Two days after Norwood congressman Rep. Ritchie Torres (NY-15) called, on Tuesday, March 22, for an investigation into the Russian diplomatic compound at 355 W 255th Street in the Riverdale section of the Bronx, and amid the ongoing Russian invasion of Ukraine, the FBI announced on Thursday, March 24, that four Russian government employees have been charged in two historical hacking campaigns targeting critical infrastructure worldwide.
The Department of Justice unsealed two charges on Thursday against four defendants, all Russian nationals who worked for the Russian government, for attempting, supporting and conducting computer intrusions (hacking) that, in two separate conspiracies, together targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers at hundreds of companies and organizations in approximately 135 countries. The Center for Strategic and International Studies tracks significant cyber attacks.
According to the FBI, a June 2021 charge returned in Washington D.C., United States v. Evgeny Viktorovich Gladkikh, concerns the alleged efforts of an employee of a Russian Ministry of Defense research institute and his co-conspirators to damage critical infrastructure outside the United States, thereby causing two separate emergency shutdowns at a foreign targeted facility. They are alleged to have subsequently attempted to hack the computers of a U.S. company that managed similar critical infrastructure entities in the United States.
A few months later, an August 2021 charge returned in the District of Kansas, United States v. Pavel Aleksandrovich Akulov, et al., details allegations about a separate, two-phased campaign undertaken by three officers of Russia’s Federal Security Service (FSB) and their co-conspirators to target and compromise the computers of hundreds of entities related to the energy sector worldwide. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing.
In the context of the announcement, Deputy U.S. Attorney General Lisa O. Monaco said, “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world.” Monaco added, “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”
Meanwhile, FBI Deputy Director Paul Abbate said the FBI, along with federal and international partners, was laser-focused on countering the significant cyber threat Russia posed to the country’s critical infrastructure. “We will continue to identify and quickly direct response assets to victims of Russian cyber activity; to arm our partners with the information that they need to deploy their own tools against the adversary; and to attribute the misconduct and impose consequences both seen and unseen,” he said.
U.S. Attorney Matthew M. Graves for the District of Columbia said the country faced no greater cyber threat than actors seeking to compromise critical infrastructure, offenses which he said could harm those working at affected plants as well as the citizens who depend on them. “The department and my office will ensure that those attacking operational technology will be identified and prosecuted,” he said.
For his part, U.S. Attorney Duston Slinkard for the District of Kansas, said, “The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today’s world.” He added, “We must acknowledge there are individuals actively seeking to wreak havoc on our nation’s vital infrastructure system, and we must remain vigilant in our effort to thwart such attacks. The Department of Justice is committed to the pursuit and prosecution of accused hackers as part of its mission to protect the safety and security of our nation.”
In addition to unsealing these charges, according to the FBI, the U.S. government is also taking action to enhance private sector network defense efforts and disrupt similar malicious activity. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already released numerous technical alerts, ICS alerts and malware analysis reports regarding Russia’s malign cyber activities, including the campaigns discussed in the indictments. These are located at: https://www.cisa.gov/shields-up.
Regarding the offense charging Evgeny Viktorovich Gladkikh, 36, a computer programmer employed by an institute affiliated with the Russian Ministry of Defense, according to the charge, between May and September 2017, the defendant and co-conspirators hacked the systems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton” or “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation.
The conspirators allegedly designed the Triton malware to prevent the refinery’s safety systems from functioning, i.e., by causing the industrial control system (ICS) to operate in an unsafe manner while appearing to operate normally, granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm. However, FBI officials said that when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations.
Between February and July 2018, the conspirators researched similar refineries in the United States, which were owned by a U.S. company, and unsuccessfully attempted to hack the U.S. company’s computer systems. The three-count charge alleges that Gladkikh was an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics or “TsNIIKhM,” Applied Developments Center (hereinafter “ADC”).
On its website, which was modified after the Triton attack became public, TsNIIKhM described itself as the Russian Ministry of Defense’s leading research organization. The ADC, in turn, publicly asserted that it engaged in research concerning information technology-related threats to critical infrastructure, i.e., that its research was defensive in nature.
The defendant is charged with one count of conspiracy to cause damage to an energy facility, which carries a maximum sentence of 20 years in prison, one count of attempt to cause damage to an energy facility, which carries a maximum sentence of 20 years in prison, and one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison.
The Russian Diplomatic Compound in the #Bronx is shrouded in secrecy & may pose a threat to our national security. I’m calling on the @FBI & @TheJusticeDept to conduct an investigation into the Compound & bring to light the activities going on behind closed doors. pic.twitter.com/bcVMZZEIZh
— Rep. Ritchie Torres (@RepRitchie) March 22, 2022
Assistant U.S. Attorneys Christopher B. Brown and Luke Jones for the District of Columbia, in partnership with the National Security Division’s Counterintelligence and Export Control Section, are prosecuting this case. The FBI’s Washington field office conducted the investigation.
FBI officials said the U.S.-based targets of the conspiracy cooperated and provided valuable assistance in the investigation. The Department of Justice and the FBI also expressed appreciation to Schneider Electric for its assistance in the investigation, particularly noting the company’s public outreach and education efforts following the overseas Triton attack.
On Aug. 26, 2021, a federal grand jury in Kansas City, Kansas, returned a charge against three computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Military Unit 71330 or “Center 16” of the FSB, for violating U.S. laws related to computer fraud and abuse, wire fraud, aggravated identity theft and causing damage to the property of an energy facility.
The FSB hackers, Pavel Aleksandrovich Akulov, 36, Mikhail Mikhailovich Gavrilov, 42, and Marat Valeryevich Tyukov, 39, were members of a Center 16 operational unit, known among cybersecurity researchers as “Dragonfly,” “Berzerk Bear,” “Energetic Bear,” and “Crouching Yeti.”
The charge alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators, engaged in computer intrusions, including supply chain attacks, in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.
Specifically, the conspirators targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing.
According to the charge, the energy sector campaign involved two phases. In the first phase, which took place between 2012 and 2014 and is commonly referred to by cyber security researchers as “Dragonfly” or “Havex,” the conspirators engaged in a supply chain attack, compromising the computer networks of ICS/SCADA system manufacturers and software providers and then hiding malware – known publicly as “Havex” – inside legitimate software updates for such systems.
After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices. Through these and other efforts, including spear-phishing and “watering hole” attacks, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.
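The Havex phase described above worked because customers installed vendor updates without any way to tell a genuine package from one that had been repackaged with a backdoor. The usual defence is for the vendor to publish a signed manifest of per-file digests and for the customer-side installer to refuse anything that does not match it. The script below is an added illustration of that check and is not code from the indictment, the vendor, or any of the products mentioned; the file contents, file names and the publisher key are constructed, and an HMAC over the manifest stands in for the asymmetric signature a real publisher would use.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a publisher signing key. A real vendor signs with an
# asymmetric key (e.g. Ed25519/RSA) and customers pin the public half; HMAC is
# used here only so the example runs with the standard library.
PUBLISHER_KEY = b"constructed-publisher-key-not-real"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Stable serialisation so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, version: str, key: bytes) -> dict:
    """Publisher side: digest every shipped file, then sign the whole list."""
    body = {
        "version": version,
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }
    signature = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_update(files: dict, manifest: dict, key: bytes) -> tuple:
    """Customer side: returns (ok, reason). Nothing is installed unless ok."""
    body = manifest["body"]
    expected_sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # 1. The manifest itself must be authentic, or its digests mean nothing.
    if not hmac.compare_digest(expected_sig, manifest["signature"]):
        return False, "manifest signature invalid"
    listed = body["files"]
    # 2. Any file the publisher did not list is an unexpected payload.
    for name in sorted(files):
        if name not in listed:
            return False, f"unlisted file in package: {name}"
    # 3. Every listed file must be present and byte-for-byte as published.
    for name, digest in listed.items():
        if name not in files:
            return False, f"missing file: {name}"
        if not hmac.compare_digest(sha256_hex(files[name]), digest):
            return False, f"digest mismatch: {name}"
    return True, "ok"


# Constructed sample update package (names and bytes are invented).
GENUINE_UPDATE = {
    "ics_driver.bin": b"\x7fELF constructed genuine driver build 4.2",
    "installer.sh": b"#!/bin/sh\ncp ics_driver.bin /opt/ics/\n",
}
MANIFEST = sign_manifest(GENUINE_UPDATE, "4.2", PUBLISHER_KEY)

# Case A: the driver binary is modified after signing.
TROJANIZED_UPDATE = dict(GENUINE_UPDATE)
TROJANIZED_UPDATE["ics_driver.bin"] = GENUINE_UPDATE["ics_driver.bin"] + b"<appended payload>"

# Case B: an extra component is slipped into the package.
EXTRA_FILE_UPDATE = dict(GENUINE_UPDATE)
EXTRA_FILE_UPDATE["update_helper.exe"] = b"constructed unexpected binary"

# Case C: the manifest digest is edited to match the modified driver, but the
# attacker cannot produce a valid signature, so the original one is reused.
FORGED_MANIFEST = {"body": json.loads(json.dumps(MANIFEST["body"])),
                   "signature": MANIFEST["signature"]}
FORGED_MANIFEST["body"]["files"]["ics_driver.bin"] = sha256_hex(TROJANIZED_UPDATE["ics_driver.bin"])


if __name__ == "__main__":
    for label, pkg, man in [
        ("genuine", GENUINE_UPDATE, MANIFEST),
        ("trojanized", TROJANIZED_UPDATE, MANIFEST),
        ("extra file", EXTRA_FILE_UPDATE, MANIFEST),
        ("forged manifest", TROJANIZED_UPDATE, FORGED_MANIFEST),
    ]:
        print(f"{label:16s} -> {verify_update(pkg, man, PUBLISHER_KEY)}")
```

The check only helps if the key used to verify is pinned out of band (shipped with the installer or fetched from a channel the update server cannot alter); if the verification key travels alongside the update, a compromised download server can simply replace both.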
In the second phase, which took place between 2014 and 2017 and is commonly referred to as “Dragonfly 2.0,” the conspirators transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. As alleged in the charge, the conspirators’ tactics included spear-phishing attacks, targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.
In some cases, the spear-phishing attacks were successful, including in the compromise of the business network (i.e., computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.
During the Dragonfly 2.0 phase, the conspirators also undertook a watering hole attack by compromising servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers through publicly known vulnerabilities in content management software. When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers. The hacking campaign targeted victims in the United States and in more than 135 other countries.
Akulov, Gavrilov and Tyukov are charged with conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers.
These offenses carry maximum sentences ranging from five to 20 years in prison. Finally, Akulov and Gavrilov are also charged with three counts of aggravated identity theft, each of which carries a minimum sentence of two years consecutive to any other sentence imposed.
Assistant U.S. Attorneys Scott Rask, Christopher Oakley and Ryan Huschka for the District of Kansas, counsel for cyber investigations, Ali Ahmad, and trial attorney, Christine Bonomo, of the National Security Division’s Counterintelligence and Export Control Section are prosecuting this case. The FBI’s Portland and Richmond field offices conducted the investigation, with the assistance of the FBI’s Cyber Division. Numerous victims, including Wolf Creek and its owners Evergy and the Kansas Electric Power Cooperative, cooperated and provided invaluable assistance in the investigation, FBI officials said.
A person arrested and charged with a crime is innocent unless and until convicted in a court of law. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Norwood News asked the FBI if any of the four defendants live or have lived at the Bronx Russian Diplomatic compound, and will update this story upon receipt of any response.
As reported, New York State Joint Commission on Public Ethics (JCOPE) recently provided an update on the cyberattack reported on its systems at the end of February. The commission reported that it had learned that it had been the target of a deliberate malicious cyberattack, specifically to the web server that houses, among other systems, JCOPE’s Lobbying Application and Financial Disclosure Statement Online Filing System.
Meanwhile, according to Torres, the Russian Riverdale compound is believed to be home to Russian foreign agents and spies who, Torres’ office said, may be gathering sensitive information on the United States. On March 21, the congressman said he was introducing the “Reveal Risky Business in Russia Act.” If passed, it would require U.S. companies to publicly disclose if they have business ties to Russia or any other country that has invaded a sovereign nation. The legislation aims to hold companies accountable for refusing to denounce Russia’s invasion of Ukraine, and to disincentivise countries from engaging in what was described as amoral business practices with oppressive governments.
While 400 companies have withdrawn from Russia, according to the Yale School of Management, many others are refusing to do so. The bill also requires such companies to report on other companies that do business with the Russian government or the government of another country that has invaded or annexed the territory of another country. We asked Torres’ office about the scope of the bill, since there are currently several areas of ongoing conflict around the world which stem from the invasion of independent territories. A representative responded, saying, “It would just be from the point of law enactment, and forward.”