Four Russian nationals who worked for the Russian government were charged in two US indictments last year for their alleged role in hacks carried out by the DragonFly and Triton groups, both of which targeted critical infrastructure around the world.
The indictments were only unsealed on Friday, however, with the US Department of Justice (DOJ) saying the hacking campaigns conducted by the charged individuals targeted hundreds of companies and organisations across 135 countries.
“We face no greater cyber threat than actors seeking to compromise critical infrastructure, offences which could harm those working at affected plants as well as the citizens who depend on them,” District of Columbia attorney Matthew Graves said.
One of the indictments accuses three Russian individuals of being part of the DragonFly group, also known as Energetic Bear and Crouching Yeti, which conducted a two-phased campaign targeting and compromising the computers of hundreds of entities related to the energy sector worldwide. Two websites operated by the San Francisco International Airport were also allegedly hacked by the group in 2020.
Access to such systems provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing, the DOJ said.
In the first phase of this cyberespionage operation, which took place between 2012 and 2014, the conspirators allegedly engaged in a supply chain attack, compromising the computer networks of Supervisory Control and Data Acquisition (SCADA) system manufacturers and software providers and then hiding malware — known publicly as “Havex” — inside legitimate software updates for such systems.
After unsuspecting customers downloaded Havex-infected updates, the conspirators allegedly deployed spear-phishing emails and watering hole attacks, allowing them to install malware on over 17,000 devices, including SCADA controllers used by power and energy companies.
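The Havex phase described above relied on customers installing vendor updates whose contents had been swapped on a compromised download site. The standard control against that vector is to have the installer verify a publisher signature made with a key that never lives on the web server, rather than trusting whatever the site serves. The following Go program is an added illustration of that check; it is not code from the article, the DOJ filings, or any vendor named here. The update bytes, the "scada-client" file name and the key pair are all constructed for the example, and the signing step stands in for a vendor's offline release process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sha256Hex returns the hex SHA-256 of an artefact. A vendor would publish
// this in a release manifest; on its own it only catches accidental
// corruption, because an attacker who controls the download site can
// rewrite the manifest along with the file.
func sha256Hex(artefact []byte) string {
	d := sha256.Sum256(artefact)
	return hex.EncodeToString(d[:])
}

// signRelease models the vendor's offline signing host: it signs the
// artefact digest with a private key that never touches the download server.
func signRelease(priv ed25519.PrivateKey, artefact []byte) []byte {
	d := sha256.Sum256(artefact)
	return ed25519.Sign(priv, d[:])
}

// verifyRelease runs on the customer side before anything is installed.
// It recomputes the digest and checks the signature under the pinned vendor
// public key. A file altered in transit or on a compromised site, or a
// signature made with some other key, fails and the install is refused.
func verifyRelease(pub ed25519.PublicKey, artefact, sig []byte) bool {
	// ed25519.Verify panics on a malformed key, so reject bad lengths first.
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	d := sha256.Sum256(artefact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	// Constructed sample key pair; in practice the public half is shipped
	// with the installer and the private half stays offline at the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a SCADA client update package.
	genuine := []byte("scada-client-2.1.0.msi: constructed sample bytes")
	sig := signRelease(priv, genuine)

	// What a compromised download site might hand out under the same name.
	trojanised := append([]byte{}, genuine...)
	trojanised = append(trojanised, []byte(" + implanted payload")...)

	fmt.Println("manifest sha256:    ", sha256Hex(genuine))
	fmt.Println("genuine verifies:   ", verifyRelease(pub, genuine, sig))
	fmt.Println("trojanised verifies:", verifyRelease(pub, trojanised, sig))
}
```

The point of the design is where the trust anchor sits: the public key is pinned inside the installer that customers already have, so an attacker who has taken over the vendor's web server can replace files and hashes but cannot produce a signature that verifies. The residual risks are a compromised signing host or a compromised build pipeline upstream of signing, which is why the signing key is kept offline and separate from the systems that publish releases.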
After pausing activities for two years, the group then resumed operations, under the moniker of Dragonfly 2.0, to deploy spear-phishing emails, watering hole attacks, and a range of malware in an effort to infect energy companies once again. Over two dozen energy companies and utility providers in the US and Europe were attacked as part of this second phase of cyber espionage activity.
The three Russian nationals have been charged with conspiracy to cause damage to the property of an energy facility, committing computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft.
Two of the three charged individuals could face up to 47 years in prison.
The second indictment alleges another Russian national was part of the Triton hacker group, helping the group cause two separate emergency shutdowns at a Schneider Electric facility based in the Middle East.
That individual subsequently made an unsuccessful attempt to hack the computers of a US company that managed similar critical infrastructure entities in the United States, the indictment alleges.
The Russian national charged in the second indictment faces one count each of conspiracy to cause damage to an energy facility, attempt to cause damage to an energy facility, and conspiracy to commit computer fraud. If convicted, the alleged Triton hacker could face up to 45 years in prison.
The unsealing of these indictments follows US President Joe Biden earlier this week calling for local organisations to bolster their cyber defence efforts, as Russia is considering conducting cyber attacks in retaliation for the sanctions imposed against the country for its invasion of Ukraine.
“My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks,” Biden said.