DOJ Reveals Indictments Against Russian Energy Hackers

Operation Alleged to Have Begun in 2012

Clockwise from top left: Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, Marat Valeryevich Tyukov and Evgeny Viktorovich Gladkikh have been charged with computer hacking operations targeting energy companies in the U.S. | U.S. Department of State

Mar 27, 2022 | Holden Mann

The U.S. Department of Justice unveiled charges against four Russian state-sponsored hackers for compromising energy companies in the U.S. and abroad.

The U.S. Department of Justice revealed on Thursday that it has charged four Russian nationals for “attempting, supporting and conducting” computer hacking operations against the global energy sector, including electric utilities within the U.S.

In a media statement, DOJ officials said that the charges comprise two separate cases filed last year. The first set of charges was brought in June 2021 by a federal grand jury in D.C.

According to the indictment, Evgeny Viktorovich Gladkikh, a computer programmer working for Russia’s Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) allegedly worked with unnamed co-conspirators between May and September 2017 to hack into industrial control systems (ICS) and operational technology (OT) networks of an oil refinery outside the U.S. They later attempted a similar operation at a U.S. refinery but were unable to hack into the system at all.

The group installed malware on the foreign refinery’s network that was intended to disable the refinery’s safety systems, but when they deployed the malware, it instead caused “a fault that led the refinery’s … safety systems to initiate two automatic emergency shutdowns of the refinery’s operations.”

Gladkikh faces one count of conspiracy to cause damage to an energy facility, one count of attempt to cause damage to an energy facility and one count of conspiracy to commit computer fraud. The first two charges carry maximum sentences of 20 years in prison, while the last carries a penalty of up to five years.

Security Officers Targeted Power Plants

The other case involves Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, all officers in Russia’s Federal Security Service (FSB). A federal grand jury in Kansas brought the charges in August of last year, accusing the three men of a five-year operation targeting the supervisory control and data acquisition (SCADA) systems in U.S. energy facilities.

The plan had two stages: First, beginning in 2012, the defendants compromised the computer networks of ICS and SCADA system manufacturers and software providers and hid malware, dubbed “Havex” by cybersecurity researchers, in the update channels for their software products — a very similar plot to the 2020 hack of the SolarWinds Orion network management platform, also attributed to Russian hackers. (See FERC, E-ISAC Report Details Reach of SolarWinds Compromise.) According to the government, the group was able to install malware on more than 17,000 devices in the U.S. and overseas, including its targets in the energy sector.

In the second stage, the hackers shifted tactics to compromise specific energy sector entities, as well as individuals and engineers working with ICS and SCADA systems. This phase brought spearphishing attacks against more than 3,300 users in both the private and public sector. Successfully compromised targets included the Wolf Creek Generating Station, a nuclear plant in Kansas, although the release said the hackers only gained access to the plant’s business network, not the SCADA systems.

Akulov, Gavrilov and Tyukov face multiple counts, including conspiracy to cause damage to the property of an energy facility, conspiracy to commit wire fraud and aggravated identify theft. All of the charges carry maximum sentences of five to 20 years in prison, except for the identify theft charge, which carries a minimum sentence of two years in addition to any other sentences imposed.

Russia’s Continuing Cyber Threat

At the same time DOJ released news of the charges, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a release providing more detail on the suspects’ hacking operations. The U.S. State Department also added the four men to its Rewards for Justice page, offering rewards of up to $10 million for “information leading to [their] identification or location.”

Concern over Russian hacking capabilities has been growing for years; DOJ previously charged six Russian military intelligence officers for cyberattacks against Ukraine’s power grid in 2015 and 2017, along with attacks on the 2018 Winter Olympics in South Korea and others. (See Six Russians Charged for Ukraine Cyberattacks.) Those fears have only grown more acute following Russia’s invasion of Ukraine last month, with experts warning that Russian President Vladimir Putin could lash out with electronic warfare as conventional military operations lose momentum. (See Experts Warn Cyberwar Still Possible.)

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa Monaco. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

FERC & Federal