Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on safety systems.

The group of digital intruders who attempted to sabotage industrial safety systems, with physical and potentially catastrophic results, has stood out as a uniquely dangerous threat to critical infrastructure. The US Department of Justice has now put a name to one of the hackers in that group and confirmed that its targets included a US company that owns multiple oil refineries.

On Thursday, just days after the White House warned of potential cyberattacks on US critical infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department released a pair of indictments that outline a years-long campaign of Russian hacking of US energy facilities. In one set of charges, filed in August 2021, authorities name three officers of Russia's FSB intelligence agency accused of being members of a notorious hacking group, called Berserk Bear, Dragonfly 2.0, or Havex, that is known for targeting electrical utilities and other critical infrastructure worldwide.

The second indictment, filed in June 2021, levels charges against a member of an arguably more dangerous team of hackers: a Russian group known variously as the Triton or Trisis actor, Xenotime or Temp.Veles. That second group didn't merely target energy infrastructure worldwide but also took the rare step of inflicting real disruption in the Saudi oil refinery Petro Rabigh in 2017, infecting its networks with potentially destructive malware, and—the indictment alleges for the first time—attempting to break into a US oil-refining company with what appeared to be similar intentions. At the same time, a new advisory from the FBI cyber division warns that Triton "remains [a] threat," and that the hacker group associated with it "continues to conduct activity targeting the global energy sector."
Gladkikh and alleged co-conspirators at a Russian research institute are accused of being members of the uniquely dangerous Triton hacker group.

According to the indictment, Gladkikh, a staffer at the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics, known as TsNIIKhM, and unnamed co-conspirators were responsible for developing and deploying the Triton malware to sabotage Petro Rabigh. The hacking of the plant's safety systems, which triggered the fail-safe shutdown of the Saudi facility, could have led to disastrous leaks or explosions. According to prosecutors, Gladkikh and his associates also tried to disrupt a US oil-refining firm, but failed.

Joe Slowik, a researcher at security firm Gigamon, says that there is now confirmation from the government that an entity was playing around with safety systems, and that attempting to do that in the United States is concerning.