Security

US charges four Russian spies for hacking Saudi oil facility and US nuclear power plant

Comment

Image Credits: David McNew (opens in a new window) / Getty Images

The U.S. Department of Justice has announced charges against four Russian government employees for a years-long hacking campaign targeting critical infrastructure, including a U.S. nuclear power operator and a Saudi petrochemical facility.

The first indictment, from June 2021, charges Evgeny Viktorovich Gladkikh, 36, a computer programmer at the Russian Ministry of Defense, and two co-conspirators, of planning to hack industrial control systems — the critical devices that keep industrial facilities operational — at global energy facilities. Gladkikh is believed to be behind the infamous Triton malware, which was used to target a petrochemical plant in Saudi Arabia in 2017. Hackers used the malware in an attempt to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Triton was first linked to Russia in October 2018.

Following their failed plot to blow up the Saudi plant, the hackers attempted to hack the computers of a company that managed similar critical infrastructure entities in the U.S, according to the DOJ.

The second indictment, filed in August 2021, charges Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, all allegedly members of Military Unit 71330 of Russia’s Federal Security Bureau (FSB), with a number of attacks targeting the energy sector between 2012 and 2017. The hackers, better known to security researchers as “DragonFly,” “Energetic Bear” and “Crouching Yeti,” attempted to gain access to computer networks of companies in the international energy sector, including oil and gas firms, nuclear power plants and utility and power transmission companies, the DOJ said.

In the first stage of their attacks, which took place between 2012 and 2014, the threat actors compromised the networks of industrial control device makers and software providers, then hid Havex malware inside software updates. This, along with spearphishing and watering hole attacks — a form of attack that targets users by infecting websites that they commonly visit — enabled the attackers to install malware on more than 17,000 unique devices in the United States and abroad.

The second phase, “DragonFly 2.0,” ran from 2014 to 2017 and involved targeting more than 3,300 users at over 500 U.S. and international organizations, including the U.S. government’s Nuclear Regulatory Commission and the Wolf Creek Nuclear Operating Corporation.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said U.S. Deputy Attorney General Lisa Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

John Hultquist, vice president of intelligence analysis at Mandiant, said the indictments provide a glimpse of the FSB’s role in Russia’s state-sponsored hacking attempts, and come as a “warning shot” to the Russian intrusion groups who carry out these disruptive cyberattacks. “These actions are personal and are meant to signal to anyone working for these programs that they won’t be able to leave Russia anytime soon,” he said.

But Hultquist warned that the hackers likely retain access to these networks. “Notably, we have never seen this actor actually carry out disruptive attacks, just burrow into sensitive critical infrastructure for some future contingency,” he told TechCrunch. “Our concern with recent events is that this might be the contingency we have been waiting for.” 

Casey Brooks, a senior adversary hunter at Dragos, which calls the group behind the Triton malware “Xenotime,” told TechCrunch that the indictments are unlikely to deter the hackers.

“These activity groups are well-resourced and can conduct continuous complex operations. While the indictments detail some of these groups’ intrusion activity, their breadth is much greater,” said Brooks. “For example, we know that for Xenotime this is only a fraction of their overall activity. It’s essential to realize that these groups are still active and the indictments will probably do little to deter these adversary groups’ future operations.”

The unsealing of the indictments came three days after President Joe Biden warned of a growing Russian cyber threat against U.S. businesses in response to Western sanctions on Russia for its invasion of Ukraine. It also comes just days after the DOJ indicted six hackers working in the service of Russia’s military intelligence agency, the GRU. The hackers, known as Sandworm, are accused of a five-year spree of attacks, including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide in 2017 and a cyberattack that took down the Ukraine power grid.

The hacker group behind the Triton malware strikes again

More TechCrunch

These messaging features, announced at WWDC 2024, will have a significant impact on how people communicate every day.

At last, Apple’s Messages app will support RCS and scheduling texts

iOS 18 will be available in the fall as a free software update.

Here are all the devices compatible with iOS 18

The tests indicate there are loopholes in TikTok’s ability to apply its parental controls and policies effectively in a situation where the teen user originally lied about their age, as…

TikTok glitch allows Shop to appear to users under 18, despite adults-only policy

Lhoopa has raised $80 million to address the lack of affordable housing in Southeast Asian markets, starting with the Philippines.

Lhoopa raises $80M to spur more affordable housing in the Philippines

Former President Donald Trump picked Ohio Senator J.D. Vance as his running mate on Monday, as he runs to reclaim the office he lost to President Joe Biden in 2020.…

Trump’s VP candidate JD Vance has long ties to Silicon Valley, and was a VC himself

Hello and welcome back to TechCrunch Space. Is it just me, or is the news cycle only accelerating this summer?!

TechCrunch Space: Space cowboys

Apple Intelligence features are not available in the developer beta, which is out now.

Without Apple Intelligence, iOS 18 beta feels like a TV show that’s waiting for the finale

Apple released the public betas for its next generation of software on the iPhone, Mac, iPad and Apple Watch on Monday. You can now test out iOS 18 and many…

Apple’s public betas for iOS 18 are here to test out

One major dissenter threatens to upend Fisker’s apparent best chance at offloading its unsold EVs, a deal that would keep the startup’s bankruptcy proceeding alive and pave the way for…

Fisker has one major objector to its Ocean SUV fire sale

Payments giant Stripe has delayed going public for so long that its major investor Sequoia Capital is getting creative to offer returns to its limited partners. The venture firm emailed…

Major Stripe investor Sequoia confirms $70B valuation, offers its investors a payday

Alphabet, Google’s parent company, is in advanced talks to acquire Wiz for $23 billion, a person close to the company told TechCrunch. The deal discussions were previously reported by The…

Google’s Kurian approached Wiz, $23B deal could take a week to land, source says

Name That Bird determines individual members of a species by identifying distinguishing characteristics that most humans would be hard-pressed to spot.

Bird Buddy’s new AI feature lets people name and identify individual birds

YouTube Music is introducing two new ways to boost song discovery on its platform. YouTube announced on Monday that it’s experimenting with an AI-generated conversational radio feature, and rolling out…

YouTube Music is testing an AI-generated radio feature and adding a song recognition tool

Tesla had internally planned to build the dedicated robotaxi and the $25,000 car, often referred to as the Model 2, on the same platform.

Elon Musk confirms Tesla ‘robotaxi’ event delayed due to design change

What this means for the space industry is that theory has become reality: The possibility of designing a habitation within a lunar tunnel is a reasonable proposition.

Moon cave! Discovery could redirect lunar colony and startup plays

Get ready for a prime week of savings at TechCrunch Disrupt 2024 with the launch of Disrupt Deal Days! From now to July 19 at 11:59 p.m. PT, we’re going…

Disrupt Deal Days are here: Prime savings for TechCrunch Disrupt 2024!

Deezer is the latest music streaming app to introduce an AI playlist feature. The company announced on Monday that a select number of paid users will be able to create…

Deezer chases Spotify and Amazon Music with its own AI playlist generator

Real-time payments are becoming commonplace for individuals and businesses, but not yet for cross-border transactions. That’s what Caliza is hoping to change, starting with Latin America. Founded in 2021 by…

Caliza lands $8.5 million to bring real-time money transfers to Latin America using USDC

Adaptive is a platform that provides tools designed to simplify payments and accounting for general construction contractors.

Adaptive builds automation tools to speed up construction payments

When VanMoof declared bankruptcy last year, it left around 5,000 customers who had preordered e-bikes in the lurch. Now VanMoof is up and running under new management, and the company’s…

How VanMoof’s new owners plan to win over its old customers

Mitti Labs aims to transform rice farming in India and other South Asian markets by reducing methane emissions by 50% and water consumption by 30%.

Mitti Labs aims to make rice farming less harmful to the climate, starting in India

This is a guide on how to check whether someone compromised your online accounts.

How to tell if your online accounts have been hacked

There is a general consensus today that generative AI is going to transform business in a profound way, and companies and individuals who don’t get on board will be quickly…

The AI financial results paradox

Google’s parent company Alphabet might be on the verge of making its biggest acquisition ever. The Wall Street Journal reports that Alphabet is in advanced talks to acquire Wiz for…

Google reportedly in talks to acquire cloud security company Wiz for $23B

Featured Article

Hank Green reckons with the power — and the powerlessness — of the creator

Hank Green has had a while to think about how social media has changed us. He started making YouTube videos in 2007 with his brother, novelist John Green, at a time when the first iPhone was in development, Myspace was still relevant and Instagram didn’t exist. Seventeen years later, posting…

Hank Green reckons with the power — and the powerlessness — of the creator

Here is a timeline of Synapse’s troubles and the ongoing impact it is having on banking consumers. 

Synapse’s collapse has frozen nearly $160M from fintech users — here’s how it happened

Featured Article

Helixx wants to bring fast-food economics and Netflix pricing to EVs

When Helixx co-founder and CEO Steve Pegg looks at Daisy — the startup’s 3D-printed prototype delivery van — he sees a second chance. And he’s pulling inspiration from McDonald’s to get there.  The prototype, which made its global debut this week at the Goodwood Festival of Speed, is an interesting proof…

Helixx wants to bring fast-food economics and Netflix pricing to EVs

Featured Article

India clings to cheap feature phones as brands struggle to tap new smartphone buyers

India is struggling to get new smartphone buyers, as millions of Indians don’t go for an upgrade and continue to be on feature phones.

India clings to cheap feature phones as brands struggle to tap new smartphone buyers

Roboticists at The Faboratory at Yale University have developed a way for soft robots to replicate some of the more unsettling things that animals and insects can accomplish — say,…

Meet the soft robots that can amputate limbs and fuse with other robots

Featured Article

If you’re an AT&T customer, your data has likely been stolen

This week, AT&T confirmed it will begin notifying around 110 million AT&T customers about a data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers. The stolen data contains phone numbers and AT&T records of calls and text messages during a six-month period in…

If you’re an AT&T customer, your data has likely been stolen