2024/05/20 13:38:12

Criminal cases on unlawful impact on the critical information infrastructure of the Russian Federation

The article is devoted to judicial practice in criminal cases on unlawful impact on the critical information infrastructure of the Russian Federation.


2024: An engineer at a Rosseti subsidiary remotely cut power to 38 settlements from his laptop

At the end of April, the Kirillovsky District Court of the Vologda Region sentenced[1] a 48-year-old category 1 engineer for disconnecting 38 settlements from the power supply in the Babaevsky, Ustyuzhensky and Sheksninsky municipalities of the Vologda Region, where industrial enterprises were also located. The convict's actions disrupted the normal operation of electric power enterprises and harmed the critical information infrastructure of the Russian Federation.

According to the case file, on February 18, 2023, an employee of Rosseti North-West PJSC used special software launched remotely from his personal laptop to change the settings of the overhead line controllers, which disabled them. He also turned off remote control of the controllers, the same capability he had just used to disable them, which made restoration work difficult.

The court found the engineer guilty under Part 4 of Article 274.1 of the Criminal Code of the Russian Federation, which punishes unlawful impact on the critical information infrastructure of the Russian Federation committed by a person using his official position. The offender was sentenced to 2 years of suspended imprisonment with a probationary period of 1.5 years and confiscation of his personal laptop, which was used to commit the crime.

Warning from the "Public services" site of the Vologda region about a similar incident (image; source: Public services)

It should be noted that at that time many accidents on power supply networks were recorded in the Vologda region. In particular, there are reports of outages in some settlements on October 22, 2022, and on January 9 and February 15, 18 and 19, 2023. However, it is not entirely clear whether sabotage or low temperatures caused these accidents. For example, on January 9 the temperature in the Vologda region dropped to minus 42 degrees.

2023

Who is imprisoned in criminal cases on CII, and how: an analysis of judicial practice

Valery Komarov, Head of the Awareness Department of the Information Security Department of the DIT of Moscow, analyzed court practice in cases under 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation." He shared the results at an industry forum in early October 2023. More than a hundred such cases have already accumulated, a sufficient base for analysis.

Valery Komarov recalled that 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" was adopted as part of a package of three federal laws: in addition to the law on CII security, separate laws amended the Criminal Code, introducing the corresponding offences, and changed the law on state secrets. In addition, in 2021, 141-FZ amended the Code of Administrative Offenses.

Administrative liability is already widely applied in the country. FSTEC and the FSB have the right to impose fines under the Code of Administrative Offenses. According to FSTEC data from September 2023, 900 CII subjects were inspected; at 600 of them, significant violations of CII security requirements were found that were not eliminated during the inspection, and orders to eliminate the violations were issued. Measures to impose administrative liability were taken against 40 CII subjects.

From the presentation of Valery Komarov

An analysis of court decisions showed that cases in this area feature the same types of crime across different CII subjects: for example, employees of mobile operators "break through" subscriber data. Using their service access, they obtain information about customers and pass it to criminals.

It can also be seen that different courts characterize and qualify the same method and nature of crime in completely different ways, in particular whether or not the person had legitimate access to the protected information when committing the crime. Some courts qualify the same actions as unlawful access, and others as lawful. The same applies to intent: some courts exempt defendants from criminal liability in connection with the intent element of the crime, and some do not consider or examine intent at all.

At the same time, the legislation and the Criminal Code lack such a concept as "harm to critical information infrastructure," in contrast to the "classic" articles on computer crimes, which use the concepts of "damage" and "major damage." Therefore, the courts interpret what constitutes harm to CII in completely different ways, notes Valery Komarov.

85% of the sentences in the analyzed court cases were passed against employees of CII subjects, and only 15% against external violators. Among the employees charged under Article 271.4 of the Criminal Code of the Russian Federation, the majority fall under Part 4 of this article, which applies when a crime is committed by a group of persons by prior conspiracy or by an organized group, or by a person using his official position.

In 50% of cases where a person is found guilty, the criminal punishment is commuted to a fine. Among the sectors whose CII-subject employees are held criminally liable, communications and healthcare lead.

The head of the awareness department of the information security department of the DIT of Moscow put forward a number of proposals. One is to apply liability under Part 3 of Article 271.4 of the Criminal Code of the Russian Federation, which concerns violation of the rules of operation, only to significant CII objects, and to impose administrative liability for CII objects without a category of significance. This concerns the employees who are currently being prosecuted, not external crime, said Valery Komarov.

The second proposal is to define exactly what "harm to CII" is. This is necessary to prevent arbitrary interpretation of criminal law.

Initially, 187-FZ covered 13 CII sectors; in 2023 another was added: registration of real estate rights. The State Duma now has a bill, scheduled for consideration in November, that adds two more areas: social security and education. This bill has already received a negative review from the Russian government, Valery Komarov specified.

Mobile consultant violated criminal article on CII, trying to fulfill Tele2 plan

The criminal story took place at the Tele2 subscriber sales and service center in Pskov: a sales consultant registered two SIM cards in a person's name without that person's knowledge and was convicted under Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation).

As follows from the published verdict of the Pskov City Court of the Pskov Region in this criminal case[2][3], which entered into force in August 2023, the convicted Nikitina A.A. was hired as a sales consultant at the Tele2 sales and customer service center of an individual entrepreneur, a dealer in Pskov and the Pskov region acting on the basis of an agency agreement in the interests of St. Petersburg Telecom (Pskov branch).

She was familiarized with the sales consultant's job description, under which contracts for communication services may be executed, and subscriber applications received and processed, only on presentation of a document certifying the client's identity. The employee is criminally liable if a connection is made or an application is accepted without documents.

The court decided that the sales consultant harmed CII: AIS Billing Plus, owned by T2 Mobile (photo: RIA Novosti/Ilya Pitalev)

The management company of "St. Petersburg Telecom", "T2 Mobile", is a CII subject that owns IT systems and telecom networks, including the AIS Billing Plus settlement system and WebDealer, which in turn are CII objects according to the register of significant CII objects of the Russian Federation and contain legally protected computer information constituting the secrecy of communications and of messages sent by citizens, the verdict states.

In 2021, Nikitina A.A., while at her workplace, using her official position and acting on behalf of the mobile operator T2 Mobile, violated the rules for operating the means of storing and processing protected computer information contained in CII and in information systems related to CII, as well as the rules for accessing these systems, by entering registration information for two SIM cards into AIS Billing Plus through the AIS WebDealer interface. The cards were issued using the passport data of a citizen who was unaware of A.A. Nikitina's actions: she was not present at the Tele2 sales and service center during registration and did not consent to these actions in any form.

Moreover, the citizen to whom the SIM cards were issued stated that she had never applied to Tele2 cellular salons at all.

Thus, the court found, Nikitina A.A. violated the requirements of a number of provisions of 126-FZ "On Communications" and of Decree of the Government of the Russian Federation No. 1342 "On the Procedure for Providing Telephone Services," and "harmed CII": AIS Billing Plus, owned by T2 Mobile. The harm, in particular, "was expressed in the modification of the information contained in the database of the specified AIS, as a result of which the information circulating in it ceased to correspond to objectivity, reliability and relevance."

At the trial, A.A. Nikitina fully admitted her guilt in committing the crime and repented of her deed, the verdict states. She explained that, because of the need to fulfill plans for connecting new subscribers and transferring customers from other cellular companies, she connected a new subscriber with two SIM cards to the Tele2 cellular operator without his personal presence and without documents being provided. Immediately after issuing the SIM cards, she threw them away and did not pass them to anyone. Nikitina A.A. reported the crime in her confession.

One of the witnesses at the trial confirmed that part of the salary of sellers depends on the number of connected subscribers.

The court found Nikitina A.A. guilty of committing a crime under Part 4 of Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation using her official position), and sentenced her to a milder punishment than is provided for this crime: 1 year of suspended imprisonment with a probationary period of 1 year.

The standard punishment under this part of the article is from 3 to 8 years in prison.

Quit and deleted the files. Former defense enterprise sysadmin challenges critical infrastructure impact verdict

As TAdviser found out, in July 2023 a former leading software engineer and computer network administrator of a defense enterprise located in the Vladimir region tried for the second time to challenge the verdict passed on him last year under Part 2 of Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation). Under the verdict of the Kovrovsky City Court of the Vladimir Region, D.B. Beloslyudtsev was sentenced to 1 year and 6 months of suspended imprisonment with a probationary period of 2 years and a fine of 300 thousand rubles.

The published verdict mentions the All-Russian Research Institute "Signal" (part of the Rostec Group of Companies), which is a subject of the CII of the Russian Federation, "since it carries out activities in the fields of science and defense industry," and information systems, networks and automated control systems belonging to the enterprise on the right of ownership, lease or other legal basis are objects of the CII of the Russian Federation.

As follows from the verdict[4], under the job description of the leading software engineer and computer network administrator, D.B. Beloslyudtsev's duties included, among others: ensuring the uninterrupted functioning of the enterprise's information and computer network (hereinafter referred to as the IVS), Internet subscriber stations, email, computer equipment and software; and taking measures to restore the operability of the IVS in case of malfunctions or failure of servers, network equipment and software.

In addition, he installed software on servers and workstations and supported it in operation; ensured network and inter-network security; registered users of the IVS and the mail server and assigned identifiers and passwords; established access rights to information resources and monitored their use; organized access to local and global networks; and ensured the safety and confidentiality of information.

According to the job description of the leading software engineer - administrator of the computer network, D.B. Beloslyudtsev was assigned many duties

At some point, the employment contract with D.B. Beloslyudtsev was terminated at the employee's own initiative. As the court established, later, in February 2020, D.B. Beloslyudtsev illegally connected remotely to the CII object, the information resources of the enterprise, using the accounts and passwords of two other employees, which had become known to him through his work at the company and his duties as system administrator of the enterprise's computer network.

He destroyed the "Service Investigations" folder (there was a spelling error in the folder name), stored on a file resource in the directory of the Bureau of Economic and Information Security and containing projects and copies of documents compiled during official inspections carried out at the enterprise during a certain period. These documents are restricted service documents.

He did not stop there. To eliminate the possibility of recovering the destroyed computer information, the former employee also deleted system files from a directory on one of the enterprise's information resources. This blocked the operation of the software that controls data backup and recovery.

The destruction of the computer information in the folder with internal investigations, as well as of the system files of the data backup software, significantly hampered the work of the relevant division, the BEiIS, because of the irretrievable loss of the data set, and negatively affected the work of ensuring the economic and information security of the enterprise, which is a subject of the CII of the Russian Federation, the verdict says.

It also follows from the verdict that D.B. Beloslyudtsev was aware that the security service was conducting an official audit against him over the sale of memory modules through one of the services. One of the witnesses at the trial said that during one of the annual audits of the enterprise's property, a shortage of a number of computer components and hard drives was established. An official check was carried out, and questions arose for D.B. Beloslyudtsev.

After his dismissal from the defense enterprise, Beloslyudtsev planned to go through the hiring procedure at a company that checked, among other things, information about an applicant's convictions and the presence of other incriminating information. He therefore believed that by deleting all the data of this service check from the file resource of the enterprise where he had worked earlier, he would exclude all negative consequences that would prevent him from finding a job.

At the hearing, D.B. Beloslyudtsev pleaded not guilty and said that at the time of his dismissal he had tense relations with the management of the enterprise, because of which, he believes, they bear resentment and anger toward him. He also stated that only when he was charged in this criminal case did he find out that the enterprise is a subject of CII, citing the fact that he did not participate in any of the meetings on CII and no one brought this information to him. He also did not know that this enterprise was a defense company.

D.B. Beloslyudtsev has already filed two complaints against the verdict, asking for it to be cancelled. The last of the complaints, a cassation appeal, was considered in July 2023 in the Second Court of Cassation of General Jurisdiction[5], and the verdict was upheld.

Among the arguments in defense of his position, Beloslyudtsev claims that his intent did not include causing harm to the information system of the enterprise, which he did not know was CII of the Russian Federation. He only wanted to remove information defaming his business reputation based on the results of an official audit conducted against him.

The appeal and cassation instances, however, upheld the verdict. The only change was that the appellate instance excluded the reference to D.B. Beloslyudtsev's explanation from June 2020 as evidence of his guilt.

The verdict indicated that Beloslyudtsev works as a leading specialist in the IT infrastructure department. The name of the LLC where he holds this position is not disclosed in the published document.

Wanted to replace Cisco and save money: why a defense enterprise sysadmin was convicted under the Criminal Code article

In August 2023, the story of system administrator Yesin E.A. surfaced in the media and blogs. At the beginning of the year, the Kirovsky District Court of Samara found him guilty under Part 3 of Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation) and sentenced him to 1.5 years probation[6]. TAdviser reviewed this verdict and also learned that in May 2023 an appeal against the verdict was considered, as a result of which it was commuted.

The verdict, published on the website of the Kirovsky District Court of Samara, states that Esin A.E., based on his functional duties, was a network system administrator. He worked in the bureau for the operation of network infrastructure at one of the leading rocket and space enterprises of the military-industrial complex, which participates in the execution of the state defense order in terms of the production of launch vehicles and the manufacture of spacecraft for various purposes. The verdict, in particular, mentions the Progress RCC; this enterprise is part of Roscosmos.

As the court established, in July 2020 Esin A.E., aware of the rules for working in the enterprise's information and computing network (IVS) set by the special provision "On the procedure for working in the IVS," decided, in violation of the rules of access and operation, to connect an AWS (a virtual workstation from the closed internal range of the enterprise's IVS) to the Internet in order to download and install on it software designed to authenticate user devices on the network.

The provision "On the procedure for operation in the IVS" prohibits connecting modems, mobile phones, wireless communication and other means of communication and data transmission to an AWS; prohibits connecting an AWS to the Internet using such means; and prohibits unauthorized installation or reinstallation of the OS and software and unauthorized addition or removal of AWS components.

The story began with the fact that the enterprise needed to implement a device authentication service

As Yesin E.A. himself said at the trial, since about 2018 the department in which he worked had faced the task of introducing an enterprise device authentication service. The task was assigned to him around July 2020 by his immediate boss, who later appeared in the case as one of the witnesses.

The software was selected, as Esin suggests, "at some meeting of managers," and he was directly instructed to work with FreeRADIUS: it had to be set up and put into operation. No specific instructions were given on how to carry out this work or what steps to take, so he fulfilled the task at his own discretion, as he considered possible.

The tasks of FreeRADIUS include segmentation: distributing department devices across the required networks. Previously, the enterprise used Cisco ACS software with fairly wide functionality, which was purchased along with Cisco ACS equipment. It was impossible to buy or extend support for this software after 2014.

To install FreeRADIUS, the sysadmin chose the CentOS 8 distribution as "the most reliable." Esin E.A. used a MikroTik router, which he connected to the enterprise's IVS by a physical connection in the switching cabinet, i.e. he connected it in the rack to a cable with Internet access. CentOS 8 was downloaded from the Internet. According to him, he physically disconnected his computer from the enterprise's IVS while doing so.

He does not know where the optical cable with Internet access in the switching cabinet came from; he had heard that employees of the neighboring bureau used it for official purposes even before he got the job. He had free access to it, given that the cabinet lacked side and rear walls and the doors did not lock.

As a result of the actions of Yesin A.E., there were attempts to take over control of the router connected to the enterprise's IVS: connection attempts from foreign IP addresses belonging to unknown persons abroad, the verdict says.

Internet access was also required to download the FreeRADIUS installation files. To do this, the sysadmin configured a proxy server on the MikroTik router in order to quickly "release" the virtual machine to the Internet and download the necessary files.

Later, at the request of Esin A.E., a specialist of the relevant department of the RCC created and configured the virtual AWS CentOS8-CA-RADIUS on a cluster of identical servers (hosts) physically located in the enterprise's data center.

The MikroTik router was connected for about 1-2 weeks in standby mode, "catching" everyone who tried to connect to the enterprise system, whom the sysadmin then added to the blacklist; after that it was connected only as needed, according to the text of the verdict. According to Yesin, in 10 years of work at the enterprise this was the first time he connected to the Internet, in order to download and install the FreeRADIUS and CentOS 8 software.

The presence of this connection is a potential vulnerability of the enterprise's network that could be exploited and could lead to negative consequences for the CII objects (the enterprise's two data centers), the published verdict says.

"As a result of the illegal acts of A.E. Yesin, organizational (technological and operational) damage was caused to a CII object of the Russian Federation (the DPC of the RCC), which resulted in a violation of the security of access to and operation of the computer information processed and stored by the defense enterprise, of the third category of significance in the CII of the Russian Federation, as a result of which it became possible for external intruders to penetrate the perimeter of the CII objects of the Russian Federation and inflict critical damage on them, up to incapacitation, loss of data and failure of processes critical to the operation of the enterprise, thereby creating a threat of serious consequences for the IVS and plant processes, including failure to meet the deadlines for the execution of the state defense order," the verdict states.

In addition, as the investigation established, Yesin organized remote access to his work computer from home in order to work after hours, that is, overtime, and from his work computer he communicated over the network, in a chat he had created, with his wife, who was outside the perimeter of the enterprise. The audit found that the CII object was harmed by the creation of a channel for possible impact on the CII object, the DPC.

The court found that E.A. Yesin committed a violation of the rules for operating information and telecommunication networks related to the critical information infrastructure (CII) of the Russian Federation, as well as a violation of the rules for accessing information and telecommunication networks, which caused harm to the CII of the Russian Federation.

Esin E.A. partially admitted his guilt. At the same time, he says that he saved the enterprise 2.4 million rubles by replacing Cisco ACS with two FreeRADIUS machines on CentOS 8.

As a result, the court found Yesin A.E. guilty under Part 3 of Art. 274.1 of the Criminal Code of the Russian Federation and sentenced him to suspended imprisonment for a period of 1 year and 6 months, applying Part 1 of Art. 64 of the Criminal Code of the Russian Federation (a milder punishment than is provided for this crime), without deprivation of the right to hold certain positions or engage in certain activities.

He was also obliged not to change his permanent place of residence without notifying the specialized state body that monitors the behavior of convicts.

Yesin filed an appeal against this verdict, which was considered by the Samara Regional Court at the end of May 2023[7].

The appellate instance notes that the court of first instance, when sentencing, recognized the mitigating circumstances as exceptional, but did not apply the rule on these circumstances. Exceptional mitigating circumstances include the fact that Yesin partially pleaded guilty, did not dispute the actual circumstances of his act, actively contributed to the disclosure and investigation of the crime, has a dependent young child and spouse on maternity leave.

According to the court, these circumstances, coupled with the desire to fulfill the task of the management for the deployment of a service that limits unauthorized access to the IVS of the enterprise, as well as the cost savings of the enterprise, and taking into account other data on the identity of the defendant, significantly reduce the degree of his public danger, and, therefore, are exceptional.

In this regard, the Samara Regional Court changed the original sentence: instead of imprisonment conditionally, Yesin was assigned correctional labor for a period of one year with a deduction of 5% of the salary to the state income, and the punishment was considered conditional with a probationary period of 6 months.

A resident of the DPR received 2 years in prison under Art. 274.1 of the Criminal Code of the Russian Federation for DDoS attacks

The Leninsky District Court of Rostov-on-Don sentenced Roman Nosachev, a Ukrainian who staged hacker attacks on Russian resources, to two years in a penal colony and a fine of 600 thousand rubles. This was announced in mid-August 2023 by the press service of the FSB Directorate for the Rostov region.

The department clarified that while living in Khartsyzsk in the DPR, the defendant attacked Russian Internet resources, and also distributed instructions for conducting DDoS attacks with links to malicious software.

Roman Nosachev received two years in prison for attacks on Russian resources

Nosachev was found guilty under Part 1 of Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation). The maximum punishment is up to five years in prison.

In July 2023, Secretary of the Security Council Nikolai Patrushev said that the United States oversees the Ukrainian Center for Information and Psychological Operations (CIPSO). In his opinion, the American special services are directing cyber attacks "under the Ukrainian flag" on the infrastructure of Russia. In April 2023, the FSB reported that Western countries are using Ukraine's network infrastructure to carry out cyber attacks against Russia.

Despite the fact that at the end of 2022 the number of DDoS attacks decreased significantly, StormWall experts believe that a significant increase in attacks on key industries is possible in 2023. Experts expect an increase in the number of cyber incidents to 300% for the oil and gas sector and the energy industry in February and March 2023 due to the huge impact of these industries on the current political situation in the world.

According to experts, the number of cyber attacks on other industries will also grow systematically, while DDoS attacks will be used more often to disguise other targeted attacks to disrupt system performance and steal personal data. At the same time, at the moment there is no reason to predict a significant increase in attacks on other industries, since the attacks of politically motivated activists have practically stopped, the company said.[8]

2022

Astrakhan resident received 3 years in prison under Art. 274.1 of the Criminal Code of the Russian Federation for selling cellular subscribers' data

The Kirovsky District Court of Astrakhan sentenced a specialist of the cellular sales office to three years in a general regime colony for theft and subsequent sale of personal data of subscribers. He was found guilty of committing a crime under Part 4 of Art. 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation). This was announced on February 1, 2022 by the press service of the Prosecutor's Office of the Astrakhan Region.

The court found that in November 2020 a specialist of the cellular sales office, in violation of his job description, employment contract and its appendices, used the personal login and password of another office specialist to access the Single Window information system, which allows viewing the personal data of mobile network subscribers and information about the telephone numbers registered to them, communication services and tariff plans, and requested the cards of two subscribers. He copied the data and handed it over to another person for a monetary reward.

Astrakhan resident received 3 years in prison for selling cellular subscribers' data

As officers of the FSB Directorate for the Astrakhan Region found out, the young man met a certain user on the Internet who offered him money to "leak" personal data of subscribers from the information systems of mobile operators. But the suspect for some reason did not take into account that video surveillance cameras could be watching him. The moment when he photographed the data of interest to the customer from the monitor screen and sent it through a messenger was therefore caught on camera and became evidence in court.

As noted by the Telegram channel "Information Leaks," this punishment for illegal access to data from critical information infrastructure turned out to be surprisingly tough and not typical of Russian realities. The usual court practice is to impose a fine and conditional imprisonment.[1][9][10][11][12][13]

A programmer who forged data on vaccination in the IT system was sentenced to 3.5 years under the article of the Criminal Code on CII

In Dagestan, a programmer who worked in a hospital was sentenced to 3.5 years probation for forging information about undergoing vaccination against COVID-19 in an information system. This was reported in January 2022 by the Dagestan media with reference to the FSB of the region.

Based on the materials collected by the FSB of the region together with the Ministry of Internal Affairs in the Republic of Dagestan, it was established that in 2021 Rashid Magomedov, a programmer at the Kizilyurt Central District Hospital, illegally accessed the Uniform State Health Information System and entered deliberately false information about COVID-19 vaccination of citizens who had not actually received it.

From the verdict in the criminal case published in the case index of the Kizilyurt City Court of Dagestan, it follows that Magomedov entered fictitious data on the alleged vaccination of himself and several of his relatives in the federal register of vaccinated persons, which is one of the sections of the Uniform State Health Information System[14]. He hoped to receive certificates of COVID-19 vaccination with a QR code for himself and his relatives. The programmer entered the data into the register through the Google Chrome browser, using the account of the head nurse of this hospital's clinic, who had access to the federal register of vaccinated persons. Magomedov learned the login and password for her account because the head nurse had asked him to configure the computer so that the login and password were entered automatically when logging into the system, and Magomedov implemented this.

The Ministry of Internal Affairs reported in early November 2021 that over the previous four months more than 500 criminal cases had been opened in Russia over fake vaccination certificates and other documents related to COVID-19 (photo: TASS)

The manipulation of vaccination data was discovered quite quickly. The same head nurse noticed suspicious data in the register and called the programmer's aunt to find out whether she had in fact been vaccinated, because data on her vaccination were present in the system. The aunt stated that she had not been vaccinated. It turned out that her nephew, the programmer, had not had time to inform her that he had entered her in the register of vaccinated persons, and she did not know about it. After that, Rashid Magomedov told the head nurse how things stood, "since there was no point in hiding anything," the verdict said. Law enforcement agencies then became involved.

One of the notable points in this case is that Rashid Magomedov was tried under Article 274.1 of the Criminal Code of the Russian Federation (unlawful impact on the critical information infrastructure of the Russian Federation), specifically under part 4 of this article, which covers impact committed by a person using his official position.

The maximum punishment under this part is up to 8 years in prison. But the court took into account the sincere confession and repentance, as well as the positive character reference from the place of residence of Magomedov, who had no previous convictions, and limited itself to a sentence of 3.5 years probation and deprivation of the right to engage in activities in the field of computer technology for 2 years.

The court notes in its verdict that the Ministry of Health of the Russian Federation, in accordance with 187-FZ, is a subject of critical information infrastructure (CII), and the IT systems and networks belonging to the department are its objects. In turn, the information in the federal register of vaccinated persons is protected computer information contained in the CII.

The illegal actions of R.M. Magomedov caused harm to the critical information infrastructure of the Russian Federation in the form of a violation of the security of information owned and protected by the Ministry of Health, expressed in the unlawful introduction of amendments to the federal register of vaccinated persons of the Uniform State Health Information System, the verdict says.

According to the well-known information security expert Alexey Lukatsky, a security business consultant at Cisco Systems, in this case, as in similar criminal cases where vaccination data is illegally entered into medical information systems, there is no direct damage to CII. But, the expert suggested in a conversation with TAdviser, investigators are probably following the path of least resistance: Article 274.1 of the Criminal Code of the Russian Federation is quite simple to apply, and through it the accused can be given a much longer term than under other articles that could be applied in this case.

"This article of the Criminal Code of the Russian Federation is quite new, and I do not exclude that law enforcement agencies may have some kind of plan to solve crimes under this article, which they carry out. The same article applies, for example, to employees of telecom operators who steal information about subscriber conversations and transmit it to attackers. This, in my opinion, rather refers to a violation of the secrecy of communication, correspondence or to a violation of the legislation on personal data than to a violation of the legislation on critical information infrastructure," says Alexey Lukatsky.

But at the same time, from a formal point of view, investigators have every right to apply Art. 274.1 of the Criminal Code of the Russian Federation in such cases, since there is unauthorized access to information that is processed in critical infrastructure, he added. Health care and telecom operators are part of that infrastructure.

"From a formal point of view, law enforcement agencies are right, but in fact, based on the spirit of the legislation on CII, this article of the Criminal Code was nevertheless originally developed for a different purpose and provided for punishment for those who, by their actions, can lead to a violation or termination of the functioning of critical infrastructure. And in the case of entering data on vaccination and theft of subscriber data, this does not happen," said Lukatsky.

Information security expert Valery Komarov notes in a blog post about this criminal case that he did not understand what the harm to the critical information infrastructure was in this case[15].

"I always thought that under Art. 274.1 of the Criminal Code of the Russian Federation, illegal modification of information is punished, resulting in harm to the CII. And here it turns out that the modification itself is already harmful to CII. Convenient for the investigation, of course. There is no need to suffer with evidence of harm," says Komarov.

The expert also wonders how the GIS and the Uniform State Health Information System are protected as CII objects: "It turns out that the only implemented protection measure is the user's login and password, then go through the web interface and enter any information, the main thing is to install and use the Google Chrome browser?"

2021: Increase in criminal cases of cyber attacks and other unlawful impact on CII by three times

In 2021, 70 criminal cases were opened in Russia over cyber attacks and other unlawful impact on critical information infrastructure (CII: IT systems of government agencies, banks, transport, the fuel and nuclear industries, power, etc.), compared with 22 a year earlier. This is evidenced by the data of an InfoWatch study conducted using statistics from the Ministry of Internal Affairs and data from the state automated system "Justice."

According to Kommersant, citing this report, about half of the criminal cases in question relate to the use of programs knowingly intended for unlawful impact on CII. For example, in one of the cases, locomotive crew workers of Russian Railways used non-standard software to pass a test on knowledge of the technical and administrative acts of railway stations. In another case, an employee of the Perm Powder Plant downloaded an unlicensed version of Microsoft Word whose key generator, according to the prosecution, established a channel for exchanging information with an IP address "belonging to" the USA. The employee was sentenced to a year of restriction of freedom.

The number of criminal cases due to attacks on government agencies and banks in Russia has tripled

A significant part of the proceedings concerns the claims of telecom operators against their employees: in 75% of cases in 2021 it was about leaks of personal data of users.

The law on unlawful impact on the critical information infrastructure of the Russian Federation (Criminal Code of the Russian Federation, Article 274.1) was adopted in 2017, edited on July 1, 2021, and entered into force with amendments and additions on December 1, 2021.

Alexander Aivazov, Vice-President of the Association of Russian Detectives and Managing Partner of Intrace, explained the lenient punishment for targeted impact on CII by the fact that the Russian authorities are only beginning to realize the importance of the problem. For comparison: in the United States, the amount of the fine depends on the damage caused, he stressed.[16]

See also

Critical Information Infrastructure of Russia

Security of critical information infrastructure of the Russian Federation

Critical infrastructure in healthcare

State System for Detection, Prevention and Elimination of Consequences of Computer Attacks

Notes

  1. News of the Prosecutor's Office of the Vologda Region
  2. [https://pskovskygor--psk.sudrf.ru/modules.php?name=sud_delo&srv_num=1&name_op=doc&number=55627304&delo_id=1540006&new=0&text_number=1. The verdict
  3. the Pskov City Court of the Pskov Region of July 18, 2023 in case N 1-370/2023]
  4. The verdict in case No. 1-45/2022 (1-471/2021)
  5. The cassation determination in the case 77-2091/2023
  6. CASE No. 1-11/2023 (1-168/2022).
  7. CASE No. 22-3177/2023
  8. The court sentenced a resident of the DPR to two years in a penal colony for hacker attacks
  9. [https://t.me/dataleak/2489 The
  10. prosecutor's office of the Kirovsky district supported the prosecution in a criminal case on the fact of unlawful influence on the critical information infrastructure of the Russian Federation
  11. Surprisingly harsh (not typical of Russian realities) punishment was handed down by the Astrakhan District Court to a specialist
  12. of
  13. the sales office of a cellular operator for "mobile breaking."]
  14. Verdict in case No. 1-148/2021
  15. The healthcare sector with the initiative from the Ministry of Internal Affairs
  16. Attacks on critical IT infrastructure hit the courts