DOJ Indictment Links Russian Nationals to Supply Chain Attacks

March 30, 2022 | Brooke Crothers

The Department of Justice unsealed two indictments last week charging four defendants, all Russian nationals working for the Russian government, with “attempting, supporting and conducting computer intrusions that…targeted the global energy sector between 2012 and 2018.” The hacking campaigns were directed at hundreds of companies and organizations in 135 countries.

One of the indictments, United States v. Pavel Aleksandrovich Akulov, et al. (August 2021), details a campaign carried out by three officers of Russia’s Federal Security Service (FSB) and their co-conspirators to compromise the computers of “hundreds of entities related to the energy sector worldwide,” the DOJ said.

The “Center 16” operational unit – also known in the wider cybersecurity community by various names including “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti” – is at the center of the supply chain attacks, the DOJ said.

Center 16 seeks to advance “the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector,” the DOJ said.


Supply chain attacks have been around for years, as the DOJ’s August 26, 2021 indictment shows. Three Russian computer hackers, who were officers in Center 16, carried out energy sector attacks between 2012 and 2014 in phase one of the campaign.

What the supply chain hackers did

In this phase, referred to as “Dragonfly” or “Havex,” the conspirators launched a supply chain attack that compromised the computer networks of ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) system manufacturers and software providers. The hackers then hid the Havex malware inside those vendors’ legitimate software updates, so customers unwittingly downloaded infected updates. The hackers then used the malware to create backdoors into infected systems and to scan victims’ networks for additional ICS/SCADA devices, the indictment said.

By using spear phishing and watering hole attacks as well as other tactics, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies, the DOJ said.

In the second phase (2014-2017), referred to as “Dragonfly 2.0,” the conspirators focused on specific energy sector organizations and individuals who worked with ICS/SCADA systems, according to the indictment. Those targets included 3,300 users at more than 500 U.S. and international companies and entities, as well as U.S. government agencies such as the Nuclear Regulatory Commission.

Successful attacks

The spear phishing attacks succeeded in some instances – though those attacks did not involve computers directly connected to ICS/SCADA equipment, the DOJ said.

“In some cases, the spearphishing attacks were successful, including in the compromise of the business network…of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.”

--Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide, Department of Justice, March 24, 2022

During the Dragonfly 2.0 phase, the conspirators also conducted a watering hole attack that compromised servers hosting websites commonly visited by ICS/SCADA system engineers through publicly known vulnerabilities in content management software. “When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ said.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already released numerous Technical Alerts about Russia’s recent malicious cyber activities and the campaigns discussed in the indictments.

Businesses can protect themselves against threat actors like these by implementing a robust machine identity management program. Solutions such as Venafi CodeSign Protect help organizations protect the code signing machine identities used to sign their software across the extended enterprise. As part of the Trust Protection Platform, CodeSign Protect powers enterprise solutions that give you the visibility, intelligence and automation to protect your software infrastructure.
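As an added example (not code from this post, the DOJ or Venafi), here is the check a signed-update client performs, written in Go: a publisher key pinned at install time verifies a manifest carrying the payload digest, so a payload altered after signing, as in the Havex phase above, or a manifest signed with any other key is refused. The manifest format, key material and sample payload are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest binds an update's version to the SHA-256 of its payload. The publisher
// signs the manifest; the client verifies it before trusting the payload.
type Manifest struct{ Version, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Publisher side: in practice priv lives in protected signing infrastructure.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// Client side: pub is pinned at install time; anything that fails to verify is refused.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if digest(payload) != m.SHA256 {
		return errors.New("payload digest differs from signed manifest: refusing update")
	}
	return nil
}

// scenario checks a genuine update, a payload altered after signing (the Havex
// pattern), and a manifest re-signed with a key the client has not pinned.
func scenario() (genuine, tampered, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed vendor update 2.1") // constructed sample, not a real artifact
	m := Manifest{"2.1", digest(payload)}
	sig := signManifest(priv, m)
	genuine = verifyUpdate(pub, m, sig, payload)
	tampered = verifyUpdate(pub, m, sig, append(append([]byte{}, payload...), "<implant>"...))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	altered := []byte("altered")
	m2 := Manifest{"2.1", digest(altered)}
	wrongKey = verifyUpdate(pub, m2, signManifest(attackerPriv, m2), altered)
	return
}

func main() {
	g, t, w := scenario()
	fmt.Println("genuine:", g, "\ntampered:", t, "\nwrong key:", w)
}
```

The client never evaluates the payload before the signature check passes, and the signing key is the asset the post's machine identity argument is about: if it leaks, a forged manifest verifies like a genuine one.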

If you wish to learn more, reach out to one of our experts. They will be glad to answer all your questions.
