© 2023 CyberNews - Latest tech news, product reviews, and analyses.

Russian govt employees indicted for global attacks on energy firms

Four Russian government employees face charges over Triton/Trisis and Dragonfly attacks. The timing signals to Russia's cyber warriors that they're not leaving the country soon.

The US Department of Justice (DoJ) unsealed two major indictments, charging four Russian nationals working for the nation's government.

They're believed to be involved in targeting the global energy sector between 2012 and 2018 with cyberattacks. The accused allegedly targeted organizations in 135 countries.

John Hultquist, VP of Intelligence Analysis at Mandiant, says the timing of the indictments is meant as a warning shot for people behind Russia's state-sponsored hacking groups.

"These actions are personal and are meant to signal to anyone working for these programs that they won't be able to leave Russia anytime soon," Hultquist said.

Dragonfly attacks

One of the indictments charged Russian Federal Security Service (FSB) officers Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov.

According to the statement, the trio were members of an operational unit better known by the names 'Dragonfly,' 'Berzerk Bear,' 'Energetic Bear,' and 'Crouching Yeti.'

Akulov, Gavrilov, Tyukov, and their co-conspirators allegedly breached the IT systems of energy sector firms on behalf of the Russian government 'to maintain surreptitious, unauthorized and persistent access.'

The DoJ claims that Russia's state hackers targeted the software and hardware that controls equipment in power generation facilities, known as industrial control systems (ICS) or Supervisory Control and Data Acquisition (SCADA) systems.

"Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing," reads the statement.


In the first phase of the attack, from 2012 to 2014, the threat actors carried out a supply chain attack: they compromised computer networks and hid the Havex malware inside legitimate software updates.

It is estimated that the attacks infected 17,000 unique devices in the United States and abroad, including critical controllers used by power and energy companies.

In the second phase of the attack, from 2014 to 2017, Russia's hackers targeted more than 3,300 users at more than 500 US and international companies and entities.

The attacks also focused on individuals and companies that worked with ICS/SCADA systems.

One of the successful attacks penetrated systems of the Wolf Creek Nuclear Operating Corporation, a nuclear power plant operator.

Triton malware

The DoJ also charged Evgeny Viktorovich Gladkikh, a Russian Ministry of Defense research institute employee, and two co-conspirators for the Triton malware attack targeting oil refineries in Saudi Arabia.

"The conspirators designed the Triton malware to prevent the refinery's safety systems from functioning, granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm," reads the DoJ statement.

The malware caused a fault that led the refinery's safety systems to initiate two automatic emergency shutdowns of the refinery's operations.

According to the DoJ, the conspirators tried to carry out similar attacks against refineries in the US, but were unsuccessful.

The US Department of State offers up to a $10 million reward for information leading to the arrest of any of the four defendants and co-conspirators.


'Future contingency'

According to Hultquist, the information revealed in the indictments provides a glimpse of the FSB's role in Russia's state-sponsored hacking attempts.

'Berzerk Bear' has been involved in repeated attempts to gain access to US and European critical infrastructure across multiple sectors.

"We are concerned that while there have been significant remediation efforts after each of the intrusion campaigns, the actor may retain some access," Hultquist said.

Notably, Russia's threat actors have not carried out disruptive attacks so far; instead, they have aimed to implant themselves in critical infrastructure for a future contingency.

"Our concern with recent events is that this might be the contingency we have been waiting for," Hultquist explained.

'It's coming'

US President Joe Biden urged American businesses to invest as much as possible in cybersecurity, as American intelligence believes Russia is preparing a cyberattack.

"And as I've said, the magnitude of Russia's cyber capacity is fairly consequential, and it's coming," President Biden said.

The FBI also warned that it had seen increased interest by Russian hackers in energy companies since the start of Russia's war against Ukraine.

Russian hackers are believed to have scanned at least five energy companies for vulnerabilities and at least 18 other companies in critical sectors.

The tension nears a boiling point, one month after Russia invaded Ukraine, kickstarting a war Europe hasn't seen for decades.

Over 10 million Ukrainians have been displaced since the start of the conflict, with over 3 million fleeing the country.
