Skip to content

U.S. Issues Sanctions on Russian Center Involved in Potentially Deadly Cyberattacks

The United States on Friday imposed economic sanctions against a Russian government research organization that was responsible for a potentially deadly cyberattack on a Saudi petrochemical facility in 2017.

The sanctions did not name the target, but its description of the attack matched with a hacking that year of Petro Rabigh, the Saudi oil giant, that shut off the safety systems that are used to prevent an explosion. The attackers may have succeeded had a mistake in their code not inadvertently shut down the plant.

Private cybersecurity researchers have called the group that pulled off the attacks “the most dangerous threat activity publicly known.”

According to the sanctions, Russia’s State Research Center of the Russian Institute of Chemistry and Mechanics built the custom tools used in a spate of 2017 attacks on oil facilities in the Middle East as well as attempted hackings of at least 20 electric facilities in the United States. The tools, officials said, had the “capability to cause significant physical damage and loss of life.”

The Russian Embassy did not immediately respond to a request for comment.

The first attack on Petro Rabigh, in August 2017, compromised industrial controllers made by Schneider Electric, which keep equipment operating safely by regulating voltage, pressure and temperature. Russian hackers used their access to shut off the safety locks in those controllers, leading investigators to believe the attack was most likely intended to cause an explosion that would have killed people.

The episode prompted an investigation by the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, as well as investigators at Schneider, the security firm FireEye’s Mandiant security team and Dragos, a security firm that specializes in industrial control security.

“Explicitly calling out attacks on industrial control systems is very important,” said Nathan Brubaker, a senior analyst at Mandiant, which first connected the attacks to the Russian research lab in 2018. “The longer you let this activity go, the more OK it becomes, which is really dangerous when you are talking about systems that are core to human life.”

Schneider controllers are used in more than 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.

“Such systems provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life,” Treasury Department officials said in their statement on Friday announcing the sanctions.

After the cyberattack on Petro Rabigh, private investigators caught the same group targeting energy companies in Northern Europe and conducting digital drive-bys of more than a dozen electric companies in the United States, looking for ways to gain access to their systems.

“They’re not only sophisticated, but they’re the only actor who has tried to cross the line into killing people,” said Robert M. Lee, the chief executive of Dragos. “Not only did they demonstrate the capability but the intent to hurt people, which no other actor had done.”

They came days after the Justice Department unsealed charges against six Russian military intelligence officers accused of aggressive cyberattacks on the 2017 French elections, the 2018 Winter Olympics and power grids in Ukraine, as well as another 2017 attack that hit companies like Merck, Mondelez, FedEx and Pfizer and caused billions of dollars of damage.

On Thursday, the F.B.I. and the Cybersecurity and Infrastructure Security Agency accused the same Russian hackers who have been making incursions into the American power grid of hacking state and local systems, including some election support systems.

Federal prosecutors have publicly played down the timing of the indictments and sanctions, but some officials said privately that they were intended to send a clear message that American officials are closely tracking Russia’s information-warfare systems ahead of the Nov. 3 presidential election, whether they are poised to hack election systems, amplify America’s political fissures or get inside the minds of voters.

The sanctions did not name the Russian hackers behind the attacks. As a result of Friday’s actions, Russia’s government-connected research center and people connected to it will have any assets or properties they hold in the United States frozen.

The sanctions also expose anyone who does business or research with the center to similar punishment. “Nobody internationally is going to touch them now,” Mr. Lee said.