{
	"id": "b1b207b0-4ca9-49ca-a3b8-e2b94495f111",
	"created_at": "2026-04-06T00:11:59.616603Z",
	"updated_at": "2026-04-10T03:32:49.894054Z",
	"deleted_at": null,
	"sha1_hash": "f3071c522444ffe578cf9e80343631a7f820abdc",
	"title": "DOJ unseals indictments of four Russian gov’t officials for cyberattacks on energy companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 449857,
	"plain_text": "DOJ unseals indictments of four Russian gov’t officials for\r\ncyberattacks on energy companies\r\nBy Jonathan Greig\r\nPublished: 2023-01-17 · Archived: 2026-04-05 14:19:00 UTC\r\nThe indictments of four Russian nationals were unsealed by the Justice Department on Thursday, revealing a\r\nwidespread hacking campaign against energy companies around the world. \r\nEvgeny Viktorovich Gladkikh – indicted in June – was charged with one count of conspiracy to cause damage to\r\nan energy facility, one count of attempt to cause damage to an energy facility and one count of conspiracy to\r\ncommit computer fraud.\r\nThe DOJ accused the 36-year-old Gladkikh and other accomplices of using the Triton malware during attacks on a\r\nrefinery’s Schneider Electric safety systems between May and September 2017. \r\nHe is also accused of launching other attacks on the industrial control systems (ICS) and operational technology\r\n(OT) of global energy facilities, with the intention of physically damaging the facilities. \r\nGladkikh and others designed Triton – also known as Trisis – to prevent the refinery’s safety systems from\r\nfunctioning. When he launched the attack, the DOJ says it “caused a fault that led the refinery’s Schneider Electric\r\nsafety systems to initiate two automatic emergency shutdowns of the refinery’s operations.”\r\nThey added that Gladkikh and others did research into US-based refineries and tried to hack into other systems\r\nbetween February and July 2018. 
\r\nGladkikh worked for the State Research Center of the Russian Federation FGUP Central Scientific Research\r\nInstitute of Chemistry and Mechanics’ Applied Developments Center, which said it “engaged in research\r\nconcerning information technology-related threats to critical infrastructure.”\r\nhttps://therecord.media/doj-unseals-indictments-of-four-russian-govt-officials-for-cyberattacks-on-energy-companies/\r\nPage 1 of 6\n\nGladkikh is facing a maximum of 20 years in prison for two of the charges respectively and five years for the third\r\ncharge. \r\n“We face no greater cyber threat than actors seeking to compromise critical infrastructure, offenses which could\r\nharm those working at affected plants as well as the citizens who depend on them,” said U.S. Attorney Matthew\r\nGraves. \r\nThree military officers indicted\r\nThe other indictment – returned in August – involved 36-year-old Pavel Aleksandrovich Akulov, 42-year-old\r\nMikhail Mikhailovich Gavrilov, and 39-year-old Marat Valeryevich Tyukov, who are accused of launching attacks\r\nagainst oil and gas firms, nuclear power plants, and utility and power transmission companies. \r\nThe DOJ said the three – who are identified as officers in Military Unit 71330 or “Center 16” of the FSB –\r\nspecifically targeted ICS and SCADA systems. Center 16 was known by cybersecurity researchers as “Dragonfly,”\r\n“Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.” \r\nAkulov, Gavrilov and Tyukov are facing charges related to computer fraud and abuse, wire fraud, aggravated\r\nidentity theft and causing damage to the property of an energy facility.\r\nBetween 2012 and 2017, the three are accused of launching supply chain attacks that gave the Russian\r\ngovernment “surreptitious, unauthorized and persistent access” to the networks of several energy companies. 
\r\nFrom 2012 to 2014, they compromised several ICS/SCADA system manufacturers and software providers before\r\nhiding the “Havex” malware inside networks. They used a range of spearphishing and “watering hole” attacks to\r\ninstall malware on more than 17,000 devices in the US and other countries. \r\nBetween 2014 and 2017, the DOJ said the group went after “specific energy sector entities and individuals and\r\nengineers who worked with ICS/SCADA systems.” These attacks targeted more than 3,300 users at more than 500\r\nU.S. and international companies and entities, in addition to US government agencies such as the Nuclear\r\nRegulatory Commission. \r\n“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to,\r\namong other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA\r\ndevices,” the DOJ explained. \r\nThe group was successful in compromising the business systems of the Wolf Creek Nuclear Operating\r\nCorporation (Wolf Creek) in Burlington, Kansas through spearphishing. They also found success with watering\r\nhole attacks, which captured the login credentials of energy sector engineers through compromised websites. \r\nThese attacks targeted people in more than 136 countries. The three are facing a maximum of five years in prison\r\nfor the conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse\r\ncharge and 20 years in prison for the conspiracy to commit wire fraud charge. \r\nAkulov and Gavrilov were separately charged with wire fraud and computer fraud, which carry sentences ranging\r\nfrom five to 20 years in prison. 
The two are also facing three counts of aggravated identity theft, each of which\r\ncarries a minimum sentence of two years consecutive to any other sentence imposed. \r\n“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United\r\nStates and around the world,” said Deputy Attorney General Lisa O. Monaco. “Although the criminal charges\r\nunsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to\r\nharden their defenses and remain vigilant.”\r\nJoint government advisory \r\nAlongside the unsealed indictments, the Cybersecurity and Infrastructure Security Agency (CISA), FBI and\r\nDepartment of Energy released a joint advisory that highlights historical tactics, techniques, and procedures as\r\nwell as mitigations that energy companies can take to protect their networks.\r\nCISA Director Jen Easterly said that while the intrusions highlighted in the advisory span an earlier period of time,\r\nthe associated tactics, techniques, procedures, and mitigation steps “are still highly relevant in the current threat\r\nenvironment.”\r\n“The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals,\r\nhomes, businesses and other locations essential to sustaining our communities is a reality in today’s world,” said\r\nU.S. Attorney Duston Slinkard. 
\r\n“We must acknowledge there are individuals actively seeking to wreak havoc on our nation’s vital infrastructure\r\nsystem, and we must remain vigilant in our effort to thwart such attacks.”\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/doj-unseals-indictments-of-four-russian-govt-officials-for-cyberattacks-on-energy-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/doj-unseals-indictments-of-four-russian-govt-officials-for-cyberattacks-on-energy-companies/"
	],
	"report_names": [
		"doj-unseals-indictments-of-four-russian-govt-officials-for-cyberattacks-on-energy-companies"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3071c522444ffe578cf9e80343631a7f820abdc.pdf",
		"text": "https://archive.orkl.eu/f3071c522444ffe578cf9e80343631a7f820abdc.txt",
		"img": "https://archive.orkl.eu/f3071c522444ffe578cf9e80343631a7f820abdc.jpg"
	}
}