{
	"id": "5ed341d4-ade4-414f-bcfc-aa6ae2d2d95b",
	"created_at": "2026-04-06T15:52:42.592894Z",
	"updated_at": "2026-04-10T13:12:22.270989Z",
	"deleted_at": null,
	"sha1_hash": "7fa852e194f6a7edc5e0f6c9f11c83fc675ace68",
	"title": "Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70181,
	"plain_text": "Four Russian Government Employees Charged in Two Historical\r\nHacking Campaigns Targeting Critical Infrastructure Worldwide\r\nPublished: 2022-03-24 · Archived: 2026-04-06 15:39:39 UTC\r\nThe Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who\r\nworked for the Russian government, with attempting, supporting and conducting computer intrusions that\r\ntogether, in two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these\r\nhacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in\r\napproximately 135 countries.\r\nA June 2021 indictment returned in the District of Columbia, United States v. Evgeny Viktorovich Gladkikh,\r\nconcerns the alleged efforts of an employee of a Russian Ministry of Defense research institute and his co-conspirators to damage critical infrastructure outside the United States, thereby causing two separate emergency\r\nshutdowns at a foreign targeted facility. The conspiracy subsequently attempted to hack the computers of a U.S.\r\ncompany that managed similar critical infrastructure entities in the United States.\r\nAn August 2021 indictment returned in the District of Kansas, United States v. Pavel Aleksandrovich Akulov, et\r\nal., details allegations about a separate, two-phased campaign undertaken by three officers of Russia’s Federal\r\nSecurity Service (FSB) and their co-conspirators to target and compromise the computers of hundreds of entities\r\nrelated to the energy sector worldwide. Access to such systems would have provided the Russian government the\r\nability to, among other things, disrupt and damage such computer systems at a future time of its choosing.\r\n“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United\r\nStates and around the world,” said Deputy Attorney General Lisa O. Monaco. 
“Although the criminal charges\r\nunsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to\r\nharden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of\r\nJustice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical\r\ninfrastructure with cyber-attacks.” \r\n“The FBI, along with our federal and international partners, is laser-focused on countering the significant cyber\r\nthreat Russia poses to our critical infrastructure,” said FBI Deputy Director Paul Abbate. “We will continue to\r\nidentify and quickly direct response assets to victims of Russian cyber activity; to arm our partners with the\r\ninformation that they need to deploy their own tools against the adversary; and to attribute the misconduct and\r\nimpose consequences both seen and unseen.”\r\n“We face no greater cyber threat than actors seeking to compromise critical infrastructure, offenses which could\r\nharm those working at affected plants as well as the citizens who depend on them,” said U.S. Attorney Matthew\r\nM. Graves for the District of Columbia. “The department and my office will ensure that those attacking\r\noperational technology will be identified and prosecuted.”\r\nhttps://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical\r\nPage 1 of 6\n\n“The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals,\r\nhomes, businesses and other locations essential to sustaining our communities is a reality in today’s world,” said\r\nU.S. Attorney Duston Slinkard for the District of Kansas. “We must acknowledge there are individuals actively\r\nseeking to wreak havoc on our nation’s vital infrastructure system, and we must remain vigilant in our effort to\r\nthwart such attacks. 
The Department of Justice is committed to the pursuit and prosecution of accused hackers as\r\npart of its mission to protect the safety and security of our nation.”\r\nIn addition to unsealing these charges, the U.S. government is taking action to enhance private sector network\r\ndefense efforts and disrupt similar malicious activity.\r\nThe Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already\r\nreleased numerous Technical Alerts, ICS Alerts and Malware Analysis Reports regarding Russia’s malign cyber\r\nactivities, including the campaigns discussed in the indictments. These are located at:\r\nhttps://www.cisa.gov/shields-up\r\n1. United States v. Evgeny Viktorovich Gladkikh – defendant installed backdoors and launched malware\r\ndesigned to compromise the safety of energy facilities\r\nIn June 2021, a federal grand jury in the District of Columbia returned an indictment charging Evgeny Viktorovich\r\nGladkikh (Евгений Викторович Гладких), 36, a computer programmer employed by an institute affiliated with\r\nthe Russian Ministry of Defense, for his role in a campaign to hack industrial control systems (ICS) and\r\noperational technology (OT) of global energy facilities using techniques designed to enable future physical\r\ndamage with potentially catastrophic effects.\r\nAccording to the indictment, between May and September 2017, the defendant and co-conspirators hacked the\r\nsystems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton”\r\nor “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation. 
The conspirators\r\ndesigned the Triton malware to prevent the refinery’s safety systems from functioning (i.e., by causing the ICS to\r\noperate in an unsafe manner while appearing to be operating normally), granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm. However,\r\nwhen the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety\r\nsystems to initiate two automatic emergency shutdowns of the refinery’s operations. Between February and July\r\n2018, the conspirators researched similar refineries in the United States, which were owned by a U.S. company,\r\nand unsuccessfully attempted to hack the U.S. company’s computer systems.\r\nThe three-count indictment alleges that Gladkikh was an employee of the State Research Center of the Russian\r\nFederation FGUP Central Scientific Research Institute of Chemistry and Mechanics’ (Государственный научный\r\nцентр Российской Федерации федеральное государственное унитарное предприятие Центральный научно-исследовательский институт химии и механики, hereinafter “TsNIIKhM”) Applied Developments Center\r\n(“Центр прикладных разработок,” hereinafter “ADC”). On its website, which was modified after the Triton\r\nattack became public, TsNIIKhM described itself as the Russian Ministry of Defense’s leading research\r\n
The ADC, in turn, publicly asserted that it engaged in research concerning information technology-related threats to critical infrastructure (i.e., that its research was defensive in nature).\r\nThe defendant is charged with one count of conspiracy to cause damage to an energy facility, which carries a\r\nmaximum sentence of 20 years in prison, one count of attempt to cause damage to an energy facility, which carries\r\na maximum sentence of 20 years in prison, and one count of conspiracy to commit computer fraud, which carries\r\na maximum sentence of five years in prison.\r\nAssistant U.S. Attorneys Christopher B. Brown and Luke Jones for the District of Columbia, in partnership with\r\nthe National Security Division’s Counterintelligence and Export Control Section, are prosecuting this case. The\r\nFBI’s Washington Field Office conducted the investigation.\r\nThe U.S.-based targets of the conspiracy cooperated and provided valuable assistance in the investigation. The\r\nDepartment of Justice and the FBI also expressed appreciation to Schneider Electric for its assistance in the\r\ninvestigation, particularly noting the company’s public outreach and education efforts following the overseas\r\nTriton attack.\r\n2. United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich\r\nTyukov – defendants undertook years-long effort to target and compromise computer systems of energy\r\nsector companies\r\nOn Aug. 26, 2021, a federal grand jury in Kansas City, Kansas, returned an indictment charging three computer\r\nhackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Military Unit\r\n71330 or “Center 16” of the FSB, with violating U.S. 
laws related to computer fraud and abuse, wire fraud,\r\naggravated identity theft and causing damage to the property of an energy facility.\r\nThe FSB hackers, Pavel Aleksandrovich Akulov (Павел Александрович Акулов), 36, Mikhail Mikhailovich\r\nGavrilov (Михаил Михайлович Гаврилов), 42, and Marat Valeryevich Tyukov (Марат Валерьевич Тюков), 39,\r\nwere members of a Center 16 operational unit known among cybersecurity researchers as “Dragonfly,” “Berzerk\r\nBear,” “Energetic Bear,” and “Crouching Yeti.” The indictment alleges that, between 2012 and 2017, Akulov,\r\nGavrilov, Tyukov and their co-conspirators, engaged in computer intrusions, including supply chain attacks, in\r\nfurtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the\r\ncomputer networks of companies and organizations in the international energy sector, including oil and gas firms,\r\nnuclear power plants, and utility and power transmission companies. Specifically, the conspirators targeted the\r\nsoftware and hardware that controls equipment in power generation facilities, known as ICS or Supervisory\r\nControl and Data Acquisition (SCADA) systems. Access to such systems would have provided the Russian\r\ngovernment the ability to, among other things, disrupt and damage such computer systems at a future time of its\r\nchoosing.\r\nAccording to the indictment, the energy sector campaign involved two phases. In the first phase, which took place\r\nbetween 2012 and 2014 and is commonly referred to by cyber security researchers as “Dragonfly” or “Havex,” the\r\nconspirators engaged in a supply chain attack, compromising the computer networks of ICS/SCADA system\r\nmanufacturers and software providers and then hiding malware – known publicly as “Havex” – inside legitimate\r\nsoftware updates for such systems. 
After unsuspecting customers downloaded Havex-infected updates, the\r\nconspirators would use the malware to, among other things, create backdoors into infected systems and scan\r\nvictims’ networks for additional ICS/SCADA devices. Through these and other efforts, including spearphishing\r\nand “watering hole” attacks, the conspirators installed malware on more than 17,000 unique devices in the United\r\nStates and abroad, including ICS/SCADA controllers used by power and energy companies.\r\nIn the second phase, which took place between 2014 and 2017 and is commonly referred to as “Dragonfly 2.0,”\r\nthe conspirators transitioned to more targeted compromises that focused on specific energy sector entities and\r\nindividuals and engineers who worked with ICS/SCADA systems. As alleged in the indictment, the conspirators’\r\ntactics included spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international\r\ncompanies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission. In\r\nsome cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e.,\r\ninvolving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating\r\nCorporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. 
Moreover, after\r\nestablishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate\r\nfurther into the network by obtaining access to other computers and networks at the victim entity.\r\nDuring the Dragonfly 2.0 phase, the conspirators also undertook a watering hole attack by compromising servers\r\nthat hosted websites commonly visited by ICS/SCADA system and other energy sector engineers through publicly\r\nknown vulnerabilities in content management software. When the engineers browsed to a compromised website,\r\nthe conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers.\r\nThe conspiracy’s hacking campaign targeted victims in the United States and in more than 135 other countries.\r\nAkulov, Gavrilov and Tyukov are charged with conspiracy to cause damage to the property of an energy facility\r\nand commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and conspiracy\r\nto commit wire fraud, which carries a maximum sentence of 20 years in prison. Akulov and Gavrilov are also\r\ncharged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information\r\nfrom computers and causing damage to computers. These offenses carry maximum sentences ranging from five to\r\n20 years in prison. Finally, Akulov and Gavrilov are also charged with three counts of aggravated identity theft,\r\neach of which carries a minimum sentence of two years consecutive to any other sentence imposed.\r\nAssistant U.S. Attorneys Scott Rask, Christopher Oakley and Ryan Huschka for the District of Kansas, and\r\nCounsel for Cyber Investigations Ali Ahmad and Trial Attorney Christine Bonomo of the National Security\r\nDivision’s Counterintelligence and Export Control Section are prosecuting this case. 
The FBI’s Portland and\r\nRichmond field offices conducted the investigation, with the assistance of the FBI’s Cyber Division.\r\nNumerous victims, including Wolf Creek and its owners Evergy and the Kansas Electric Power Cooperative,\r\ncooperated and provided invaluable assistance in the investigation.\r\nAn indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law. A federal district court judge will determine any sentence after considering the\r\nU.S. Sentencing Guidelines and other statutory factors.\r\nNote: View the concurrent announcement by the Department of State of a $10 million reward for information leading to the arrest of a defendant or identification of other conspirators as part of its Rewards\r\nfor Justice program.\r\nView the concurrent announcement by the FBI, Department of Energy and Department of Homeland Security’s\r\nCybersecurity and Infrastructure Security Agency (CISA) of a Joint Cybersecurity Advisory containing technical details, indicators of compromise and mitigation measures.\r\nSource: https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical"
	],
	"report_names": [
		"four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490762,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fa852e194f6a7edc5e0f6c9f11c83fc675ace68.pdf",
		"text": "https://archive.orkl.eu/7fa852e194f6a7edc5e0f6c9f11c83fc675ace68.txt",
		"img": "https://archive.orkl.eu/7fa852e194f6a7edc5e0f6c9f11c83fc675ace68.jpg"
	}
}