The Department of Justice recently unsealed two indictments charging four Russian government employees for targeting critical infrastructure in 135 countries, including the United States. Three of the four are officers within the Russian Federation’s Federal Security Service (FSB) and the fourth is associated with Russia’s Ministry of Defense.
Concurrent with the unsealing of the indictments, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory, together with DHS and the FBI, which provides information security teams with technical details, indicators of compromise, and mitigation measures.
It is noteworthy that the unsealing of these indictments is part of a broader, whole-of-government effort to provide as much information as possible to the private sector about the threat posed by Russia's cyber attack apparatus. None of the four defendants is in U.S. custody; all are presumed to be in Russia.
Russian Ministry of Defense (MOD)
The June 2021 indictment of Evgeny Viktorovich Gladkikh centers on the Russian Ministry of Defense's efforts to damage critical infrastructure outside of the United States. Those efforts were successful: on two separate occasions, according to the DOJ, the targeted foreign facility was forced to execute emergency shutdowns. Subsequently, Gladkikh and his colleagues within the MOD "attempted to hack the computers of a U.S. company that managed similar critical infrastructure entities in the United States."
They also targeted industrial control systems and operational technology. The group successfully hacked into the systems of a foreign refinery and installed malware on a Schneider Electric safety system.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”
Russian Federal Security Service (FSB)
Two months later, in August 2021, the DOJ indicted Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, all FSB officers associated with Military Unit 71330, or "Center 16", for conducting a two-phase effort targeting hundreds of entities within the energy sector. Had they been fully successful, the DOJ tells us, the Russian government would have had the "ability to, among other things, disrupt and damage such computer systems at a future time of their choosing."
As noted, the trio were associated with the "Center 16" operations unit, which, the DOJ tells us, has been identified by the cybersecurity research community as "Dragonfly," "Berserk Bear," "Energetic Bear," and "Crouching Yeti." Their mission was to obtain and sustain surreptitious access to the computer networks of companies in the energy sector (oil, gas, nuclear power plants, utilities, and transmission companies). Especially noteworthy was the effort made by the trio and their compatriots to compromise and gain a foothold in ICS (industrial control systems) and SCADA (supervisory control and data acquisition) systems. In plain terms, their mission was to position the Russian Federation to disrupt U.S. critical infrastructure on command.
According to the DOJ, the group succeeded in compromising the business network of the "Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, KS, which operates a nuclear power plant." The Kansas Electric Power Cooperative was also affected.
U.S. Attorney Duston Slinkard for the District of Kansas highlighted, "The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today's world. We must acknowledge there are individuals actively seeking to wreak havoc on our nation's vital infrastructure system, and we must remain vigilant in our effort to thwart such attacks."
Chief Security Officers, Chief Information Security Officers, Facility Security Officers and their respective teams will be well served by reviewing not only the substantive CISA/DHS/FBI documents but also the indictments themselves. The indictments describe the technical aspects of the Russian efforts in detail and will help security leaders articulate and explain the threat to both employees and senior management.
The Department of State has issued a reward of up to $10 million for information leading to the arrest of the defendants or the identification of their co-conspirators.