The Department of Justice recently unsealed an indictment charging three Russian nationals with attempting, supporting, and conducting computer intrusions that targeted the global energy sector between 2012 and 2017. One of the targets was Wolf Creek Nuclear Operating Corporation, operator of the single-unit 1200-MWe Wolf Creek nuclear plant near Burlington, Kans.
Nuclear News reported on the breach of Wolf Creek’s business network in its August 2017 issue, noting the company’s assurance that there had been “absolutely no operational impact” on the plant. (Nuclear facilities’ safety and control systems are, as a matter of course, not connected to business networks or the Internet.) At the time, U.S. authorities had not identified the hackers.
Specifics: According to a March 24 DOJ press release, a federal grand jury in Kansas City, Kans., returned an indictment in August 2021 charging three officers of Russia’s Federal Security Service with computer fraud and abuse, wire fraud, and aggravated identity theft, and with causing damage to the property of an energy facility.
The officers—Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov—were members of an operational unit known among cybersecurity researchers as Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti, the DOJ said.
The indictment alleges that between 2012 and 2017, Akulov, Gavrilov, and Tyukov engaged in computer intrusions, including supply chain attacks, to further the Russian government’s efforts to gain access to the computer networks of companies and organizations in the international energy sector.
Specifically, the defendants targeted the software and hardware that control equipment in power generation facilities, known as industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems.
The hacking campaign involved two phases, according to the indictment. In the first phase, which took place between 2012 and 2014, the defendants engaged in a supply chain attack, compromising the computer networks of ICS/SCADA system manufacturers and software providers and then hiding malware inside legitimate software updates for such systems.
In the second phase, which took place between 2014 and 2017, the alleged hackers are said to have transitioned to more targeted attacks that focused on specific energy sector entities and individuals, including engineers who worked with ICS/SCADA systems. As stated in the indictment, the hackers’ tactics included spear-phishing attacks targeting over 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission. In some cases the attacks were successful, the indictment noted, including the compromise of Wolf Creek’s business network.
The indictment charges Akulov et al. with conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum of 20 years. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing computer damage, offenses that carry maximum prison terms ranging from five to 20 years, and with three counts of aggravated identity theft, each of which carries a minimum of two years consecutive to any other sentence imposed.