Indictment of Russian national offers glimpse into methodical targeting of energy firm
A 2021 indictment that was unsealed this week against a Russian national for allegedly attacking an oil refinery in Saudi Arabia in 2017 has provided a glimpse into the methodical — and sometimes chilling — rigor that state-backed actors can put into breaching target networks and systems.
Details in the indictment also show how attackers can use a foothold on an organization’s IT network to pivot into its OT networks and business-critical industrial control system (ICS) environments.
The US government Thursday unsealed a three-count indictment charging Russian national Evgeny Viktorovich Gladkikh and unnamed co-conspirators for their role in a 2017 attack that twice triggered emergency shutdowns of an oil refinery in Saudi Arabia. Gladkikh and his partners are accused of attempting to cause physical damage to the energy facility and of intentionally damaging systems controlling critical safety equipment at the site. The indictment was one of two the US government unsealed this week. The second involved three Russian Federal Security Service officers who allegedly were behind a long-running series of cyberattacks against organizations in the energy sector.
Gladkikh’s attacks garnered considerable attention when they happened because they involved malware — dubbed Triton by some and Trisis by others — specifically designed to cause catastrophic damage to an industrial plant. The malware targeted specific models of a safety instrumented system (SIS) called Triconex from Schneider Electric, which the plant was using at the time to monitor systems responsible for tasks such as burner management and sulfur recovery. A malfunction of those systems could have resulted in explosions and the release of toxic gases at the facility.
Details in the indictment show that Gladkikh and his partners — using resources from an outfit associated with Russia’s Ministry of Defense — systematically targeted systems at the oil refinery to try to plant Triton on the facility’s Triconex systems. The four-month campaign began in May 2017 when Gladkikh gained initial access to the energy company’s IT network. The indictment did not provide details on how he might have gained that initial foothold.
He and his partners then systematically gathered technical log files from the Triconex systems while also attempting to disable the cybersecurity controls designed to prevent unauthorized access to those systems.
To read the complete article, visit Dark Reading.