don’t work with sensitive materials or on critical infrastructure. “In this case and so many others, victim companies that provide an easier entry point can provide criminals a way into higher-level, more critical targets,” the agent said. “Cybersecurity is quite simply at the heart of our national security.”
The Department of Justice also indicted an employee of a research entity within the Russian Ministry of Defense on charges that he infiltrated and compromised critical safety equipment within an energy facility in an identified foreign country and, as part of the same conspiracy, attempted to do the same to the equipment of similar facilities in the United States.
Evgeny Gladkikh is accused of using the Triton malware to gain control of the systems used to ensure the safe operation of a foreign natural gas refinery. The conspirators designed the malware to, among other things, disable safety controls on physical equipment without alerting employees monitoring that equipment. The malware caused the safety system to briefly shut down on two occasions and had the potential to cause an explosion or the release of a toxic gas by affecting the plant’s sulphur recovery efforts and burner management mechanisms.
Gladkikh’s later, similar intrusion attempts targeting a U.S. company that operated similar plants in the United States were unsuccessful.
An FBI Cyber Division special agent who worked on the case said the FBI has several important goals related to this announcement. The first is to help the American public better understand the ongoing threat from cyber actors supported by Russia. Disabling the safety controls at a power plant could not only shut off power—it could also cause physical damage to the plant, the release of toxic chemicals, or physical injury or death.
The Russian Ministry of Defense entity behind Triton has a more than century-long history of developing cutting-edge weapons, both cyber and physical. “We’ve seen ransomware attacks and other malware that can shut down a facility,” the agent said. “The potential impact here is more dangerous. This could actually allow an actor to trick a plant’s operators into thinking that the plant is functioning normally, while the actor leverages access to a plant’s system for destructive effect, with consequences for human life and safety at both the plant and the areas it serves.”
The second key goal is to raise greater awareness in the energy sector of the risks of cyberattacks. “We are seeing malware being developed specifically for this industry,” the agent said. The Triton malware was created to target the industrial control systems in these plants, which are specifically designed to support their safe operation. “The industry needs to take the risks seriously.”
“Downtime is a really worrying thing for these facilities,” the agent explained. It is a common reason companies resist addressing a growing cyber threat. The time and resources required are not easy for any business or organization to absorb—and for an energy company or critical service provider, it’s even harder.
The final goal is to continue to impose consequences on cyber criminals and the nation-states that support this activity. “Our intention is to discourage the actors who have conducted or are considering similar cyberattacks,” the agent said. “If they ever wanted to participate in the international community—through work, travel, or otherwise—those opportunities will disappear.”