The U.S. Department of Justice has announced charges against four Russian government employees for a years-long hacking campaign targeting critical infrastructure, including a U.S. nuclear power operator and a Saudi petrochemical facility.

The first indictment, from June 2021, charges Evgeny Viktorovich Gladkikh, 36, a computer programmer at the Russian Ministry of Defense, and two co-conspirators, of planning to hack industrial control systems — the critical devices that keep industrial facilities operational — at global energy facilities. Gladkikh is believed to be behind the infamous Triton malware, which was used to target a petrochemical plant in Saudi Arabia in 2017. Hackers used the malware in an attempt to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Triton was first linked to Russia in October 2018.

Following their failed plot to blow up the Saudi plant, the hackers attempted to hack the computers of a company that managed similar critical infrastructure entities in the U.S, according to the DOJ.

The second indictment, filed in August 2021, charges Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov, all allegedly members of Military Unit 71330 of Russia's Federal Security Bureau (FSB), with a number of attacks targeting the energy sector between 2012 and 2017. The hackers, better known to security researchers as "DragonFly," "Energetic Bear" and "Crouching Yeti," attempted to gain access to computer networks of companies in the international energy sector, including oil and gas firms, nuclear power plants and utility and power transmission companies, the DOJ said.

In the first stage of their attacks, which took place between 2012 and 2014, the threat actors compromised the networks of industrial control device makers and software providers, then hid Havex malware inside software updates. This, along with spearphishing and watering hole attacks — a form of attack that targets users by infecting websites that they commonly visit — enabled the attackers to install malware on more than 17,000 unique devices in the United States and abroad.