A 2021 indictment that was unsealed this week against a Russian national for allegedly attacking an oil refinery in Saudi Arabia in 2017 has provided a glimpse into the methodical – and sometimes chilling – rigor that state-backed actors can put into breaching target networks and systems.
Details contained in the indictment also showed how actors can leverage their access on an organization’s IT network to make their way into OT networks and business-critical industrial control system environments.
The US government on Thursday unveiled a three-count indictment charging Russian national Evgeny Viktorovich Gladkikh and unnamed co-conspirators for their role in a 2017 attack that twice triggered emergency shutdowns of an oil refinery in Saudi Arabia. Gladkikh and his partners are accused of attempting to cause physical damage to the energy facility and of intentionally damaging systems controlling critical safety equipment at the site. The indictment was one of two the US government unsealed this week. The second involved three Russian Federal Security Service officers who were allegedly behind a long-running series of cyberattacks against organizations in the energy sector.
Gladkikh’s attacks garnered considerable attention when they happened because they involved the use of malware – which some have dubbed Triton and others Trisis – specifically designed to cause catastrophic damage to an industrial plant. The malware targeted specific models of a safety instrumentation system (SIS) called Triconex from Schneider Electric that the plant was using at the time to monitor systems responsible for tasks like burn management and sulfur recovery. A malfunction of those systems could have resulted in explosions and the release of toxic gases at the facility.
Details in the indictment show that Gladkikh and his partners – using resources from an outfit associated with Russia’s Ministry of Defense – systematically targeted systems at the oil refinery to try to plant Triton on the facility’s Triconex systems. The four-month campaign began in May 2017 when Gladkikh gained initial access to the energy company’s IT network. The indictment did not provide details on how he might have gained that initial foothold.
He, along with partners, then went about systematically gathering technical log files on the Triconex systems while also trying to disable cybersecurity controls that were designed to prevent unauthorized access to the systems.
As part of his effort to familiarize himself with the Triconex environment, Gladkikh accessed historical log data on the systems stored in the refinery’s data historian servers. These are systems connected to an organization’s control system environment that collect, store, and log data from it. He then used the historian server – and stolen credentials – as a gateway to remotely access an engineering workstation that was part of the refinery’s distributed control system environment, which typically serves as a bridge between an organization’s IT and OT environments.
In this case, the workstation that Gladkikh and his partners broke into was connected to the Saudi energy company’s Triconex safety instrumentation systems.
Extensive Reconnaissance
He then proceeded to install a backdoor on the workstation to ensure continued access to it, and once again methodically went about trying to understand the protocols that the system used to communicate with the connected Triconex systems. In the process, Gladkikh and his accomplices discovered that some Triconex systems were configured in such a way that they required a physical key to be turned to a “program” mode before new code could be introduced to the devices. But some systems – it’s unclear how many – were running in program mode.
Gladkikh found one of those devices – connected to systems handling tasks like sulfur recovery and burn management – and proceeded to install an early version of Triton on it. But safety controls in the SIS quickly caught the malicious code and in minutes initiated an emergency shutdown of the oil refinery.
Several weeks later, Gladkikh and his conspirators installed credential-harvesting malware on the historian server and later installed an updated version of Triton on another Triconex SIS that was also set to run in program mode. This time the malware was designed and customized to run on the specific model of Triconex devices, and in a matter of hours it had copied itself to other Triconex devices. But as happened the first time, a Triconex safety feature spotted something amiss and triggered a second emergency shutdown of the refinery.
In a somewhat chilling demonstration of attacker persistence, Gladkikh got back on the energy company’s IT network several weeks later and this time broke into a file server containing business records. The goal was to find information on how the refinery had responded to the emergency shutdown, presumably so he could use that information to make recovery harder next time.
The US indictment alleged that while Gladkikh’s malware triggered emergency shutdowns, his real goal was to cause extensive damage to the facility. The indictment alleged that the Russian operative and his partners had obtained the knowledge to disable or disturb the Saudi plant’s safety shutdown procedures in such a way as to cause catastrophic plant failure.
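The path the indictment describes (IT network, to historian server, to engineering workstation, to Triconex controllers left in program mode) can be audited from an asset inventory and remote-logon records. The Python below is an added example, not part of the indictment or of the original article; the host names, zones, record fields, and key-switch labels are constructed assumptions.

```python
from collections import deque

# Constructed inventory and logon records; every name and field is an assumption.
ASSETS = {
    "corp-ws22": {"role": "workstation", "zone": "it"},
    "hist01": {"role": "historian", "zone": "dmz"},
    "ews07": {"role": "engineering_workstation", "zone": "dcs"},
    "ews09": {"role": "engineering_workstation", "zone": "dcs"},
}
SIS_CONTROLLERS = [  # key-switch position and the workstation that can program it
    {"name": "sis-sru-1", "keyswitch": "PROGRAM", "ews": "ews07"},
    {"name": "sis-bms-1", "keyswitch": "RUN", "ews": "ews07"},
    {"name": "sis-bms-2", "keyswitch": "PROGRAM", "ews": "ews09"},
]
REMOTE_LOGONS = [  # (source host, destination host, account)
    ("corp-ws22", "hist01", "svc_historian"),
    ("hist01", "ews07", "eng_admin"),
]

def reachable_from_it(assets, logons):
    """Hosts an IT-zone foothold reaches by chaining observed remote logons."""
    edges = {}
    for src, dst, _account in logons:
        edges.setdefault(src, set()).add(dst)
    seen = {host for host, a in assets.items() if a["zone"] == "it"}
    queue = deque(seen)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def historian_to_ews_logons(assets, logons):
    """Logons whose source is a historian and whose target is an engineering workstation."""
    return [l for l in logons
            if assets.get(l[0], {}).get("role") == "historian"
            and assets.get(l[1], {}).get("role") == "engineering_workstation"]

def classify_sis(assets, logons, controllers):
    """'exposed': PROGRAM mode behind a reached workstation; 'latent': PROGRAM only."""
    reached = reachable_from_it(assets, logons)
    return {c["name"]: ("locked" if c["keyswitch"] != "PROGRAM"
                        else "exposed" if c["ews"] in reached else "latent")
            for c in controllers}

if __name__ == "__main__":
    print("historian->EWS logons:", historian_to_ews_logons(ASSETS, REMOTE_LOGONS))
    print(classify_sis(ASSETS, REMOTE_LOGONS, SIS_CONTROLLERS))
```

A controller reported as latent is not behind a reached workstation yet, but it would accept new code as soon as one is, so it belongs on the same remediation list.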