US DoJ reveals Russian supply chain attack targeting energy sector

Poisoned SCADA apps could have disrupted power supply – perhaps even at nuclear plants


The United States Department of Justice has unsealed a pair of indictments that detail alleged Russian government hackers' efforts to use supply chain attacks and malware in an attempt to compromise and control critical infrastructure around the world – including at least one nuclear power plant.

The documents detail two conspiracies said to have run from 2012 to 2018 and "targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries."

One of the indictments, United States v. Pavel Aleksandrovich Akulov, et al [PDF] describes a campaign undertaken by individuals the DoJ has characterized as "three officers of Russia's Federal Security Service (FSB)" who worked in teams code-named "Berzerk Bear" and "Energetic Bear".

The trio allegedly spent 2012 to 2014 working on a project code-named "Dragonfly" during which a supply chain attack targeted updates of industrial control systems and supervisory control and data acquisition systems (ICS and SCADA). Legitimate updates to that software were infected with malware named "Havex" that allowed the attackers to create back doors and scan networks for more targets. Over 17,000 devices were infected in the US alone. The indictment states that their efforts gave Russia the chance to "damage such computer systems at a future time of its choosing."

From 2014 to 2017 the crew moved on to "Dragonfly 2.0" and "transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA system."

Legitimate updates to ICS and SCADA software were infected with malware

That campaign included a spear phishing attack that the DoJ states compromised machines at "the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant."

The other indictment [PDF] describes the activities of a chap named Evgeny Viktorovich Gladkikh, who worked for the Russian Ministry of Defense, according to the DoJ.

In 2017, Gladkikh is alleged to have targeted refinery safety systems made by Schneider Electric with malware named "Triton" or "Trisis".

Triton/Trisis was spotted in the wild in 2017, when it was observed attacking targets in the Middle East and rated as the work of a nation-state attacker.

Whatever the name, it's nasty code. The DoJ says it can make refinery safety systems operate in an unsafe fashion while leaving the compromised controllers reporting that all is well. Thankfully, running the malware caused a fault that prompted the Schneider products to initiate emergency shutdowns rather than allow worse damage.

The 2017 attacks took place outside the United States. In 2018, Gladkikh tried the same malware on US targets, but failed.

Both indictments were filed in 2021 and the DoJ does not mention whether any arrests have taken place. The accused are Russian nationals, though, and the USA and Russia do not have an extradition treaty. And given that relations between the two nations are at a post-Cold-War low point, the chances that the four named individuals will ever see handcuffs or grace a stateside courtroom are very low.

The DoJ has used the unsealing of the indictments to remind US businesses that they are constantly at risk of cyber attacks, reinforcing White House messaging issued earlier this week about Russia preparing revenge attacks on US targets as reprisal for sanctions imposed in the wake of the Kremlin's illegal invasion of Ukraine. The USA has also repeatedly stated it is working to improve its capability to detect, defend against, and aggressively disrupt foreign actors that target its private and public sectors.

Of course the US itself has form executing attacks not entirely dissimilar to those described in the indictments. The Stuxnet worm that rampaged through industrial control systems around the world is widely held to have started life as an American attack on Iran's nuclear capabilities.

All's fair in love and … the other thing. ®
