
Feds Allege Russian Hackers Targeted US Refineries


For several years, the hackers behind the malware known as Triton or Trisis have stood out as a unique and dangerous threat to critical infrastructure: a group of digital intruders attempting to sabotage industrial safety systems, with physical, potentially catastrophic results. Now the US Department of Justice has named one of the hackers in that group and confirmed that their targets included a US company that owns multiple oil refineries.

On Thursday, just days after the White House warned of potential cyberattacks on critical US infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department published a pair of indictments that together outline a years-long Russian campaign against US energy facilities. In one set of charges, filed in August 2021, authorities named three officers of Russia's FSB intelligence service accused of being members of a notorious hacking group known as Berserk Bear, Dragonfly 2.0, or Havex, which is known for targeting electrical utilities and other critical infrastructure worldwide and has long been suspected of working in the service of the Russian government.

The second indictment, filed in June 2021, lays out the charges against a member of an arguably more dangerous group of hackers: a Russian group known variously as the Triton or Trisis actor, Xenotime, or Temp.Veles. That latter group not only targeted energy infrastructure around the world but also took the rare step of causing real disruption at Saudi Arabia's Petro Rabigh refinery in 2017, infecting its network with potentially destructive malware and, the indictment alleges for the first time, attempting to break into an American oil refinery with similar intentions. At the same time, a new advisory from the FBI's cyber division warns that Triton "remains [a] threat" and that the hacker group associated with it "continues to conduct operations targeting the global energy sector."

Gladkikh and his accomplices at a Russian research institute are accused of being members of the dangerous Triton hacker group. Courtesy of the FBI

The indictment of Evgeny Viktorovich Gladkikh, an employee at the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (commonly abbreviated as TsNIIKhM), charges that he and his unnamed accomplices developed the Triton malware and deployed it to sabotage Petro Rabigh's safety instrumented systems, devices designed to automatically monitor and respond to unsafe conditions. Hacking those safety systems could have led to a catastrophic leak or explosion, but instead triggered a fail-safe mechanism that shut down the Saudi Arabian plant's operations twice. Prosecutors also suggested that Gladkikh and his associates appeared to have tried to cause a similar disruption at a specific but unnamed U.S. refinery, without success.

Joe Slowik, a researcher at security firm Gigamon who analyzed the Triton malware when it first emerged and has been tracking the hackers behind it for years, said: "I got confirmation from the government. We have an entity that is playing with a safety system in a high-risk environment, and trying to do that not only in Saudi Arabia but also in the United States."

The indictment alleges that in February 2018, just two months after the Triton malware deployed at Petro Rabigh was discovered by the cybersecurity companies FireEye and Dragos, staff at TsNIIKhM began researching U.S. refineries, looking for U.S. government research papers that might detail which U.S. refineries have the highest capacity, the potential impact of a fire or explosion at such facilities, and their vulnerability to nuclear attacks or other disasters.
