U.S. Accuses 4 Russians of Hacking Infrastructure, Including Nuclear Plant

WASHINGTON — The Justice Department unsealed charges on Thursday accusing four Russian officials of carrying out a series of cyberattacks targeting critical infrastructure in the United States, including a nuclear power plant in Kansas, and evidently compromising a petrochemical facility in Saudi Arabia.

The announcement covered hackings from 2012 to 2018, but served as yet another warning from the Biden administration of Russia’s ability to conduct such operations. It came days after President Biden told businesses that Moscow could wage such attacks to retaliate against countries that have forcefully opposed the Russian invasion of Ukraine.

“Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant,” Deputy Attorney General Lisa O. Monaco said in a statement. “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world.”

The four officials, including three members of Russia’s domestic intelligence agency, the Federal Security Service, or F.S.B., are accused of breaching hundreds of energy companies around the world, showing the “dark art of the possible,” a Justice Department official said at a briefing with reporters.

The indictments essentially confirm what cyberresearchers have said for years, that Russia was to blame for the intrusions. None of the Russian officials accused of the attacks have been apprehended.

In his warning to private companies on Monday, Mr. Biden urged them to strengthen their defenses. National security experts have said that companies should report any unusual activity to the F.B.I. and other agencies that can respond to potential breaches.

In one of the indictments unsealed on Thursday, a computer programmer for the Russian Ministry of Defense, Evgeny V. Gladkikh, 36, is accused of using a type of malware known as Triton to infiltrate a foreign petrochemical plant in 2017, leading to two emergency shutdowns at the facility. The indictment did not identify the location of the plant, but the details of the attack suggest the facility was in Saudi Arabia.

Investigators believed at the time that the intrusion was meant to trigger an explosion, but said that a mistake in the code prevented one. The safety system detected the malware and prompted a system shutdown, leading researchers to discover the code.

Undeterred, the next year Mr. Gladkikh and other hackers researched refineries in the United States and tried to breach the computers of an American company that managed similar critical infrastructure facilities in the United States, according to court filings.

Mr. Gladkikh was charged with one count of conspiracy to cause damage to an energy facility, one count of attempt to cause damage to an energy facility and one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison.

Cybersecurity experts consider the Triton malware to be particularly dangerous because of its potential to create disasters at power plants around the world, many of which use the same software that was targeted in the Saudi Arabian plant. Its use in 2017 signaled a dangerous escalation of Russia’s cyberabilities, demonstrating that Russia was willing and able to destroy critical infrastructure and inflict a cyberattack that could have deadly consequences.

“It was different than what we’d seen before because it was a new leap in what was possible,” said John Hultquist, a vice president of intelligence analysis at the cybersecurity firm Mandiant.

In a separate indictment, federal prosecutors accused three Federal Security Service officers, Pavel A. Akulov, 36, Mikhail M. Gavrilov, 42, and Marat V. Tyukov, 39, of a yearslong effort to target and compromise the computer systems of hundreds of energy sector businesses around the world.

The three men are all believed to be members of a unit in the security agency that carries out cybercrimes, and is known by various names including “Dragonfly,” “Berzerk Bear,” “Energetic Bear” and “Crouching Yeti.”

The group has “a decade of experience going after U.S. critical infrastructure,” Mr. Hultquist said. “In 2020, they were digging into state and local systems as well as airports.”

Mr. Akulov, Mr. Gavrilov and Mr. Tyukov are accused of hacking Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., as well as other businesses that operate critical infrastructure, such as oil and gas firms and utility companies.

From 2012 to 2017, the three men gained unauthorized access to the computer systems of oil and gas, energy, nuclear power plant and utilities companies and surreptitiously monitored those systems, the indictment said.

They targeted the software and hardware that controls equipment in power generation facilities, giving the Russian government the ability to disrupt and damage such computer systems, according to court filings.

They used several tactics to gain access to computer networks, including spearphishing attacks that targeted more than 3,300 users at more than 500 American and international companies. They targeted government agencies such as the Nuclear Regulatory Commission, and in some cases they were successful.

The three Russian security agents were charged with conspiracy to cause damage to the property of an energy facility, and commit computer fraud and abuse; and they were charged with conspiracy to commit wire fraud. Mr. Akulov and Mr. Gavrilov were separately charged with aggravated identity theft.

Russian hacking groups often study critical infrastructure, compromising it and then lurking in computer systems for months or years without taking action, Mr. Hultquist said.

“It’s this process of them gaining access but not necessarily pulling the trigger. It’s the preparation for contingency,” he said. “The point is to let us know that they can respond.”