Sanctions Slapped on Russian Entities for U.S. Grid Cyber Intrusions

The U.S. Department of the Treasury on June 11 slapped sanctions on five Russian firms and three Russian individuals for several “significant” malicious cyber-enabled activities, including cyber intrusions in the U.S. energy grid.

The department’s Office of Foreign Assets Control said the sanctions are authorized under President Obama’s Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” as amended, and Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA).

While the Treasury’s announcement is vague—and it declined to provide details when asked by POWER—on why the firms or individuals were designated to receive sanctions under the two measures, the government agency said at least three firms provided “material and technological support” to Russia’s Federal Security Service (FSB) and several entities and individuals were owned or controlled by, or acted for or on behalf of, three entities that enabled the FSB.

The Murky World of Cyber Intrusions

Examples of Russia’s “malign and destabilizing cyber activities” cited by the Treasury include the NotPetya cyber-attack and “cyber intrusions against the U.S. energy grid to potentially enable future offensive operations.”

It also points to “global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber-attacks,” as well as Russian government activity to track undersea communication cables, “which carry the bulk of the world’s telecommunications data.”

As POWER has repeatedly reported, the power sector, along with other energy sectors that rely on industrial control systems (ICS), has seen a surge in increasingly sophisticated cyber threat activity, which some firms say is spearheaded by state-sponsored actors.

Global ICS cybersecurity firm Dragos Inc. recently published a series of special reports detailing major malware families that have been designed and deployed to attack electric grids. The company in March noted that before last year, only three families of ICS-specific malware were known: STUXNET, discovered before 2010; BLACKENERGY 2, discovered in 2012; and HAVEX, which emerged in 2013. Over 2017, two new samples emerged. One was CRASHOVERRIDE, the first-ever malware framework identified to have been designed and deployed to attack electric grids, which impacted a single transmission-level substation in Ukraine in December 2016. The second was TRISIS/TRITON, the attack framework used to modify application memory on safety instrumented system (SIS) controllers at a Middle Eastern facility to prevent them from functioning correctly, increasing the likelihood of a failure and other physical consequences.

Dragos on June 14 told POWER it has identified five specific motives for targeted malicious cyber activities focused on industrial networks. The recognized reasons are “economic espionage (theft of process detail), intelligence gathering (identify disruption opportunities), actual disruption, training and access to environments, and political posturing and influence.”

On June 14, Sergio Caltagirone, director of Threat Intelligence at Dragos, told POWER that “Cyber intrusions into electric grid operational networks are almost exclusively the domain of state-sponsored actors.” Such operations require significant resources and long access times, and they lack the financial rewards or other motivation that would draw non-state actors, he noted. “Also, given that the consequences of disrupting an industrial process could be catastrophic, many are wary of treading there—given the likely retribution they’d face.”

Who Is Sanctioned?

Russian entities whose property, interests, and transactions are blocked in the U.S. as a result of the June 11 sanctions, include Digital Security, which the Treasury said worked on a “project that would increase Russia’s offensive cyber capabilities for the Russian Intelligence Services, to include the FSB.”

Also blocked are ERPScan and Embedi, which the Treasury said were owned or controlled by Digital Security. Kvant Scientific Research Institute is also included for its “extensive ties” to the FSB, and for serving as a prime contractor on a project for which the FSB was allegedly an end user.

The fifth firm, Divetechnoservices, has provided material and technological support to the FSB since 2007, including “a variety of underwater equipment and diving systems,” for Russian government agencies, to include the FSB. The three individuals listed in the Treasury’s press release are reportedly associated with Divetechnoservices.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)