For years, the hackers behind the malware known as Triton or Trisis have stood out as a uniquely dangerous threat to critical infrastructure: a group of digital intruders who attempted to sabotage industrial safety systems, with physical, potentially catastrophic results. Now the US Department of Justice has put a name to one of the hackers in that group—and confirmed that their targets included a US company that owns multiple oil refineries.
On Thursday, just days after the White House warned of potential cyberattacks on US critical infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department unsealed a pair of indictments that together outline a years-long campaign of Russian hacking of US energy facilities. In one set of charges, filed in August 2021, authorities name three officers of Russia's FSB intelligence agency accused of being members of a notorious hacking group known as Berserk Bear, Dragonfly 2.0, or Havex, known for targeting electrical utilities and other critical infrastructure worldwide, and widely suspected of working in the service of the Russian government.
The second indictment, filed in June 2021, levels charges against a member of an arguably more dangerous team of hackers: a Russian group known variously as the Triton or Trisis actor, Xenotime or Temp.Veles. That second group didn't merely target energy infrastructure worldwide but also took the rare step of inflicting real disruption in the Saudi oil refinery Petro Rabigh in 2017, infecting its networks with potentially destructive malware, and—the indictment alleges for the first time—attempting to break into a US oil-refining company with what appeared to be similar intentions. At the same time, a new advisory from the FBI cyber division warns that Triton "remains [a] threat," and that the hacker group associated with it "continues to conduct activity targeting the global energy sector."
The indictment of Evgeny Viktorovich Gladkikh, a staffer at the Moscow-based Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (typically abbreviated TsNIIKhM), charges him and unnamed coconspirators with developing the Triton malware and deploying it to sabotage Petro Rabigh's so-called safety instrumented systems, equipment intended to automatically monitor for and respond to unsafe conditions. The hacking of those safety systems could have led to disastrous leaks or explosions but instead triggered a fail-safe mechanism that twice shut down the Saudi plant's operations. Prosecutors also suggest that Gladkikh and his collaborators appear to have tried to inflict a similar disruption on a specific but unnamed US oil refining firm, but failed.
"Now we have confirmation from the government," says Joe Slowik, a researcher at security firm Gigamon who analyzed the Triton malware when it first appeared and has tracked the hackers behind it for years. "We have an entity that was playing around with a safety-instrumented system in a high-risk environment. And to try to do that not just in Saudi Arabia, but in the United States, is concerning."
The indictment alleges that in February 2018, just two months after the Triton malware deployed at Petro Rabigh had been discovered by cybersecurity firms FireEye and Dragos, staffers at TsNIIKhM began researching US refineries, seeking out US government research papers that could detail which US refineries had the most capacity, the potential effects of fires or explosions at those facilities, and their vulnerability to nuclear attacks or other disasters.
The next month, prosecutors say, Gladkikh began searching for job postings that might reveal which industrial control system software was used at a specific US company that owned multiple refineries named in those government reports. From March until July of 2018, Gladkikh then allegedly targeted that company's network with attempted SQL injection attacks, a technique that exploits vulnerabilities in a web interface to try to gain access to underlying databases, as well as repeatedly scanning the company's systems for other vulnerabilities. None of those intrusion attempts ever succeeded, the indictment suggests.
As limited as those details may be, the indictment against Gladkikh represents the most concrete claims yet that the hackers behind Triton tried—and failed—to inflict disruption on US systems. But it isn't the first time they've been revealed to be probing American systems. In 2019, cybersecurity firm Dragos found that the Triton hackers—which Dragos calls "Xenotime"—had scanned the networks of at least 20 different US electric system targets, spanning every element of the US grid: power generation plants, transmission stations, and distribution stations. The company never released evidence of more than surface-level attempts at intrusion against those US energy firms, however. "The whole Xenotime operation is bigger than what the Justice Department dropped," says Sergio Caltagirone, the vice president of threat intelligence at Dragos. "That's just a slice of what has been going on."
Aside from the Gladkikh indictment, the Justice Department's charges against three FSB hackers—Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov—put names for the first time to a decade-long series of intrusions targeting power grids and other critical infrastructure worldwide. The indictment confirms the FSB association of that group, most commonly known as Berserk Bear, which has been tied to breaches of those infrastructure targets stretching back to 2012, with victims ranging from the Wolf Creek nuclear energy facility to the San Francisco International Airport. Unlike the Triton hackers, however, that FSB-linked group has strangely never actually triggered disruptive effects in a confirmed case, even when it had fingers-on-the-switch access to US electric utilities.
On top of the two indictments, the Department of Energy, FBI, and CISA released advisories Thursday to US critical infrastructure firms, listing the techniques of both the TsNIIKhM-based hackers responsible for Triton and the FSB-linked group, along with recommended countermeasures. The FBI warns in its advisory that the potential effects of attacks by the Triton hackers, specifically, “could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016”—incidents that were, in fact, caused by a different hacker group known as Sandworm, working in the service of Russia's GRU military intelligence agency.
Both advisories—and the unsealing of indictments against the two groups—follow vague but foreboding White House warnings earlier this week that Russia has engaged in "preparatory activity" for cyberattacks on US critical infrastructure. The intention, argues Gigamon's Slowik, isn't merely to warn US network defenders to bolster their defenses but also to demonstrate to the Kremlin that the US government has been able to track—and identify the people responsible for—its hacking activity, stretching back years. "The message is that the US government has good insight and visibility into Russian cyberoperations," says Slowik. “The message is ‘hey, we’re tracking you, and tracking you quite thoroughly.’”
Additional reporting by Lily Hay Newman.