US charges four Russians for cyber hacks on energy sector

The United States has charged four Russian government staff for perpetrating a wave of cyberattacks targeting the energy industry and thousands of computers in the US  and globally between 2012 and 2018 across 135 countries.

The department while unsealing two separate indictments, maintained that the four Russian defendants were involved in attempting, supporting and conducting computer intrusions for nearly six years.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco.

“Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defences and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks,” she said.

According to the indictment shared by DOJ, the energy sector campaign involved two phases. The first phase, which happened from 2012 to 2014 and is commonly referred to by cyber security researchers as “Dragonfly” or “Havex,” the conspirators are perpetrated a supply chain attack, compromising the computer networks of ICS/SCADA system manufacturers and software providers and then hiding malware (Havex) – inside legitimate software updates for such systems.

During that phase, there were ‘spearphishing’ and “watering hole” attacks, wherein the conspirators had installed malware on more than 17,000 unique devices in the US and abroad, including ICS/SCADA controllers used by power and energy.

The second phase, which between 2014 and 2017 and is commonly referred to as “Dragonfly 2.0,” the conspirators transitioned to more ‘targeted compromises’ that zeroed in on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. The perpetrator’s tactics included ‘spearphishing’ attacks targeting more than 3,300 users at more than 500 US and international companies and entities, in addition to US government agencies such as the Nuclear Regulatory Commission, as per the indictment.