U.S. charges Russian government agents for cyber attacks on critical infrastructure

The U.S. Department of Justice (DoJ) has charged three Russian FSB officers and a programmer working for a Russian military research institute with past attacks against industrial control systems (ICS) operated by critical infrastructure providers.

The charges cover two malware families: the 2017 Triton malware, designed to compromise safety instrumented system (SIS) controllers made by Schneider Electric’s Triconex division, and the 2013 Havex remote access Trojan, which included a module for enumerating supervisory control and data acquisition (SCADA) systems on a network. Both were used against energy sector organizations, including oil and gas firms, nuclear power plants and power transmission companies.

Security researchers have previously attributed both threats to Russian state-sponsored groups, but this is the first time that individuals directly linked to Russian government agencies or organizations have been named in connection with the attacks.

The Triton indictment

The U.S. charged Evgeny Viktorovich Gladkikh, a 36-year-old programmer at the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), for his role in a campaign to hack into oil refineries around the world, including in the U.S. At least one of those attacks resulted in the successful deployment of the Triton malware, which, according to the unsealed indictment, was developed at TsNIIKhM. The institute is one of Russia’s oldest state research centers; it operates under the country’s Ministry of Defense and specializes in developing advanced weapons for space warfare and cyber operations.

The indictment does not name the country or company where Triton was successfully deployed, referring to it only as “victim company 1,” but security researchers believe it is Saudi Arabia’s Petro Rabigh. Triton was discovered in 2017 after a flaw in the malware’s code, once it had been deployed on the refinery’s Triconex SIS controllers, triggered two safety shutdown events.

According to the indictment, Gladkikh was directly involved in the attack. He planted backdoors on machines inside the organization’s network and used that access to study the organization’s safety logs, the results of past safety exercises and the planned response, the software versions running on its logging servers, and the exact model and features of its Triconex SIS devices. He was also directly responsible for deploying the Triton malware on the SIS devices connected to the computers he had backdoored. Those computers were part of the organization’s distributed control system (DCS), and one of them controlled sensitive physical processes involving sulfur recovery and burner management; improper operation of these systems could have led to the release of toxic gases or explosions.

Copyright © 2022 IDG Communications, Inc.
