Four Russians Charged with Dragonfly Attacks on Critical Infrastructure

The US authorities have revealed indictments charging Russian state hackers with carrying out a string of attacks against global energy firms over a six-year period.

The first indictment originally returned in June 2021 involves Evgeny Viktorovich Gladkikh, a computer programmer with the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics.

He reportedly hacked industrial control systems (ICS) and operational technology (OT) between May and September 2017. This included attacks on a Middle East oil refinery using the Triton malware, which forced two emergency shutdowns.

Gladkikh then tried to probe US refineries the following year, along with co-conspirators, according to the Department of Justice (DoJ).

The second indictment, returned in August 2021, involves three FSB officers said to be members of the infamous Dragonfly group (aka Energetic Bear, Crouching Yeti): Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.

Between 2021 and 2017, the indictment alleges that the three gained covert access to energy sector networks, including SCADA and ICS systems in oil and gas firms, nuclear power plants and utility and power transmission companies.

The first stage of the attack, between 2012 and 2014, involved hiding Havex malware in legitimate software updates for ICS/SCADA systems and spear-phishing and watering hole raids. This enabled them to install malware on more than 17,000 unique devices in the US and elsewhere, the DoJ said.

The second phase, “Dragonfly 2.0,” ran from 2014 to 2017 and involved targeting more than 3300 users at over 500 US and international organizations, including US government agency the Nuclear Regulatory Commission and the Wolf Creek Nuclear Operating Corporation.

After establishing a foothold in victim networks, the conspirators moved laterally to access other computers and networks, the DoJ said.

The news will be particularly concerning given the risks of new offensive Russian activity in the US following its invasion of Ukraine.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa Monaco.

“Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”