The next month, prosecutors say, Gladkikh began searching for job postings that might reveal which industrial control system software was used at a specific US company that owned multiple refineries named in those government reports. From March until July of 2018, Gladkikh then allegedly targeted that company’s network with attempted SQL injection attacks, a technique that exploits vulnerabilities in a web interface to try to gain access to underlying databases, as well as repeatedly scanning the company’s systems for other vulnerabilities. None of those intrusion attempts ever succeeded, the indictment suggests.

As limited as those details may be, the indictment against Gladkikh represents the most concrete claims yet that the hackers behind Triton triedand failedto inflict disruption on US systems. But it isn’t the first time they’ve been revealed to be probing American systems. In 2019, cybersecurity firm Dragos found that the Triton hackerswhich Dragos calls “Xenotime”had scanned the networks of at least 20 different US electric system targets, including every element of the US grid from power generation plants, transmission stations, and distribution stations, though the company never released evidence of more than surface-level attempts at intrusion against those US energy firms. “The whole Xenotime operation is bigger than what the Justice Department dropped,” says Sergio Caltagirone, the vice president of threat intelligence at Dragos. “That’s just a slice of what has been going on.”

Aside from the Gladkikh indictment, the Justice Department’s charges against three FSB hackersPavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukovputs names for the first time to a decade-long series of intrusions targeting power grids and other critical infrastructure worldwide. The indictment confirms the FSB association of that group, most commonly known as Berserk Bear, which has been tied to breaches of those infrastructure targets stretching back to 2012, with victims ranging from the Wolf Creek nuclear energy facility to the San Francisco International Airport. Unlike the Triton hackers, however, that FSB-linked group has strangely never actually triggered disruptive effects in a confirmed case, even when it had fingers-on-the-switch access to US electric utilities.


On top of the two indictments, the Department of Energy, FBI, and CISA released advisories Thursday to US critical infrastructure firms, listing the techniques of both the TsNIIKhM-based hackers responsible for Triton and the FSB-linked group, along with recommended countermeasures. The FBI warns in its advisory that the potential effects of attacks by the Triton hackers, specifically, could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016incidents that were, in fact, caused by a different hacker group known as Sandworm, working in the service of Russia’s GRU military intelligence agency.

Both advisoriesand the unsealing of indictments against the two groupsfollow vague but foreboding White House warnings earlier this week that Russia has engaged in “preparatory activity” for cyberattacks on US critical infrastructure. The intention, argues Gigamon’s Slowik, isn’t merely to warn US network defenders to bolster their defenses but also to demonstrate to the Kremlin that the US government has been able to trackand identify the people responsible forits hacking activity, stretching back years. “The message is that the US government has good insight and visibility into Russian cyberoperations,” says Slowik. The message is hey, were tracking you, and tracking you quite thoroughly.

Additional reporting by Lily Hay Newman.