South Africa has emerged as one of about 135 countries the US claims Russian government employees targeted as part of two massive hacking campaigns aimed at disrupting energy companies and critical infrastructure.

The alleged aim was to “undertake a sophisticated campaign to target and compromise (i.e. ‘hack’), and maintain persistent access to the networks of critical infrastructure and energy companies worldwide”.

According to the US’s Federal Bureau of Investigation (FBI), this access would enable “the Russian government to disrupt and damage such systems, if it wished”.

South Africa’s state-owned electricity utility, Eskom, this week, in response to DM168 questions on whether Russian hackers targeted it, did not refer to Russia, but said: “Eskom, like every other organisation, combat[s] regular attempted attacks.

“We are aware that, daily, cybercriminals are actively targeting various sectors, including ours. We have an information and cybersecurity team and tools that assist us with combatting attempted attacks and for security reasons will not share the details of these.”

The Mineral Resources and Energy ministry, as well as PetroSA, did not respond to DM168 queries by the time of publication. Neither did the Russian embassy in South Africa.

Details of Russia’s alleged energy sector cyberattacks are surfacing as South Africa has taken a rather neutral stance on the Russian invasion of Ukraine. In early March, President Cyril Ramaphosa said it was hoped that negotiations would bring about peace.

In a previous statement that focused on 30 years of diplomatic ties with South Africa, stretching back to 1992, the Russian embassy had glowing words.

It said: “Our countries have been walking together on the path of mutual understanding, respect and friendship… With the rich history of bilateral ties that we already have, we are ready to expand this legacy further, and explore new ways and areas of cooperation for the benefit of our nations.”

This week, amaBhungane also reported that Gazprombank, owned by Russia’s state-owned gas supplier, was considering a bid for what could be a multibillion-rand contract relating to “a gas aggregator to help secure liquified natural gas (LNG) for various gas-to-power projects planned for the Coega special economic zone in the Eastern Cape”.

Should Gazprombank be awarded the contract, amaBhungane reported, this “would raise questions on whether South Africa’s stance on Ukraine is being influenced by its thirst for gas”.

In the hacking saga, among the many other claimed targets were a US government agency responsible for nuclear power plants and a Saudi Arabian petrochemical plant. The hackers behind the attack on the petrochemical plant are accused of using malware aimed at industrial safety systems, making their acts exceptionally dangerous.

Details of the scope and scale of the alleged worldwide energy sector hack are contained in two indictments – one against an individual from Russia and the second against three others – unsealed in the US on 24 March. The US has offered a reward of up to $10-million for information on the whereabouts of each of the four accused.

These individuals are also wanted by the FBI and are listed as international flight risks.

The FBI has linked three of the four accused – Pavel Aleksandrovich Akulov, Mihkail Mikhailovich Gavrilov and Marat Valeryevich Tyukov – to operations targeting countries including South Africa.

SA among targeted countries

The indictment against the trio provides exceptionally detailed information about just how far-reaching their alleged activities are.

“Hundreds of foreign victims and targets of the conspiracy were based in more than 135 countries, including Albania, Australia, Belgium, Brazil, Canada, China, Croatia, Denmark, Finland, France, Germany, Hungary, India, Ireland, Italy, the Netherlands, New Zealand, Norway, Pakistan, Singapore, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland and the United Kingdom,” the indictment said.

“This group included global oil and gas firms, utility and electrical grid companies, nuclear power plants, renewable energy companies, consulting and engineering groups, and advanced technology firms.”

The indictment did not name any South African entities or detail what happened to these – whether they were successfully targeted. These broad hacking activities allegedly occurred from July 2012 to November 2017.

South Africa has a history with Russia in the energy sector. In early 2017, the Western Cape High Court ruled that a nuclear procurement process involving Russia was unlawful and unconstitutional. This procurement process became a key marker of former president Jacob Zuma’s presidency. Later that year, in September 2017, Daily Maverick reported on a deal between PetroSA and Rosgeo involving a partnership that would see the Russian company invest about $400-million (R5.8-billion) to develop oil and gas blocks off the Cape coast.

However, based on what the US has now revealed, it seems that while these deals were waxing and waning, Russia was allegedly involved in trying to hack aspects of the energy sector around the world, including in South Africa.

In July last year, the same month as an attempted insurrection in South Africa saw deadly riots flare up mainly in KwaZulu-Natal after the jailing of Jacob Zuma, cybercriminals targeted Transnet and Transnet Port Terminals.

It was reported the attack could have been carried out by eastern European or Russian criminals. However, no cyberattacks in South Africa have outright or officially been attributed to Russia.

The recently unsealed indictment against Akulov, Gavrilov and Tyukov said they worked in a unit concealed within another unit beneath an overall unit.

According to the indictment, Russia operated an intelligence and law enforcement agency called the Federal Security Service that was headquartered in Moscow.

The Federal Security Service consisted of several units, including one called Military Unit 771330, known within the service’s circles as Center 16.

According to the US, Akulov, Gavrilov and Tyukov were members of “a discreet operation unit” working within Center 16.

Eight things you need to know about US’s claims of Russian cyberattack on SA

‘Crouching Yeti’s’ two-phase attack

Cybersecurity researchers know the discreet unit by various names, including “Dragonfly”, “Berzerk Bear”, “Energetic Bear” and “Crouching Yeti”.

The alleged campaign was carried out in two phases.

A common focus for both phases was software and hardware controlling equipment in power generation facilities, known as Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (Scada) systems.

Phase one of the alleged operation was known as “Dragonfly” or “Havex” and was carried out between 2012 and 2014. It involved the accused compromising networks of ICS/Scada manufacturers and software providers, then hiding malware inside legitimate software updates for such systems. When downloaded by unsuspecting clients, malicious software compromised their ICS/Scada systems. “The [accused],” the US alleged, “installed malware on more than 17,000 unique devices in the United States and elsewhere, including ICS/Scada controllers used by power and energy companies.”

Phase two, known as “Dragonfly 2.0”, was more targeted and was carried out between 2014 and 2017. It focused on individuals and engineers who worked with ICS/Scada systems. This phase allegedly targeted “more than 3,300 users at more than 500 US and international companies and entities”. Servers that hosted websites visited by engineers in the energy sector were also compromised.

The indictment against Akulov, Gavrilov and Tyukov said: “[Their] goals remained the same: to establish and maintain surreptitious, unauthorised access to networks, computers, and devices of companies and other entities in the energy sector, including power generation facilities, in the United States and elsewhere.

“Such accesses enabled the Russian government to disrupt and damage such systems, if it wished.”

Aside from hundreds of big US and international energy sector companies, the US believed “small commercial companies working with the energy sector, including companies that provide software and hardware used to control ICS/Scada systems”, were targeted.

Among the targets was the US’s Nuclear Regulatory Commission, a government agency “responsible for regulating entities that use nuclear materials, including nuclear power plants”, as well as the Wolf Creek Nuclear Operating Corporation, a company in Kansas operating the Wolf Creek Generating station, a nuclear power plant.

‘Potentially catastrophic’ hacking plans

A second indictment unsealed in the US about a week ago was against Evgeny Viktorovich Gladkikh, also from Russia and now also wanted by the FBI.

This indictment did not mention South Africa.

According to the US, Gladkikh worked as a computer programmer for an institute affiliated with Russia’s defence ministry.

It was alleged that around May and September 2017, Gladkikh and others “gained unauthorised access to the systems of a refinery outside of the United States using techniques and tools designed to enable an attacker to cause effects including physical damage, with potentially catastrophic effects, rather than merely causing a plant shutdown”.

“They triggered an emergency shutdown of that facility’s operations.”

The US alleged Gladkikh was linked to Triton malware, widely reported to have been used to target a petrochemical plant in Saudi Arabia in 2017.

In October 2020, the US sanctioned the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as TsNIIKhM) over Triton malware.

“The Triton malware … was designed specifically to target and manipulate industrial safety systems,” the US’s Treasury said at the time.

“Such systems provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life. The cyber actors behind the Triton malware have been referred to by the private cybersecurity industry as ‘the most dangerous threat activity publicly known’.”

In apparent reference to the Saudi Arabia attack, the US’s Treasury said researchers who investigated it found Triton “was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life”.

In a statement last week, Duston Slinkard, the US attorney for the Kansas district, said: “The potential of cyberattacks to disrupt, if not paralyse, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today’s world.”

The US’s Cybersecurity and Infrastructure Security Agency has detailed broader Russian cybersecurity threats.

“The Russian government engages in malicious cyberactivities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” its website said.

In November last year, DM168 reported how cyberattacks on government entities had shown how vulnerable South Africa is to cybercriminals and ransomware assaults. A few months earlier, in September, the Department of Justice and Constitutional Development became the victim of an attack. DM168

This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Woolworths, Spar, Checkers, Exclusive Books and airport bookstores. For your nearest stockist, please click here.