On March 24, the Department of Justice unsealed indictments against three Russians alleged to be responsible for a long-running and persistent campaign to target and infiltrate the networks of critical infrastructure in the United States and worldwide.
The charges allege Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov were part of a Russian intelligence operational unit that security experts dubbed “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.” The unit is part of an entity called Center 16 in the Russian Federal Security Service (FSB)—a successor agency to the Soviet KGB.
The alleged operation occurred in two phases. The first involved deploying a custom malware implant known to cybersecurity experts as Havex, which infected a significant number of organizations in the global energy sector. The second phase included targeted compromises of energy sector entities and individuals and engineers who worked with industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Collectively, these intrusions could have had a devastating impact on energy delivery worldwide.
The first phase stretched between at least 2012 and 2014 and resulted in Havex being downloaded onto more than 17,000 unique devices in the United States and other nations. An FBI intelligence analyst who worked on the case said the group had used a combination of techniques to deploy Havex, including sweeping efforts to cast a wide net across the global energy sector, but also well-researched and targeted techniques to reach specific companies and individuals.
Among the more alarming techniques used with Havex was the conspiracy’s compromise of a company that manufactures equipment and software used by ICS/SCADA systems. These are the control and safety mechanisms that exist within energy production facilities and other operational environments. For safety reasons, these are typically closed systems. But because the group had gained access into the systems of a company that provides a component of these systems, they were able to hide their malware within software updates offered by the company—a technique known as a supply chain attack.
Regardless of how the Havex malware was deployed, the analyst said it could be tailored for a variety of uses, including gathering credentials and scanning for human-machine interfaces. “That means the ways a human may interface with the system to tell it what to do,” he said. “If that interface is connected to a network, you have the potential for a remote actor to send instructions to a critical network.” In 2014, the group ceased using Havex after it was publicly exposed, and they began evolving the operation.
The second phase involved targeted intrusions of energy sector companies, including an intrusion in 2017 of the business network of a nuclear power plant in Kansas. This business network was not directly connected to any ICS/SCADA devices. An FBI special agent who investigated the case said they found no evidence that the hackers took any sensitive data of intelligence value, and it appeared the goal was simply to gain and maintain access. “Meaning that, at a later date, they could have used this access to affect or damage the energy grid or other critical operations within the United States,” the agent explained.
The Kansas intrusion in 2017 was part of a multipronged attack. “When we peeled away at the onion, we found this was a much larger campaign targeting the global energy sector to the tune of about 500 companies worldwide,” said the agent. “We believe they targeted nearly 3,300 people through a months-long spearphishing campaign.” As part of this phase, the group is also accused of breaching the network of a U.S. construction company. Access to that network allowed the group to send legitimate looking emails with the resume of an individual claiming to have industry-specific skills. The resume contained malicious code that victims could inadvertently download when they reviewed the document.
The group had also compromised multiple websites, including those of industry publications read by engineers in the energy sector. Those sites became what cybersecurity experts call watering holes, where the site itself is seeded with malicious code that visitors can inadvertently download.
Investigators came to understand the group’s efforts in 2017 were a continuation of activity stretching back to their use of Havex years before, demonstrating Russia’s concerted efforts over many years to gain access to U.S. critical infrastructure. This group is still in operation, and it continues to evolve.
The analyst said some of the most disturbing elements in this case were signs that, as the group’s efforts evolved, they sought ways to re-access these systems without leaving detectable evidence. “Essentially, they wanted to steal the keys to the door, so they no longer needed to stick something in the doorjamb or leave something else behind,” he said. “It’s a stealthier way to maintain long-term access and a clear indication that the intent was to have that access available if they needed it in the future.”
All of this highlights why law enforcement action is so important. By naming these individuals, we limit their ability to travel outside of Russia, limit their future usefulness to their intelligence service employer, and limit future employment options with law-abiding private sector entities. All of this may also cause other Russian citizens with cyber skills to choose a more respectable employment path that does not limit their future opportunities. It also puts more attention and pressure in the international community on nation-states and the cybercriminals they sponsor, since exposing Russia’s activity against the energy sectors and critical infrastructure of countries worldwide shows Russia’s willingness and intent to engage in disruptive, destabilizing, and often counter-normative activity, even in peacetime.
This case is also a reminder that cybersecurity must be a priority for every organization—even those who don’t work with sensitive materials or on critical infrastructure. “In this case and so many others, victim companies that provide an easier entry point can provide criminals a way into higher-level, more critical targets,” the agent said. “Cybersecurity is quite simply at the heart of our national security.”