The indictment against Yevgeny Viktorovich Gladkikh, an employee of the Kremlin-linked, Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (commonly abbreviated TsNIIKhM), accuses him and unnamed co-conspirators of developing the Triton malware and deploying it to sabotage so-called safety instrumented systems, tamper-resistant equipment designed to automatically monitor and respond to unsafe conditions. Hacking those safety systems could have led to catastrophic leaks or explosions, but instead it tripped a safety mechanism that twice shut down the Saudi plant. Prosecutors also say that Gladkikh and his associates appear to have tried, and failed, to inflict a similar disruption on a specific but unnamed U.S. oil refining firm.
“We now have confirmation from the government,” said Joe Slowik, a researcher at security firm Gigamon who analyzed the Triton malware when it first appeared and has been tracking the hackers behind it for years. “We have an organization that was playing with a safety instrumented system in a high-risk environment. And to try to do that not only in Saudi Arabia, but in the United States, is alarming.”
The indictment alleges that in February 2018, just two months after the Triton malware deployed at Petro Rabigh was discovered by the cybersecurity firms FireEye and Dragos, TsNIIKhM officials began researching U.S. refineries, looking for U.S. government documents that could detail which refineries had the largest capacity, the potential consequences of fires or explosions at those facilities, and their vulnerability to nuclear attacks or other disasters.
The next month, prosecutors say, Gladkikh began searching job postings that could reveal which industrial control system software was used at a particular U.S. company that owned multiple refineries named in those government reports. From March to July 2018, Gladkikh then allegedly attacked that company’s network with attempted SQL injection attacks, a technique that abuses flaws in how a web application assembles database queries from user input in order to read or alter the databases behind it, and repeatedly scanned the company’s systems for other vulnerabilities. None of those break-in attempts succeeded, the indictment says.
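To show concretely what an SQL injection attempt against a web interface looks like, here is an added example that is not from the article, the indictment, or any of the parties it describes. It uses a constructed in-memory database with a hypothetical user table, and contrasts a login query that splices user input directly into the SQL string with the same query written with bound parameters, which is the standard fix.

```python
import sqlite3

# Constructed sample data: a hypothetical login table for a plant web portal.
# Nothing here comes from the indictment or from any real refinery system.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plant_users (username TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO plant_users VALUES ('operator', 'hunter2', 'ics_admin')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately broken: user input is concatenated into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
      username = '...' AND password = '' OR '1'='1'
    which is always true, so the first row (and its role) comes back
    without knowing any real credentials.
    """
    query = (
        "SELECT role FROM plant_users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders make the driver treat input purely as data.

    The quote characters in the payload never reach the SQL parser as
    syntax, so the same payload simply fails to match any row.
    """
    row = conn.execute(
        "SELECT role FROM plant_users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the classic tautology payload."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "nobody", payload),
        "parameterized_with_payload": login_parameterized(conn, "nobody", payload),
        "parameterized_real_creds": login_parameterized(conn, "operator", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The difference between the two functions is the whole lesson: the vulnerable version hands the attacker a way to rewrite the query, while the parameterized version keeps the query fixed and only the data varies. The indictment describes attempts of this kind failing, which is consistent with a target whose web interfaces did not build queries the first way.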
As limited as those details are, the indictment against Gladkikh represents the most specific allegations yet that the hackers behind Triton tried, and failed, to disrupt U.S. systems. But it is not the first time they have been found probing U.S. targets. In 2019, the cybersecurity firm Dragos found that the Triton hackers, which Dragos calls “Xenotime,” had scanned the networks of at least 20 different targets in the U.S. electric system, spanning every element of the grid from power plants to transmission and distribution stations, although the company has never published evidence of more than surface-level hacking attempts against those U.S. energy firms. “The whole Xenotime operation is bigger than what the DOJ let on,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “That’s just part of what’s going on.”