{
	"id": "e33fb9cc-7758-49eb-91c1-2f1393fd89de",
	"created_at": "2026-04-06T00:09:18.856064Z",
	"updated_at": "2026-04-10T13:12:35.702146Z",
	"deleted_at": null,
	"sha1_hash": "4a2f9db02a39d7834748b596110a9bfaa78bf06d",
	"title": "US charges 4 Russian govt employees with critical infrastructure hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4223228,
	"plain_text": "US charges 4 Russian govt employees with critical infrastructure hacks\r\nBy Sergiu Gatlan\r\nPublished: 2022-03-24 · Archived: 2026-04-05 14:22:50 UTC\r\nThe U.S. has indicted four Russian government employees for their involvement in hacking campaigns targeting hundreds of companies and organizations from the global energy sector between 2012 and 2018.\r\n\"In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries,\" the Department of Justice said.\r\nThe Department of Justice unsealed two indictments on Thursday, one from June 2021 and one from August 2021, charging one employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and three officers of Russia's Federal Security Service (FSB).\r\nhttps://www.bleepingcomputer.com/news/security/us-charges-4-russian-govt-employees-with-critical-infrastructure-hacks/\r\nPage 1 of 4\r\nEvgeny Viktorovich Gladkikh, a computer programmer at TsNIIKhM, and co-conspirators were behind attacks that caused two emergency shutdowns at a Middle East-based refinery facility between May and September 2017.\r\nThey did that by hacking the refinery's systems and installing malware known as Triton or Trisis on Schneider Electric Triconex Tricon PLCs used by safety systems.\r\nThe malware infects the Triconex Tricon PLCs by modifying in-memory firmware, which allowed the attackers to add additional programming and control the compromised systems remotely.\r\nSubsequently, the group also tried to hack into the systems of a U.S. refinery between February and July 2018.\r\nPavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, the ones charged in August 2021, were officers in Military Unit 71330 or 'Center 16' of the FSB.\r\nThey were also part of a hacking group tracked under multiple names, including Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti.\r\nWanted posters (FBI)\r\nThe FSB \"Dragonfly\" hacking campaigns\r\nBetween 2012 and 2017, the three FSB hackers and their team were behind multiple breaches and supply chain attacks targeting ICS or Supervisory Control and Data Acquisition (SCADA) systems used in the international energy sector, including oil and gas firms, nuclear power plants, as well as utility and power transmission companies.\r\nIn the first campaign, which took place between 2012 and 2014 and is known as Dragonfly or Havex, they infiltrated the networks of multiple ICS/SCADA system manufacturers and software providers and infected legitimate software updates with the Havex remote access Trojan (RAT).\r\nTogether with spearphishing and \"watering hole\" attacks, this supply chain attack enabled them to infect more than 17,000 unique devices in the United States and worldwide with malware.\r\nBetween 2014 and 2017, as part of the Dragonfly 2.0 campaign, they switched to spearphishing attacks and targeted over 3,300 users at more than 500 U.S. and international companies and entities, including U.S. government agencies such as the Nuclear Regulatory Commission.\r\n\"Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,\" said Deputy Attorney General Lisa O. Monaco.\r\n\"Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.\"\r\nCISA, the FBI, and the U.S. Department of Energy also published a joint cybersecurity advisory detailing the Russian state-sponsored hacking campaigns targeting the U.S. and international Energy Sector, including oil refineries, nuclear facilities, and energy companies.\r\nThe U.S. Department of State is offering a reward of up to $10 million for any information leading to the identification or location of state-sponsored Russian hackers targeting U.S. critical infrastructure.\r\nSource: https://www.bleepingcomputer.com/news/security/us-charges-4-russian-govt-employees-with-critical-infrastructure-hacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-charges-4-russian-govt-employees-with-critical-infrastructure-hacks/"
	],
	"report_names": [
		"us-charges-4-russian-govt-employees-with-critical-infrastructure-hacks"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a2f9db02a39d7834748b596110a9bfaa78bf06d.pdf",
		"text": "https://archive.orkl.eu/4a2f9db02a39d7834748b596110a9bfaa78bf06d.txt",
		"img": "https://archive.orkl.eu/4a2f9db02a39d7834748b596110a9bfaa78bf06d.jpg"
	}
}