US Charges Russian Hackers Over Infamous Triton, Havex Cyberattacks on Energy Sector
The U.S. Government has formally charged four Russian hackers said to be working with a government intelligence agency over a series of high profile cyberattacks that targeted the energy industry in the United States and around the world between 2012 and 2018.
The two indictments, returned over the summer of 2021, and just unsealed today, charge individuals over the high-profile attacks known as “Triton” or “Trisis,” in 2017, and the “Dragonfly” or “Havex” campaigns dating as far back as 2012.
In total, the DOJ says the two hacking campaigns targeted hundreds of companies and organizations across approximately 135 countries.
A June 2021 indictment charges Evgeny Viktorovich Gladkikh, an employee of a Russian Ministry of Defense research institute, and his co-conspirators with causing two separate emergency shutdowns at a targeted foreign facility after deploying the Triton/Trisis malware.
The malware was designed to attack Triconex safety-instrumented systems (SIS) made by industrial giant Schneider Electric.
At SecurityWeek’s 2018 ICS Cybersecurity Conference, Robert M. Lee, CEO of industrial cybersecurity firm Dragos, described Triton/Trisis as “the first piece of malware specifically designed to kill people.”
While the indictment does not name the facility first hit by Triton, it has been known to the security community to be Saudi Arabia-based refining company Petro Rabigh.
After the initial attack on Petro Rabigh in 2017, the group remained active targeting other environments with different safety systems in other regions of the world.
“Between February and July 2018, the conspirators researched similar refineries in the United States, which were owned by a U.S. company, and unsuccessfully attempted to hack the U.S. company’s computer systems,” the DOJ said.
Gladkikh was said to be an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics’ (TsNIIKhM) Applied Developments Center.
After security researchers linked the notorious malware to the Russian institute in 2018, some information was removed or modified on its website when the Triton attack became public.
“Though the Central Scientific Research Institute of Chemistry and Mechanics, the state defense lab responsible for the TRITON malware, has been sanctioned, this is the first time individuals associated with the lab have been targeted. The indictments are personal and are meant to remind the people behind Russia’s cyber attack program that they can’t operate behind the shadows without repercussions,” John Hultquist, VP of Intelligence Analysis at Mandiant, told SecurityWeek in an emailed statement.
The second indictment (from August 2021), the DOJ said, relates to a two-phased campaign by three officers of Russia’s Federal Security Service (FSB): Pavel Aleksandrovich Akulov (36), Mikhail Mikhailovich Gavrilov (42), and Marat Valeryevich Tyukov (39).
The trio were said to be members of a Center 16 operational unit known as “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.”
The indictment alleges that, between 2012 and 2017, Akulov, Gavrilov, and Tyukov hacked into organizations in the energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies in an effort to gain persistent access to networks and SCADA systems.
“Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,” the DOJ said.
In the first phase of the campaign, which took place between 2012 and 2014, the DOJ said the attackers “engaged in a supply chain attack, compromising the computer networks of ICS/SCADA system manufacturers and software providers and then hiding malware – known publicly as ‘Havex’ – inside legitimate software updates for such systems.”
Their efforts resulted in malware being installed on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies, according to the indictment.
The second phase, which took place between 2014 and 2017, is commonly referred to as “Dragonfly 2.0.” In this phase, the attackers zeroed in on specific energy sector entities and individuals who worked with ICS/SCADA systems.
Back in 2017, Symantec linked the Dragonfly 2.0 attacks to earlier Dragonfly campaigns based on the use of watering holes, spearphishing emails, trojanized applications, and the same malware families, including the Heriplor backdoor that appeared at the time to be exclusively used by the group.
“In some cases, the spearphishing attacks were successful,” the DOJ explained, “including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.”
“Until now, the details of the organization behind this activity have not been public,” Hultquist commented. “While we have significant details about the GRU operators who carry out disruptive and destructive cyberattacks, the FSB’s connection had not yet been publicly exposed. The actor has been involved in repeated attempts to gain access to US and European critical infrastructure across multiple sectors, including utilities, manufacturing, airports and others. We are concerned that while there have been significant remediation efforts after each of the intrusion campaigns, the actor may retain some access.”
“Notably, we have never seen this actor actually carry out disruptive attacks, just burrow into sensitive critical infrastructure for some future contingency,” Hultquist said. “Our concern with recent events is that this might be the contingency we have been waiting for.”
CISA Response and Defender Resources
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and the Department of Energy released a joint advisory detailing the campaigns attributed to the Russian hackers, along with historical tactics, techniques, and procedures as well as mitigations organizations can take now to protect their networks.
While Dragos’ Lee commended CISA for providing additional information alongside the DOJ indictment, he cautioned organizations running OT environments to not follow all the advice in the advisory.
“Lots of great info but please don’t follow their mitigation advice for ICS. It’s not practical & in some cases dangerous,” Lee wrote on Twitter.
“The document has lots of good info in it as a recap of these intrusions for folks,” he continued. “But the mitigation advice is largely not related, much of it is ridiculously out of touch with industrial ops, and some is dangerous.”
In a Twitter rant, Lee called out several specific items of advice from CISA as being irrelevant or outright dangerous for ICS environments.
“Under ICS best practices they note you should update all software,” he noted. “This will literally bring down most environments, may void certain OEM warranties, and will absolutely rightfully piss off all your operations staff. It also is irrelevant to the attacks that were highlighted.”
“These indictments are a warning shot meant for the organizations and individuals behind two of the three Russian intrusion groups who carry out disruptive cyberattacks. Individuals from the third group, Sandworm, have already been indicted. These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon,” Mandiant’s Hultquist said.
Related: In the video below Robert M. Lee presents, “Hunting for Xenotime, Creators of TRITON-TRISIS ICS Malware” at SecurityWeek’s 2018 ICS Cybersecurity Conference.
Related Resource: MITRE ATT&CK Knowledge Base for ICS