For years, the hackers behind the malware known as Triton or Trisis have distinguished themselves as a uniquely dangerous threat to critical infrastructure: a group of digital invaders who attempted to sabotage industrial security systems, with physical, potentially catastrophic consequences. Now, the US Department of Justice has named one of the hackers in that group — confirming that the hackers’ targets were a US company that owns multiple oil refineries.
On Thursday, just days after the White House warned of possible cyber-attacks on US critical infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department unsealed a pair of charges that together represent a years-long campaign of hacking of US energy facilities by Russian authorities. In one set of charges, filed in August 2021, authorities name three officers from Russia’s FSB intelligence agency accused of being members of a notorious hacking group known as Berserk Bear, Dragonfly 2.0 or Havex, which is known for attacking electric utilities and other critical infrastructure worldwide and is widely suspected of working in the service of the Russian government.
The second indictment, filed in June 2021, concerns charges against a member of an arguably more dangerous team of hackers: a Russian group known as the Triton or Trisis actor, Xenotime or Temp.Veles. That second group not only focused on global energy infrastructure, but in 2017 also took the rare step of actually disrupting the Saudi oil refinery Petro Rabigh, infecting its networks with potentially destructive malware, and, according to the indictment for the first time, attempting to break into a US oil refinery company with apparently similar intentions. At the same time, a new advisory from the FBI’s cyber division warns that Triton “remains [a] threat,” and that the hacker group associated with it “continues to conduct activities targeting the global energy sector.”
The indictment of Evgeny Viktorovich Gladkikh, an employee of the Kremlin-affiliated Central Scientific Research Institute of Chemistry and Mechanics (usually abbreviated TsNIIKhM), accuses him and unnamed co-conspirators of developing the Triton malware and deploying it to Petro Rabigh’s so-called safety instrumented systems, tamper-resistant devices intended to automatically monitor and respond to unsafe conditions. Hacking into those safety systems could have led to disastrous leaks or explosions, but instead it triggered a fail-safe mechanism that shut down the Saudi plant’s operations twice. Prosecutors also suggest that Gladkikh and his associates appear to have attempted to inflict a similar disruption on a specific, but undisclosed, US oil refinery company, but failed.
“Now we have confirmation from the government,” said Joe Slowik, a researcher at security firm Gigamon, who analyzed the Triton malware when it first appeared and has tracked the hackers behind it for years. “We have an entity that was playing with a system of security tools in a high-risk environment. And to try to do that not only in Saudi Arabia, but also in the United States is alarming.”