U.S. authorities have accused three Russian intelligence officers of hacking U.S. nuclear companies and others for nearly six years, charging them and another man employed by the Russian Defense Ministry of computer conspiracy and other crimes.
The federal indictments, issued in 2021 but only unsealed on March 24, were the latest in a series of accusations and revelations showing the scope and skill of Russia’s state-sponsored spies and hackers and their efforts to penetrate U.S. computer systems, private and public.
Prosecutors said three men working for a unit called Center 16 of the Federal Security Service (FSB), Russia’s leading domestic intelligence agency, spent five years, 2012 to 2017, sending fake e-mails with infected attachments to energy companies in the United States.
Once opened or clicked on, the attachments, which sometimes were disguised as resumes from interested job seekers, would then allow the officers to insert harmful computer code, and then monitor internal computer systems.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Deputy Attorney General Lisa Monaco said in a statement announcing the indictments.
It wasn’t immediately clear why the indictments were unsealed on March 24.
But U.S. authorities for more than a decade have gone after Russian hackers — both from the private sector and state-sponsored — seeking arrests in countries across the globe and demanding their extradition to the United States to stand trial.
The efforts have infuriated Moscow, which accuses the United States of hunting down Russian citizens around the world.
The issue of hackers working for Russian intelligence agencies came into sharp focus after the 2016 U.S. election, when, according to U.S. Special Counsel Robert Mueller, Russian agents hacked the computer systems of Democratic Party officials, stole e-mails, then leaked them in a bid to embarrass then-presidential candidate Hillary Clinton.
The agency named by Mueller was Russia’s military intelligence agency, known as the GRU. Another intelligence agency, known as the SVR, has also been identified in several high-profile hacking incidents, as well.
In 2017, two FSB officers were implicated in the hack of Yahoo and theft of nearly 1 billion e-mail accounts, one of the largest-ever such computer thefts.
In the new indictments, U.S. authorities accuse the three officers from the FSB’s Center 16 of hacking hundreds of computers system from energy companies in the United States and other countries. Center 16, which is also known as Military Unit 71330, was dubbed by the nicknames “Berzerk Bear,” “Dragonfly,” and “Energetic Bear” by cyber-researchers who have tracked it for years.
According to the indictment, the three used spearphishing attacks that targeted more than 3,300 users at more than 500 U.S. and international companies. They also targeted U.S. government agencies such as the Nuclear Regulatory Commission.
A separate indictment targeted a programmer who worked for an institute under the Russian Defense Ministry. That man, Yevgeny Gladkikh, allegedly used a type of highly powerful malware known as Triton to hack a petrochemical plant in 2017.
The indictment does not identify the plant, but the details in the indictment suggest the facility was in Saudi Arabia.
Researchers who have studied Russia’s hacking community have warned that Russian intelligence agencies routinely seek to hire, or coerce, capable private-sector hackers into working for the state. In another case, the FSB’s cyberunit hired a former hacker and made him an officer.
The FSB’s Center 16 gained publicity in 2019 when a hacker group purportedly breached a Moscow research institute and said it found files showing that the institute had been hired by Center 16 to work on a project to “de-anonymize” the Tor browser.
Tor is an Internet privacy tool, originally funded by the U.S. government, that bounces Internet users’ traffic through “relays” around the world, making it extremely hard for anyone to identify the source of the information or users’ locations.