For years, the hackers behind the malware known as Triton or Trisis stood out as a uniquely dangerous threat to critical infrastructure: a group of digital intruders who attempted to sabotage industrial safety systems, with physical, potentially catastrophic, consequences. Now the US Department of Justice has put a name to one of the hackers in that group, and confirmed that one of their targets was a US company that owns multiple oil refineries.
On Thursday, just days after the White House warned of possible cyberattacks on US critical infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department unsealed a pair of indictments that together describe a years-long campaign of Russian state hacking against US energy facilities. In one set of charges, filed in August 2021, authorities name three officers of Russia's FSB intelligence agency accused of being members of a notorious hacking group known as Berserk Bear, Dragonfly 2.0 or Havex, which is known for attacking electric utilities and other critical infrastructure worldwide and is widely suspected of working in the service of the Russian government.
The second indictment, filed in June 2021, concerns charges against a member of an arguably more dangerous team of hackers: a Russian group known as the Triton or Trisis actor, Xenotime or Temp.Veles. That second group not only focused on global energy infrastructure but in 2017 also took the rare step of actually disrupting the Saudi oil refinery Petro Rabigh, infecting its networks with potentially destructive malware. According to the indictment, which reveals this detail for the first time, the group also attempted to break into a US oil refinery company with apparently similar intentions. At the same time, a new advisory from the FBI's cyber division warns that Triton "remains [a] threat," and that the hacker group associated with it "continues to conduct activities targeting the global energy sector."
The indictment of Evgeny Viktorovich Gladkikh, a staffer at the Kremlin-affiliated Central Scientific Research Institute of Chemistry and Mechanics (commonly abbreviated TsNIIKhM), accuses him and unnamed conspirators of developing the Triton malware and using it to sabotage Petro Rabigh's so-called safety instrumented systems, devices intended to automatically monitor and respond to unsafe conditions. Tampering with those safety systems could have led to disastrous leaks or explosions, but instead it triggered a fail-safe mechanism that shut down the Saudi plant's operations twice. Prosecutors also suggest that Gladkikh and his associates attempted to inflict a similar disruption on a specific, but undisclosed, US oil refinery company, and failed.
"Now we have confirmation from the government," said Joe Slowik, a researcher at security firm Gigamon, who analyzed the Triton malware when it first appeared and has tracked the hackers behind it for years. "We have an entity that was playing with a system of safety tools in a high-risk environment. And to try to do that not only in Saudi Arabia but also in the United States is alarming."
According to the indictment, in February 2018, just two months after the Triton malware deployed at Petro Rabigh was discovered by the cybersecurity firms FireEye and Dragos, TsNIIKhM employees began researching US refineries, looking for US government research documents that could identify which US refineries have the most capacity, the potential consequences of fires or explosions at those facilities, and their vulnerability to nuclear attack or other disasters.