The supply-chain attack on the U.S. energy sector targeted thousands of computers at hundreds of organizations, including at least one nuclear power plant.
Originally published by ThreatPost
MARCH 31, 2022
The U.S. Department of Justice (DOJ) has indicted four Russian government employees in connection to plots to cyber-fry critical infrastructure in the United States and beyond, including at least one nuclear power plant.
The campaigns involved one of the most dangerous malwares ever encountered in the operational technology and energy sectors: Triton, aka Trisis, a Russia-linked malware used to shut down an oil refinery in 2017 and another Mideast target in 2019.
Two related indictments were unsealed yesterday: one that named Evgeny Viktorovich Gladkikh (PDF), an employee of the Russian Ministry of Defense, and another (PDF) that named three officers in Military Unit 71330 – or “Center 16” – of Russia’s Federal Security Service (FSB), which is the successor to Russia’s KGB.
Center 16 is the FSB’s main structural unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow and secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. It’s known by cybersecurity researchers as “Dragonfly,” “Energetic Bear” and “Crouching Yeti.”
$10M Reward for Intel on FSB Officers
There’s a reward on the heads of the trio of FSB officers for allegedly hacking a refinery. The State Department said on Thursday that its Rewards for Justice (RFJ) program is offering $10 million for information on the three, whose names are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.
The officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft and damage to an energy facility. The reward marks the first time that RFJ has named a foreign government security personnel under its critical infrastructure reward offer, the State Department said.
Triton was allegedly used in campaigns run between May and September 2017.
Researchers have compared Triton’s targeting of industrial control systems (ICS) to malware used in the watershed attacks Stuxnet and Industroyer/Crashoverride, the latter of which is a backdoor that targets ICS and which took down the Ukrainian power grid in Kiev in 2016. In 2018, research revealed that Industroyer was linked to the massive NotPetya ransomware outbreak that crippled organizations around the world the year before.
According to the indictment, between May and September 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defense, was involved in a campaign to hack global energy facilities “using techniques designed to enable future physical damage with potentially catastrophic effects.” The hacking allegedly led to two separate emergency shutdowns at a foreign facility.
Along with co-conspirators, Gladkikh allegedly hacked the systems of “a foreign refinery” (presumably Saudi oil giant Petro Rabigh) in 2017 and installed Triton/Trisis malware on a safety system produced by Schneider Electric. Triton actually takes its name from the fact that it’s designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was again used to target an undisclosed company in the Middle East.
Triton was designed to prevent the refinery’s safety systems from functioning – “by causing the ICS to operate in an unsafe manner while appearing to be operating normally,” the DOJ said – thereby leaving the refinery open to damage and jeopardizing anybody nearby.
“When the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations,” the DOJ said. Between February and July 2018, Gladkikh and his crew allegedly researched and (unsuccessfully) tried to hack the computer systems used by a U.S. company with similar refineries.
As energy news outlet E&E News reported in 2019, in the early evening of Aug. 4, 2017, two emergency shutdown systems sprang to life at Petro Rabigh’s sprawling refinery along Saudi Arbia’s Red Sea coast. Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline “in a last-gasp effort to prevent a gas release and deadly explosion.”
“[They] spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,” according to E&E News.
Gladkikh has been charged with three counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, and one count of conspiracy to commit computer fraud.
FSB Officers’ Indictment: The Dragonfly Supply-Chain Attack
The indictment that names the FSB officers alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply chain attacks, “in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.”
Specifically, they allegedly targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.
“Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,” according to the DOJ’s press release.
The indictment describes a campaign against the energy sector that involved two phases: The first was a supply-chain attack that was commonly referred to as “Dragonfly” or “Havex” by security researchers. Dragonfly took place between 2012 and 2014 and compromised computer networks of ICS/SCADA system manufacturers and software vendors.
It involved tucking the Havex remote-access trojan (RAT) inside legitimate software updates. According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects and, finally, by infecting the software installers. Three vendor websites were compromised in watering-hole attacks, the ICS-CERT advisory said.
“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” according to the DOJ. The gang allegedly managed to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.
Dragonfly 2.0: Spearphishing a Nuclear Power Plant
Between 2014 and 2017, the campaign entered into what’s commonly referred to as “Dragonfly 2.0,” wherein the suspects allegedly turned their focus to specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.
This second phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
The spearphishing attacks sometimes struck gold, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.
“Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,” according to the DOJ.
Dragonfly 2.0 also entailed a watering-hole attack wherein the alleged attackers exploited publicly known vulnerabilities in content management software (CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers. “When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ said.
The campaign targeted victims in the United States and in more than 135 other countries, the Feds said.
The FSB officers are looking at charges of conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse and conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers. Akulov and Gavrilov are also charged with three counts of aggravated identity theft.
Still Gaping Security Holes in Energy Companies
LookingGlass CEO Gilman Louie, an expert on national security and cybersecurity who regularly shares or analyzes intel with government agencies, told Threatpost on Friday that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They’re a “positive move [that] sends a strong message to cybercrime and nation-state actors globally,” he said via email.
On the less-positive side, a recent LookingGlass cyber profile of the U.S. Energy sector looks grim.
Many energy companies are sitting ducks, with current cybersecurity exposures that have already been exploited by Russian actors in the past, including open ports that enable threat actors to gain full remote access.
The report shares vulnerabilities and exposures that Russian hackers are known to have used. “For years, energy companies have been hammered on securing their operational technology. The Triton attacks show why this is important,” Louie noted.
But he stated that “organizations also need to ensure they’re improving security on their traditional IT side.” He pointed to the Colonial Pipeline attack as an example of how adversaries “didn’t need in-depth knowledge of [operational technology, or OT] to shut down the flow of gas or oil.”
LookingGlass research shows that, across the energy sector, there are vulnerabilities that are more than 5 years old that haven’t been dealt with, and open ports like remote desktop that are “basically unprotected doors into an organization.”
Energy companies need to be patching or updating their systems, Louie said and shutting those open doors: “If they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it’s not easy to exploit.”
When unsealing the indictments, the government noted that it’s taking action to enhance private sector network defense efforts and to disrupt similar malicious activity.
Other security issues that Russian actors have leveraged, which companies need to address immediately before they are used for attacks that could be bigger than those we’ve already seen, include:
- Default Passwords: Exactly what it sounds like. Default passwords are a major attack vector. Not changing default passwords, especially with a tool like Telnet, leaves companies wide open to Russian access to networks.
- Port 161 – SNMP protocol: The Simple Network Management Protocol (SNMP) uses both port 161 and port 162 for sending commands and messages and is being used by Russia to gain access to network devices and infrastructure. Older versions of this protocol are unsecure and allow threat actors to eavesdrop or manipulate data.
- Port 139/445 – SMB: The SMB network port is commonly used for file sharing. Russian groups have successfully targeted this port to execute remote code and to steal information, LookingGlass found.
These are just a few examples of security exposures that threat actors tied directly to Russia have exploited and will likely exploit again within U.S. companies, according to LookingGlass’s research.
It’s not time to wait for a nuclear-level cyber event, given that threat actors are already inside the power infrastructure. Now’s the time for companies to find and mitigate the holes that let them in, Louie said.
“Energy sector entities should be reviewing their digital footprint and taking action to secure their external-facing assets, especially as the threat of Russian cyberattacks intensifies,” he said.
Find out how we can help your organization at https://www.lookingglasscyber.com.