Russian FSB Officials Accused of hacking US Critical Infrastructure are being offered a $10 Million Reward

Russian FSB officials accused of hacking US critical infrastructure, with a $10 million reward for information leading to their capture.


The US offers $10 million for Russian FSB officials Tyukov, Gavrilov, and Akulov, who are alleged to have attacked more than 500 energy companies globally, including US critical infrastructure.


In order to allow the Russian government to interfere with and harm these facilities, the officers sought to acquire and preserve “unauthorized persistent access to hundreds of U.S. and international energy companies.”

The officers and their accomplices attacked over 380 foreign energy-related businesses in 135 countries. According to the page on the Rewards for Justice website created for each officer, “targeted companies included U.S. and foreign global oil and gas firms, utility and electrical grid companies, nuclear power plants, renewable energy companies, consulting and engineering groups, and advanced technology firms.”

The three officers belong to the FSB’s Center 16 unit, which is also tracked as Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti.

The three FSB officers—Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov—were accused by the US Department of Justice in August 2021.

The energy sector’s ICS/SCADA (Industrial Control Systems / Supervisory Control and Data Acquisition) systems, including those of nuclear power plants, oil and gas businesses, utility companies, and power transmission companies, were the target of several attacks by the Dragonfly APT between 2012 and 2017.


The indictment states that the campaign against the energy industry had two stages. During the first phase, which lasted from 2012 to 2014, the nation-state actor, tracked as “Dragonfly” or “Havex”, carried out a supply chain attack: it breached software providers and manufacturers of OT network systems and used that access to deliver the “Havex” implant to their customers.

Additionally, the attackers used spear-phishing and “watering hole” attacks to infect over 17,000 distinct systems, both domestically and internationally, with malware, including ICS/SCADA controllers used by energy and power firms.

During the second phase, which lasted from 2014 to 2017, the APT group known as “Dragonfly 2.0” concentrated on more focused attacks against particular energy sector firms, as well as engineers and individuals who worked with ICS/SCADA systems. In addition to U.S. government agencies, including the Nuclear Regulatory Commission, the group targeted over 3,300 users at over 500 U.S. and foreign businesses and organizations.

The FBI issued a warning in August 2025 that the Russian-affiliated threat actor Static Tundra targets organizations both domestically and internationally by taking advantage of end-of-life networking devices that have an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP).


CVE-2018-0171 (CVSS score of 9.8) affects the Smart Install feature of Cisco IOS and Cisco IOS XE software. An unauthenticated, remote attacker could use the vulnerability to force a vulnerable device to reload or to run arbitrary code on it.

“Attributable to the Russian Federal Security Service’s (FSB) Center 16, the FBI is alerting the public, private sector, and international community to the threat that cyber actors pose to computer networks and critical infrastructure,” reads the FBI’s warning. “The FBI discovered that Russian FSB cyber actors were using end-of-life networking devices with an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP) to target entities both domestically and internationally.”

The FSB’s Center 16 unit, which has been in operation for more than ten years, is associated with the Russian actor Static Tundra. The cyber espionage group specializes in breaking into network equipment for long-term intelligence collection operations.

Over the previous year, the FBI watched FSB’s Center 16, also known as Berserk Bear/Dragonfly, gather configurations from thousands of critical infrastructure devices in the United States. The hackers showed interest in ICS-related protocols and changed some configurations to enable spying and backdoor access. They have been in operation for more than ten years, using tools like the Cisco “SYNful Knock” malware to take advantage of vulnerable, outdated protocols (SMI, SNMP v1/v2).

The majority of victims are located in Ukraine and its allies, according to Talos analysts.

“The group targets unpatched and end-of-life network devices to steal configuration data and establish persistent access by actively exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco IOS software’s Smart Install feature, which was patched at the time of the vulnerability publication,” reads a report from Cisco Talos.

Organizations in the manufacturing, telecommunications, and higher education sectors in North America, Asia, Africa, and Europe are the main targets; victims are chosen based on their strategic value to the Russian government.

Static Tundra exploits unpatched Cisco IOS/IOS XE devices through CVE-2018-0171 and weak SNMP community strings in order to obtain persistent access, exfiltrate configurations, and facilitate long-term espionage. Stealth, persistence, and intelligence gathering are its top priorities, and it employs GRE tunnels, SYNful Knock implants, and custom tools.
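As an added, defender-side example that is not part of the article or of the FBI and Talos reports, the following Python script audits a constructed Cisco IOS running-config excerpt for the exposures the article names: Smart Install left enabled (no explicit `no vstack` line, which is Cisco’s documented command to disable the feature), SNMPv1/v2c community strings that are well-known or read-write, and GRE tunnel interfaces. The config text, hostnames, addresses and community strings are all constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier
    line: str    # the config line (or "(absent) ...") that triggered it
    reason: str  # why it matters to a defender

# Constructed sample of a Cisco IOS running-config; not from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community s3cret RW
snmp-server group NOC v3 priv
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
end
"""

# Default community strings that scanners and attackers try first.
WEAK_COMMUNITIES = {"public", "private", "cisco"}

def audit_config(text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = [ln.strip() for ln in text.splitlines()]
    # Smart Install is enabled by default on many IOS platforms; it is only off
    # when the configuration explicitly contains "no vstack".
    if "no vstack" not in lines:
        findings.append(Finding("smart-install", "(absent) no vstack",
            "Smart Install not explicitly disabled; exposed to CVE-2018-0171 if unpatched"))
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+\S+)*?\s*(RO|RW)?$", ln)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"  # IOS defaults to RO
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(Finding("snmp-weak-community", ln,
                    f"well-known SNMPv1/v2c community string '{name}'"))
            if mode == "RW":
                findings.append(Finding("snmp-rw-community", ln,
                    "read-write community lets anyone who knows it change the config"))
        elif ln.startswith("tunnel mode gre"):
            findings.append(Finding("gre-tunnel", ln,
                "GRE tunnel present; confirm the destination is an expected peer"))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.rule}] {f.line} -> {f.reason}")
```

Running the script against a saved `show running-config` output lists each finding with its rule name, so the three exposure classes can be checked across a device inventory in one pass.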

SYNful Knock, a modular, covert router firmware backdoor first described by Mandiant in 2015, uses non-standard packets for authentication, guarantees persistence, and evades detection.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
