The United States on Friday imposed economic sanctions on a Russian government research body responsible for a potentially fatal cyberattack on a Saudi petrochemical facility in 2017.
The sanctions did not name the target, but their description of the attack matched a hack that year of Petro Rabigh, the Saudi oil giant, which shut down safety systems designed to prevent an explosion. The attackers might have succeeded had an error in their code not inadvertently shut down the plant.
Private cybersecurity researchers have called the group behind the attacks “the most dangerous threat activity known publicly.”
According to the sanctions, the Russian state research center, the Russian Institute of Chemistry and Mechanics, built the custom tools used in a series of 2017 attacks on oil facilities in the Middle East, as well as in attempts to hack at least 20 electrical installations in the United States. The tools, officials said, had the “ability to cause significant physical damage and loss of life.”
The Russian Embassy did not immediately respond to a request for comment.
The first attack on Petro Rabigh, in August 2017, compromised industrial controllers made by Schneider Electric, which keep equipment operating safely by regulating voltage, pressure and temperature. Russian hackers used their access to shut off the safety locks on these controllers, leading investigators to believe the attack was most likely intended to cause an explosion that would have killed people.
The episode sparked an investigation by the National Security Agency, the FBI, the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, as well as investigators from Schneider, the Mandiant security team of the security company FireEye, and Dragos, a security company specializing in industrial control security.
“It’s very important to explicitly speak out against attacks on industrial control systems,” said Nathan Brubaker, senior analyst at Mandiant, who first connected the attacks to the Russian research lab in 2018. “The more you let this activity go, the better it becomes, which is really dangerous when you talk about systems that are at the heart of human life.”
Schneider controllers are used in more than 18,000 factories around the world, including nuclear and water treatment facilities, oil and gas refineries and chemical plants.
“These systems provide for the safe emergency shutdown of industrial processes in critical infrastructure to protect human life,” Treasury Department officials said in their statement announcing the sanctions on Friday.
After the cyberattack on Petro Rabigh, private investigators caught the same group targeting energy companies in northern Europe and digitally scouting more than a dozen electric utilities in the United States, looking for ways to access their systems.
“They are not only sophisticated, but they are the only actor who has tried to cross the line by killing people,” said Robert M. Lee, Managing Director of Dragos. “Not only did they demonstrate their ability but also their intention to hurt people, which no other actor had done.”
The sanctions came days after the Justice Department unsealed charges against six Russian military intelligence officers accused of aggressive cyberattacks on the 2017 French elections, the 2018 Winter Olympics and power grids in Ukraine, as well as another 2017 attack that hit companies including Merck, Mondelez, FedEx and Pfizer and caused billions of dollars in damage.
On Thursday, the FBI and the Cybersecurity and Infrastructure Security Agency accused the same Russian hackers who made forays into the U.S. electricity grid of hacking into state and local systems, including some election support systems.
Federal prosecutors have publicly downplayed the timing of the indictments and sanctions, but some officials have said privately that they intend to send a clear message that U.S. officials are closely monitoring Russia’s information warfare apparatus ahead of the November 3 presidential election, whether it is attempting to hack election systems, amplify American political divisions, or get inside the heads of voters.
The sanctions did not name the Russian hackers behind the attacks. As a result of Friday’s actions, the government-connected Russian research center and people linked to it will have any assets or property they hold in the United States frozen.
The sanctions also expose anyone who does business or does research with the center to similar sanctions. “No one at the international level is going to touch them now,” Mr. Lee said.