The U.S. government on Thursday released a cybersecurity advisory outlining multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted the energy sector in the U.S. and beyond.
"The [Federal Security Service] conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data," the U.S. government said, attributing the attacks to an APT actor known as Energetic Bear.
In addition, the Justice Department charged four Russian government employees, including three officers of the Russian Federal Security Service and a computer programmer at the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), for their roles in carrying out the attacks on oil refineries, nuclear facilities, and energy companies.
The four Russian nationals are Pavel Aleksandrovich Akulov(36), Mikhail Mikhailovich Gavrilov (42), and Marat Valeryevich Tyukov (39), and Evgeny Viktorovich Gladkikh (36). But in the absence of an extradition treaty between the U.S. and Russia, the chances that the four individuals will be brought to trial in the U.S. are slim.
The seven-year-long global energy sector campaign is said to have taken advantage of spear-phishing emails, trojanized software updates, and redirects to rogue websites (aka watering holes) to gain initial access, using it to deploy remote access trojans like Havex on compromised systems.
The energy sector attacks, which took place in two phases, involved deploying malware on an estimated 17,000 unique devices in the U.S. and abroad between 2012 and 2014, alongside targeting 3,300 users at more than 500 U.S. and international companies and entities from 2014 to 2017.
Also detailed by the security agencies is a 2017 campaign engineered by cyber actors with ties to TsNIIKhM with the goal of manipulating the industrial control systems of an unnamed oil refinery located in the Middle East by leveraging a piece of malware called TRITON.
"TRITON was designed to specifically target Schneider Electric's Triconex Tricon safety systems and is capable of disrupting those systems," the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) said.
Collectively, the hacking campaigns are alleged to have singled out thousands of computers, at hundreds of companies and organizations, in approximately 135 countries, the FBI said.
"The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today's world," said U.S. Attorney Duston Slinkard for the District of Kansas. "We must acknowledge there are individuals actively seeking to wreak havoc on our nation's vital infrastructure system, and we must remain vigilant in our effort to thwart such attacks."