Russian agents charged with targeting U.S. nuclear plant, Saudi oil refinery

FILE PHOTO: The crest of the United States Department of Justice is seen at its headquarters in Washington, D.C.
FILE PHOTO: The crest of the United States Department of Justice is seen at its headquarters in Washington, D.C., U.S., May 10, 2021. REUTERS/Andrew Kelly/File Photo

March 24, 2022

By Sarah N. Lynch and Raphael Satter

WASHINGTON (Reuters) – U.S. and British officials on Thursday accused the Russian government of running a years-long campaign to hack into critical infrastructure, including an American nuclear plant and a Saudi oil refinery.

The announcement was paired with the unsealing of criminal charges against four Russian government officials, whom the U.S. Department of Justice accused of carrying out two major hacking operations aimed at the global energy sector. Thousands of computers in 135 countries were affected between 2012 and 2018, U.S. prosecutors said.

Cyber security analysts described the moves as a shot across the bow to Moscow after U.S. President Joe Biden warned just days ago about “evolving intelligence” that the Russian government may be preparing cyberattacks against American targets.

John Hultquist, whose firm Mandiant investigated the Saudi refinery hack, said that by making the criminal charges public the United States has “let them know that we know who they are.”

In one of the two indictments unsealed on Thursday and dated June 2021, the Justice Department accused Evgeny Viktorovich Gladkikh, a 36-year-old Russian ministry of defense research institute employee, of conspiring with others between May and September 2017 to hack the systems of a foreign refinery and install malware known as “Triton” on a safety system produced by Schneider Electric.

The refinery wasn’t named, but the British government said it was in Saudi Arabia and it has previously been identified as the Petro Rabigh refinery complex on the Red Sea coast.

In a second indictment, dated August 2021, the Justice Department said three other suspected hackers from Russia’s Federal Security Service (FSB) carried out cyberattacks on the computer networks of oil and gas firms, nuclear power plants, and utility and power transmission companies between 2012 and 2017 – a campaign researchers have long attributed to a group sometimes dubbed “Energetic Bear” or “Berserk Bear.”

The Russian Embassy in Washington did not immediately return a message seeking comment.

The three accused Russians in the second case are Pavel Aleksandrovich Akulov, 36, Mikhail Mikhailovich Gavrilov, 42, and Marat Valeryevich Tyukov, 39. None of the four defendants have been arrested, a U.S. official said.

Britain’s Foreign Office said that the FSB hackers targeted the systems controlling the Wolf Creek nuclear plant in Kansas “but failed to have any negative impact.”

“Russia’s targeting of critical national infrastructure is calculated and dangerous,” UK foreign secretary Liz Truss said in a statement. She said it showed Russian President Vladimir Putin “is prepared to risk lives to sow division and confusion among allies.”

A Justice Department official told reporters that even though the hacking at issue in the two cases occurred years ago, investigators remained concerned Russia will carry out similar attacks in future.

“These charges show the dark art of the possible when it comes to critical infrastructure,” the official said.

The official added that the department decided to unseal the indictments because they determined the “benefit of revealing the results of the investigation now outweighs the likelihood of arrests in the future.”

The 2017 Saudi refinery attack stunned the cybersecurity community when it was made public by researchers later that year because – unlike typical digital intrusions aimed at stealing data or holding it for ransom – it appeared aimed at causing physical damage to the facility itself by disabling its safety system. U.S. officials have been tracking the case ever since.

In 2019, those behind Triton were reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.

Two weeks before the 2020 U.S. presidential election the U.S. Treasury Department imposed sanctions on the Russian government-backed Central Scientific Research Institute of Chemistry and Mechanics. Prosecutors believe Gladkikh worked there. On Thursday, British officials also announced sanctions on the institute.

The Foreign Office said FSB hackers had targeted British energy companies and successfully stolen data from the U.S. aviation sector. It also accused the hackers of trying to compromise an employee of Mikhail Khodorkovsky, a former oil tycoon who fell afoul of the Kremlin and now lives in London.

(Reporting by Sarah N. Lynch and Raphael Satter in Washington; Editing by Marguerita Choy and Grant McCool)