US DoJ reveals Russian supply chain attack targeting energy sector

The United States Department of Justice has unsealed a pair of indictments that detail alleged Russian government hackers' efforts to use supply chain attacks and malware in an attempt to compromise and control critical infrastructure around the world – including at least one nuclear power plant.

The documents detail two conspiracies said to have run from 2012 to 2018 and "targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries."

One of the indictments, United States v. Pavel Aleksandrovich Akulov, et al [PDF] describes a campaign undertaken by individuals the DoJ has characterized as "three officers of Russia's Federal Security Service (FSB)" who worked in teams code-named "Berzerk Bear" and "Energetic Bear".

The trio allegedly spent 2012 to 2014 working on a project code-named "Dragonfly" during which a supply chain attack targeted updates of industrial control systems and supervisory control and data acquisition systems (ICS and SCADA). Legitimate updates to that software were infected with malware named "Havex" that allowed the attackers to create back doors and scan networks for more targets. Over 17,000 devices were infected in the US alone. The indictment states that their efforts gave Russia the chance to "damage such computer systems at a future time of its choosing."

From 2014 to 2017 the crew moved on to "Dragonfly 2.0" and "transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA system."

Legitimate updates to ICS and SCADA software were infected with malware

That campaign included a spear phishing attack that the DoJ states compromised machines at "the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant."

• Distributor dumps Kaspersky to show solidarity with Ukraine
• Researchers warn of unpatched remote code execution flaws in Schneider Electric industrial gear
• Stuxnet sibling theory surges after Iran says nuke facility shut down by electrical fault
• Russian IT pros flee Putin, says tech lobby group

The other indictment [PDF] describes the activities of a chap named Evgeny Viktorovich Gladkikh, who worked for the Russian Ministry of Defense, according to the DoJ.

In 2017, Gladkikh is alleged to have targeted refinery safety systems made by Schneider Electric with malware named "Triton" or "Trisis".

Triton/Trisis was spotted in the wild in 2017, when it was observed attacking targets in the Middle East and rated as the work of a nation-state attacker.

Whatever the name, it's nasty code. The DoJ says it can make safety refineries work in an unsafe fashion but leave the compromised code reporting all is well. Thankfully, running the malware caused a fault that prompted the Schneider products to initiate emergency shutdowns rather than allow worse damage.

The 2017 attacks took place outside the United States. In 2018, Gladkikh tried the same malware on US targets, but failed.

Both indictments were filed in 2021 and the DoJ does not mention if any arrests have taken place. The accused are Russian nationals, though, and the USA and Russia do not have an extradition treaty. And given relations between the two nations are at post-Cold-War low point, the chances the four named individuals will ever see handcuffs or grace a stateside court room are very low.

The DoJ has used the unsealing of the indictments to remind US businesses that they are constantly at risk of cyber attacks, reinforcing White House messaging issued earlier this week about Russia preparing revenge attacks on US targets as reprisal for sanctions imposed in the wake of the Kremlin's illegal invasion of Ukraine. The USA has also repeatedly stated it is working to improve its capability to detect, defend against, and aggressively disrupt foreign actors that target its private and public sectors.

Of course the US itself has form executing attacks not entirely dissimilar to those described in the indictments. The Stuxnet worm that rampaged through industrial control systems around the world is widely held to have started life as an American attack on Iran's nuclear capabilities.

All's fair in love and … the other thing. ®