Monday, March 28, 2022

US: four Russian hackers indicted

Four Russian hackers with links to the Russian intelligence service FSB and to the Ministry of Defense have been indicted over attempts to infiltrate energy companies, SPON reports:

The US government on Thursday unsealed indictments against four Russian citizens, whom it accuses of having hacked numerous energy companies around the world on behalf of the FSB intelligence service and the Ministry of Defense.

The charges relate to cases that go back several years. In the US, indictments can be filed under seal, ready to be made public at any time; these two date from June and August of last year. The US authorities have now judged the time right to unseal them.

They are two separate indictments, but they have one thing in common: the hacking activities they describe are sophisticated and were carried out over a long period. They are not aimed at short-term effects but consist of targeted, well-prepared intrusions in which malware is to be smuggled into the systems of critical-infrastructure companies, in order to manipulate their operation on a »Day X« chosen by the attacker, or even to shut them down entirely as an act of sabotage.

It is this type of cyber attack that most worries security agencies around the world. An infiltrated energy infrastructure, which in the extreme case could be switched off by malicious actors, is considered a nightmare scenario.

The first new US indictment is directed against a 36-year-old Russian, Evgeny G., who is said to work for a leading research institute of the Russian Defense Ministry. Between May and September 2017, he and his accomplices are said to have penetrated the safety systems of a refinery outside the US, which the indictment does not identify, and to have tried to install malware known as Triton there.

According to the prosecution, the attackers could have used the code to manipulate and deactivate the safety system from the French company Schneider Electric in use there, without the refinery employees noticing anything on their control monitors. The malicious code would have reported that systems were operating normally and had the potential to damage the refinery's equipment, cause economic damage and even injure employees, US prosecutors said.

However, the attempt failed: the Schneider Electric systems responded to two attempts to upload the manipulation code with an emergency shutdown, which is exactly the fail-safe behaviour such safety controllers are designed for. The hackers were apparently not discouraged. According to the indictment, they spent months the following year trying the same against similar refineries in the US, also without success. In the extremely unlikely event of extradition to the United States and a conviction on all three counts, Evgeny G. would face up to 45 years in prison.

Triton attacks on Saudi plants running Schneider Electric technology became known in 2017. The IT security company FireEye had already suspected Russian authorship at the time and pointed to traces leading to a Moscow research institute. The international IT security community reacted with alarm because the Schneider Electric safety systems the hackers targeted are used in oil, gas and nuclear power plants worldwide. According to experts, the attacks in Saudi Arabia could have had catastrophic consequences had they succeeded, up to and including toxic gas leaks and explosions.

The second indictment now published by the United States likewise concerns years of sophisticated, multi-stage attempts to attack facilities in the energy industry, in tens of thousands of cases and in more than 135 countries, including the United States and Germany. It is aimed at three employees of FSB unit 71330, named and identified with portrait photos, who are said to belong to a hacker group known in security circles for around a decade under names such as "Energetic Bear", "Dragonfly" and "Crouching Yeti".

The three FSB men are accused of having targeted the control and monitoring systems of such facilities from 2012 onwards. Using targeted phishing emails and other methods such as malware-laced software updates (supply-chain attacks), they are said to have succeeded in more than 17,000 cases in installing their »Havex« malicious code on victims' devices, including those of electricity suppliers and other companies in the energy industry.

In a second phase, which the indictment calls "more targeted", they sent phishing emails to more than 3,300 employees of more than 500 international companies from 2014 onwards and subsequently infiltrated many systems. One target was the Wolf Creek company in the US state of Kansas, which operates a nuclear power plant. However, the attackers got no further than the business network (accounting and administration); according to the indictment, they did not penetrate the plant's control systems, so the compromise stayed on the IT side of the IT/OT boundary.

If the three defendants, aged 36, 39 and 42, are ever found guilty by a US court, they face maximum sentences of between 25 and 47 years in prison, depending on the defendant. Hackers working for the Russian government are "a serious and ongoing threat to the energy industry in the United States and the rest of the world," one of the responsible US prosecutors said when the indictments were published.

It is hardly a coincidence that the US authorities are making them public now. Only this past Monday, US President Joe Biden warned of Russian cyber attacks and spoke of indications that the Kremlin was considering new attacks in response to the sanctions. His demand to companies: "Harden your cyber defenses, immediately!"

In Germany, too, there is considerable nervousness. The security authorities have been warning of possible attacks by Vladimir Putin's cyber troops for weeks. The intelligence service fears that the sanctions against Russia and the arms deliveries to Ukraine have further increased the risk of attacks "against German bodies, including companies." The authorities are convinced that the Russian services "undoubtedly" have the ability to "considerably and permanently sabotage" critical infrastructure as well as military facilities and political institutions.

In the past, the authorities have repeatedly warned about the hackers of the "Berserk Bear" group, a name under which the same Energetic Bear/Dragonfly activity is also tracked, and its "long-term" activities in the energy sector, "pursued with great effort". German targets are in the group's sights, they said. Concrete waves of attacks by the group on targets in Germany were observed in 2018 and 2020.

The US government has been pursuing its "naming and shaming" strategy for several years. Special Counsel Robert Mueller indicted a dozen Russian intelligence officers in 2018 over the hacking of the 2016 presidential election campaign. Seven more GRU officers were named and charged just months later, and a further six in 2020.

As a rule, the charges have no direct effect, because Russia has no extradition agreement with the US and, in any case, would not hand over its state hackers. But for one thing, those named now know that they must expect arrest should they travel abroad. For another, the US is presumably concerned with sending a signal, along the lines of: »We see what you think you are doing in secret; we are technically superior to you.«

The signal may also work inwards: a threat with human faces may be taken more seriously than abstract references to intelligence-service hackers.

See the indictments below:
