Security News in Brief: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide

Source: United States Department of Justice News

Defendants’ Separate Campaigns Both Targeted Software and Hardware for Operational Technology Systems

The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.

A June 2021 indictment returned in the District of Columbia, United States v. Evgeny Viktorovich Gladkikh, concerns the alleged efforts of an employee of a Russian Ministry of Defense research institute and his co-conspirators to damage critical infrastructure outside the United States, thereby causing two separate emergency shutdowns at a foreign targeted facility. The conspiracy subsequently attempted to hack the computers of a U.S. company that managed similar critical infrastructure entities in the United States.

An August 2021 indictment returned in the District of Kansas, United States v. Pavel Aleksandrovich Akulov, et al., details allegations about a separate, two-phased campaign undertaken by three officers of Russia’s Federal Security Service (FSB) and their co-conspirators to target and compromise the computers of hundreds of entities related to the energy sector worldwide. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.” 

“The FBI, along with our federal and international partners, is laser-focused on countering the significant cyber threat Russia poses to our critical infrastructure,” said FBI Deputy Director Paul Abbate. “We will continue to identify and quickly direct response assets to victims of Russian cyber activity; to arm our partners with the information that they need to deploy their own tools against the adversary; and to attribute the misconduct and impose consequences both seen and unseen.”

“We face no greater cyber threat than actors seeking to compromise critical infrastructure, offenses which could harm those working at affected plants as well as the citizens who depend on them,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “The department and my office will ensure that those attacking operational technology will be identified and prosecuted.”

“The potential of cyberattacks to disrupt, if not paralyze, the delivery of critical energy services to hospitals, homes, businesses and other locations essential to sustaining our communities is a reality in today’s world,” said U.S. Attorney Duston Slinkard for the District of Kansas. “We must acknowledge there are individuals actively seeking to wreak havoc on our nation’s vital infrastructure system, and we must remain vigilant in our effort to thwart such attacks. The Department of Justice is committed to the pursuit and prosecution of accused hackers as part of its mission to protect the safety and security of our nation.”

In addition to unsealing these charges, the U.S. government is taking action to enhance private sector network defense efforts and disrupt similar malicious activity.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already released numerous Technical Alerts, ICS Alerts and Malware Analysis Reports regarding Russia’s malign cyber activities, including the campaigns discussed in the indictments. These are located at: https://www.cisa.gov/shields-up

  1. United States v. Evgeny Viktorovich Gladkikh – defendant installed backdoors and launched malware designed to compromise the safety of energy facilities

In June 2021, a federal grand jury in the District of Columbia returned an indictment charging Evgeny Viktorovich Gladkikh (Евгений Викторович Гладких), 36, a computer programmer employed by an institute affiliated with the Russian Ministry of Defense, for his role in a campaign to hack industrial control systems (ICS) and operational technology (OT) of global energy facilities using techniques designed to enable future physical damage with potentially catastrophic effects.

According to the indictment, between May and September 2017, the defendant and co-conspirators hacked the systems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton” or “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation. The conspirators designed the Triton malware to prevent the refinery’s safety systems from functioning (i.e., by causing the ICS to operate in an unsafe manner while appearing to be operating normally), granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm. However, when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations. Between February and July 2018, the conspirators researched similar refineries in the United States, which were owned by a U.S. company, and unsuccessfully attempted to hack the U.S. company’s computer systems.

The three-count indictment alleges that Gladkikh was an employee of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics’ (Государственный научный центр Российской Федерации федеральное государственное унитарное предприятие Центральный научно-исследовательский институт химии и механики, hereinafter “TsNIIKhM”) Applied Developments Center (“Центр прикладных разработок,” hereinafter “ADC”). On its website, which was modified after the Triton attack became public, TsNIIKhM described itself as the Russian Ministry of Defense’s leading research organization. The ADC, in turn, publicly asserted that it engaged in research concerning information technology-related threats to critical infrastructure (i.e., that its research was defensive in nature).

The defendant is charged with one count of conspiracy to cause damage to an energy facility, which carries a maximum sentence of 20 years in prison, one count of attempt to cause damage to an energy facility, which carries a maximum sentence of 20 years in prison, and one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison.

Assistant U.S. Attorneys Christopher B. Brown and Luke Jones for the District of Columbia, in partnership with the National Security Division’s Counterintelligence and Export Control Section, are prosecuting this case. The FBI’s Washington Field Office conducted the investigation.

The U.S.-based targets of the conspiracy cooperated and provided valuable assistance in the investigation. The Department of Justice and the FBI also expressed appreciation to Schneider Electric for its assistance in the investigation, particularly noting the company’s public outreach and education efforts following the overseas Triton attack.

  2. United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov – defendants undertook years-long effort to target and compromise computer systems of energy sector companies

On Aug. 26, 2021, a federal grand jury in Kansas City, Kansas, returned an indictment charging three computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Military Unit 71330 or “Center 16” of the FSB, with violating U.S. laws related to computer fraud and abuse, wire fraud, aggravated identity theft and causing damage to the property of an energy facility.

The FSB hackers, Pavel Aleksandrovich Akulov (Павел Александрович Акулов), 36, Mikhail Mikhailovich Gavrilov (Михаил Михайлович Гаврилов), 42, and Marat Valeryevich Tyukov (Марат Валерьевич Тюков), 39, were members of a Center 16 operational unit known among cybersecurity researchers as “Dragonfly,” “Berserk Bear,” “Energetic Bear,” and “Crouching Yeti.” The indictment alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply chain attacks, in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies. Specifically, the conspirators targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems. Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing.

According to the indictment, the energy sector campaign involved two phases. In the first phase, which took place between 2012 and 2014 and is commonly referred to by cyber security researchers as “Dragonfly” or “Havex,” the conspirators engaged in a supply chain attack, compromising the computer networks of ICS/SCADA system manufacturers and software providers and then hiding malware – known publicly as “Havex” – inside legitimate software updates for such systems. After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices. Through these and other efforts, including spearphishing and “watering hole” attacks, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

In the second phase, which took place between 2014 and 2017 and is commonly referred to as “Dragonfly 2.0,” the conspirators transitioned to more targeted compromises that focused on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. As alleged in the indictment, the conspirators’ tactics included spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission. In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.

During the Dragonfly 2.0 phase, the conspirators also undertook a watering hole attack by compromising servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers through publicly known vulnerabilities in content management software. When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers.

The conspiracy’s hacking campaign targeted victims in the United States and in more than 135 other countries.

Akulov, Gavrilov and Tyukov are charged with conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers. These offenses carry maximum sentences ranging from five to 20 years in prison. Finally, Akulov and Gavrilov are also charged with three counts of aggravated identity theft, each of which carries a minimum sentence of two years consecutive to any other sentence imposed.

Assistant U.S. Attorneys Scott Rask, Christopher Oakley and Ryan Huschka for the District of Kansas, and Counsel for Cyber Investigations Ali Ahmad and Trial Attorney Christine Bonomo of the National Security Division’s Counterintelligence and Export Control Section are prosecuting this case. The FBI’s Portland and Richmond field offices conducted the investigation, with the assistance of the FBI’s Cyber Division.

Numerous victims, including Wolf Creek and its owners Evergy and the Kansas Electric Power Cooperative, cooperated and provided invaluable assistance in the investigation.

An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Security News in Brief: Real Estate Consultant Pleads Guilty to Filing False Tax Return

Source: United States Department of Justice News

The district court accepted a Michigan man’s guilty plea today to filing a false individual income tax return with the IRS.

According to court documents, Steven A. Mills, formerly of East Lansing, was a real estate consultant who managed Mills Real Estate Consulting LLC. From 2012 to 2015, Mills Real Estate Consulting LLC received payments from third parties with whom Mills was conducting real estate transactions. Mills reported on his federal income tax returns only a portion of the payments he received. For example, on his 2014 federal income tax return, Mills did not report to the IRS approximately $356,100 in such payments made to Mills Real Estate Consulting LLC.

Mills is scheduled to be sentenced on June 14 and faces up to three years in prison for filing a false tax return. He also faces a period of supervised release, restitution and monetary penalties. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Acting Deputy Assistant Attorney General Stuart M. Goldberg of the Justice Department’s Tax Division and U.S. Attorney Andrew B. Birge for the Western District of Michigan made the announcement.

IRS-Criminal Investigation is investigating the case.

Trial Attorneys Kenneth Vert and Jeffrey McLellan of the Tax Division and Assistant U.S. Attorney Ron Stella for the Western District of Michigan are prosecuting the case.

Security News in Brief: Physician Sentenced to Prison for Health Care Fraud Scheme

Source: United States Department of Justice Criminal Division

A Florida physician was sentenced today in the Southern District of Florida to two years in prison for a health care and wire fraud scheme involving the submission of false and fraudulent claims to both Medicare and a financial services company that offered consumer loans to patients for out-of-pocket medical expenses.

According to court filings and evidence presented during court proceedings, Mark Alan Zager, 72, of Miami, conspired with Dennis Nobbe, a now-deceased chiropractor and owner of Dynamic Medical Services, located in Hialeah, Florida, to defraud Medicare, individual patients, and a financial services company. Zager opened a merchant account in his own name and allowed Nobbe to use the account in exchange for paying kickbacks and bribes to Zager. Through the account, Nobbe routinely applied for loans on patients’ behalf, purportedly for services that would be rendered months in the future but were not provided.

According to court filings and evidence presented during court proceedings, from November 2019 through July 2020, Zager and Nobbe submitted more than $193,000 in false and fraudulent loan applications to a financial services company, resulting in that company paying out approximately $165,000. Additionally, Zager allowed Nobbe to submit claims to Medicare through Zager’s National Provider Number in exchange for kickbacks and bribes. Between December 2019 and July 2020, Zager and Nobbe submitted approximately $19,000 in false and fraudulent claims to Medicare. 

Zager pleaded guilty on June 1, 2021 to one count of conspiracy to commit wire fraud and one count of health care fraud. Nobbe was charged with several federal crimes by criminal complaint on July 23, 2020, but he passed away on September 14, 2020, after which the complaint was dismissed, and he accordingly remains presumed innocent.

Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division; Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division; Special Agent in Charge George L. Piro of the FBI’s Miami Field Office; and Special Agent in Charge Omar Pérez Aybar of the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) made the announcement.

The FBI’s Miami Field Office and HHS-OIG investigated the case. 

Trial Attorney Patrick J. Queenan of the Criminal Division’s Fraud Section prosecuted the case. Assistant U.S. Attorney Sara Michele Klco for the Southern District of Florida is handling the asset forfeiture aspects of this matter. The case was previously handled by Trial Attorney Sara M. Clingan of the Fraud Section.

The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, comprised of 15 strike forces operating in 24 federal districts, has charged more than 4,200 defendants who collectively have billed the Medicare program for more than $19 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with the Office of the Inspector General for the Department of Health and Human Services, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at https://www.justice.gov/criminal-fraud/health-care-fraud-unit.  

Security News in Brief: Justice Department Files Voting Rights Lawsuit Against Galveston County, Texas to Challenge County Redistricting Plan

Source: United States Department of Justice News

The Justice Department announced today that it has filed a lawsuit under Section 2 of the Voting Rights Act against Galveston County, Texas, challenging the redistricting plan for its county governing body, known as the Commissioners Court. The plan was adopted by the county on Nov. 12, 2021, after release of the data from the 2020 Census. The complaint was filed in the U.S. District Court for the Southern District of Texas.

“This action is the latest demonstration of the Justice Department’s commitment to protecting the voting rights of all Americans, particularly during the current redistricting cycle,” said Assistant Attorney General Kristen Clarke for the Justice Department’s Civil Rights Division. “Our complaint alleges that Galveston County has violated Section 2 of the Voting Rights Act by devising a redistricting plan that dismantles the only district in which Black and Hispanic voters had the opportunity to elect a candidate of choice to the county’s governing body. We will continue to use all available tools to challenge voting discrimination in our country.”

“The U.S. Attorney’s Office for the Southern District of Texas is committed to protecting the voting rights of all of our citizens,” said U.S. Attorney Jennifer B. Lowery for the Southern District of Texas. “We are pleased to join the Civil Rights Division in bringing this important lawsuit under the Voting Rights Act.”

The United States’ complaint contends that the 2021 redistricting plan for the county’s governing body violates Section 2 because it has the discriminatory result of denying Black and Hispanic citizens an equal opportunity to participate in the political process and because the new map was adopted, in part with a discriminatory purpose. The complaint alleges that the county deliberately reconfigured the Commissioners Court’s sole, longstanding minority opportunity-to-elect district to eliminate Black and Hispanic voters’ opportunity to elect a representative of their choice. The complaint also alleges that over the course of the past three decades, Galveston County has on several occasions sought to diminish or eliminate electoral opportunities for the county’s Black and Hispanic voters. 

The United States’ complaint asks the court to prohibit Galveston County from conducting elections under the challenged plan and to order Galveston County to devise and implement a new redistricting plan that complies with Section 2 of the Voting Rights Act. 

More information about the Voting Rights Act and other federal voting laws is available on the Department of Justice’s website at https://www.justice.gov/crt/voting-section.

Complaints about discriminatory voting practices may be reported to the Civil Rights Division through the internet reporting portal at https://civilrights.justice.gov or by telephone at 1-800-253-3931.


Security News in Brief: Two Promoters of a Nationwide Tax Scheme Sentenced to Prison

Source: United States Department of Justice News

Two men were sentenced to prison yesterday for conspiring to defraud the United States by promoting a nationwide tax fraud scheme to more than 200 participants in at least 19 states.

Iran V. Backstrom, aka Shariyf Noble, of Milledgeville, Georgia, was sentenced to 105 months in prison. His second-in-command, Mehef Bey, aka Arthur Daniels, of Charlotte, North Carolina, was sentenced to 11 years in prison.

According to court documents and statements made in court, Backstrom was the main promoter of the scheme and Bey was one of his co-conspirators. Their scheme involved recruiting clients and preparing false tax returns on the clients’ behalf by convincing them their mortgages and other debts entitled them to tax refunds. Between 2014 and 2016, Backstrom and Bey held seminars across the country to publicize the scheme. As part of the scheme, Backstrom, Bey and their co-conspirators helped prepare and file tax returns for the participants that sought more than $64 million in refunds from the IRS. These tax returns falsely claimed that banks and other financial institutions had withheld large amounts of income tax from the participants, thereby entitling the clients to a refund. In reality, the financial institutions had not paid any income to, or withheld any taxes from, these individuals. To make the refund claims appear legitimate, however, Backstrom, Bey and their co-conspirators filed fraudulent tax documents with the IRS that matched the withholding information listed on the tax returns, making them appear as if they had been issued by the banks.

As part of his plea, Backstrom admitted he gave orders to others as part of the scheme. Backstrom and Bey both admitted they and their co-conspirators concealed their roles in the scheme by, among other things, indicating the false tax returns had been “self-prepared,” submitting false IRS forms designed to appear as if they were created by the participants’ financial institutions, and coaching the participants on how to conceal the scheme from the IRS. Backstrom and Bey further admitted they and their co-conspirators charged participants approximately $10,000 to $15,000 in fees for the preparation of each tax return.

Two of Backstrom and Bey’s co-conspirators, Aaron Aqueron and Yomarie Febres, have also pleaded guilty and will be sentenced at a later date. 

“Backstrom and Bey marketed a tax refund scheme throughout the country, costing the government millions of dollars,” said Acting Deputy Assistant Attorney General Stuart M. Goldberg of the Justice Department’s Tax Division. “They have now received substantial sentences for their criminal conduct. Others contemplating promoting similar schemes should recognize that they too will be identified and face significant time in prison.”

“Tax fraud is a serious crime,” stated U.S. Attorney Roger Handberg for the Middle District of Florida. “The defendants in this case employed a complex scheme to defraud the IRS out of millions of dollars. We encourage consumers to be vigilant in selecting legitimate tax preparers as we continue to work with our law enforcement partners to prosecute those who willfully violate our nation’s tax laws.”

“With tax season in full swing, the significant sentencings of the defendants are a timely reminder of the consequences awaiting those who file fraudulent returns,” said Special Agent in Charge Brian Payne of IRS-Criminal Investigation. “Dishonest return preparers use a variety of methods to cheat the government. If it seems too good to be true, it is very likely too good to be true. Remember, it is your responsibility to know what is on your income tax return. Taxpayers are encouraged to visit the IRS.gov website for tips on selecting a reputable return preparer.”

In addition to the term of imprisonment, the district judge also ordered both defendants to serve three years of supervised release and pay approximately $26,350,630 in restitution to the United States.

Acting Deputy Assistant Attorney General Goldberg and U.S. Attorney Handberg made the announcement.

IRS-Criminal Investigation is investigating the case.

Trial Attorneys Melissa S. Siskind, Kavitha Bondada and Isaiah Boyd III of the Tax Division, and Assistant U.S. Attorney Chauncey A. Bratt for the Middle District of Florida, are prosecuting the case.