The U.S. Department of Justice charged the three FSB officers in August 2021 for their alleged involvement in a series of attacks that targeted over 500 U.S. and foreign energy firms. The indictment outlines a multi-phased campaign spanning from 2012 to 2017. The first phase, from 2012 to 2014, saw the group, known as “Dragonfly” or “Havex,” execute a supply chain attack. They compromised the networks of industrial control systems (ICS) and SCADA system manufacturers, embedding malware into software updates. This malicious code was then deployed on more than 17,000 devices globally, including those used by power and energy companies.
The second phase of the operation, from 2014 to 2017, involved a more targeted approach. The group, now tracked as “Dragonfly 2.0,” focused on spear-phishing and “watering hole” attacks to compromise specific energy sector entities and individuals. They targeted over 3,300 users at more than 500 companies in the U.S. and abroad, including the U.S. Nuclear Regulatory Commission. The objective of these campaigns was to gain unauthorized, persistent access to these networks, which would enable the Russian government to disrupt and damage critical facilities if it chose to do so.
The FSB’s Center 16 unit, known by various names including Dragonfly, Berzerk Bear, and Static Tundra, has been a persistent threat for over a decade. In addition to the activities outlined in the 2021 indictment, the FBI issued a warning in August 2025 about the same unit’s ongoing activities. The FBI alert stated that Russian FSB cyber actors are exploiting legacy vulnerabilities in networking devices, specifically an unpatched flaw (CVE-2018-0171) in Cisco’s Smart Install feature, to target critical infrastructure in the U.S. and globally.
The exploitation of this seven-year-old vulnerability, which has a CVSS score of 9.8, allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable device. According to the FBI, the threat actors are using this method to broadly collect configuration files from thousands of networking devices in the U.S. across critical infrastructure sectors. This intelligence gathering is aimed at supporting long-term espionage operations and establishing persistent access to network environments, demonstrating the group’s continued focus on targeting foundational network infrastructure for strategic purposes.
The reward for justice offer underscores the U.S. government’s commitment to holding foreign state-sponsored cyber actors accountable for their attacks on American and international infrastructure. The charges against Akulov, Gavrilov, and Tyukov, coupled with the recent FBI warning, highlight the persistent and evolving nature of these threats. The U.S. and its partners continue to track and publicize the activities of these groups, urging companies and agencies to patch vulnerabilities and strengthen their cyber defenses against ongoing espionage and potential sabotage campaigns.
Reference:
