US charges four Russians over hacking campaign on energy sector

The US has charged four Russians government employees with cyber-attacks on the global energy sector.

They are accused of targeting hundreds of companies and organisations in around 135 countries between 2012-2018.

Their activities are said to have caused two separate emergency shutdowns at one facility in Saudi Arabia.

The conspiracy then allegedly attempted to hack the computers of a company that managed similar critical infrastructure entities in the US.

Some of the individuals are linked by the US indictment to the FSB, Russia's security service.

The UK has also sanctioned a Russian defence organisation said to be linked to the attack.

US President Joe Biden this week warned of possible cyber-attacks linked to the Ukraine conflict but these indictments involve activity dating back before it began.

US Deputy Attorney General Lisa Monaco said: "Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world.

"Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defences and remain vigilant."

The accused are alleged to have installed backdoors and launched malicious software designed to compromise the safety of energy facilities.

Two separate groups are accused.

According to the indictment, between May and September 2017, one group is accused of hacking the systems of a petro-chemical plant in Saudi Arabia and installing malware, which cyber security researchers have referred to as "Triton" or "Trisis" on a safety system produced by Schneider Electric.

This caused a fault that led the refinery's electric safety systems to initiate two automatic emergency shutdowns of the refinery's operation in Saudi Arabia.

Between February and July 2018, the conspirators are said to have researched similar refineries in the US and unsuccessfully attempted to hack the company's computer systems. The accused in this case is said to be an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics.

The UK said the malicious software was designed specifically to target the plant's safety override for the Industrial Control System which ran its operations.

"The malware was designed to give the actors complete control of infected systems and had the capability to cause significant impact, possibly including the release of toxic gas or an explosion - either of which could have resulted in loss of life and physical damage to the facility," the UK Foreign Office said in a statement.

UK Foreign Secretary Liz Truss has used the UK's cyber sanctions regime to designate the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).

Another set of accusations is linked to three hackers who are linked to Military Unit 71330, or "Centre 16" of the FSB.

It is alleged that between 2012 and 2017 they engaged in computer intrusions of companies and organisations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.

They are said to have targeted the software and hardware that controls equipment in power generation facilities.

The UK's National Cyber Security Centre said it assessed that it was "almost certain" that the FSB's Centre 16 are also known by the hacker group pseudonyms of "Energetic Bear", "Berserk Bear" and "Crouching Yeti", and targeted critical IT systems and national infrastructure in Europe, the Americas and Asia.

They were indicted by the FBI for targeting the systems controlling the Wolf Creek nuclear power plant in Kansas in 2017, although this failed to have any negative impact.

This is the latest attribution of cyber attacks to Russia. It comes amid heightened concern of possible targeting of infrastructure such as energy in response to the Ukraine crisis.

In the UK, one official said they had seen ongoing Russian activity against such targets but it was not more than was seen normally.

Russia has always denied the accusations of cyber-attacks.