The Rostov Regional Court has issued a guilty verdict against a former engineer of an enterprise of the military-industrial complex (MIC), who hacked a computer at his place of work. The IT engineer, being at the place of work, disabled the means of protecting computer information of the software and hardware complex.
Convicted of IT hacking
The Rostov Regional Court upheld the verdict of Valery Shaburov, a former employee of the defense industry enterprise, who was sentenced to three years in a penal colony for illegally influencing the information infrastructure of the enterprise. This was announced on June 5, 2024 by the press service of the Rostov Region Department of the Federal Security Service (FSB) of Russia.
According to the FSB, an engineer of one of the Don defense industry enterprises intended to get into the company's database. While at work, the IT engineer neutralized the computer information protection tool of the software and hardware complex, planning to copy data about the production process for their subsequent modification.
A criminal case was opened against Valery Shaburov under Part 4 of Article 274.1 of the Criminal Code of the Russian Federation ("Unlawful influence on the critical information infrastructure (CII) of Russia").
The Kamensky District Court found Valery Shaburov guilty of committing a crime under part 4 of Article 274.1, and also imposed a sentence of three years ' imprisonment to be served in a general regime penal colony, with deprivation of the right to engage in activities related to access to the CII of Russia for a period of two years. The Rostov Regional Court upheld the verdict in early June 2024.
Critical information infrastructure
Critical information infrastructure refers to a set of automated production and technological process management systems for critical Russian facilities and information and telecommunications networks that ensure their interaction, as well as IT systems and communication networks designed to solve public administration, defense, security and law enforcement tasks.
In early May 2024, the Federal Service for Technical and Export Control (FSTEC) published a methodology for assessing the state of technical information protection and security of significant CII facilities in Russia. The rules apply to government agencies, organizations in the field of communications, energy, banking, and other significant sectors of the economy.
The FSTEC document states that the methodology defines an indicator that characterizes the current state of technical protection of information that is not a state secret, and (or) ensuring the security of significant CII objects. The assessment should be carried out at least once every six months. Organizations should conduct an extraordinary security check in the event of an information security incident with negative consequences or when the architecture of information systems changes. In addition, such verification can be initiated at the request of the FSTEC.
The initial data required for assessing the security indicator can be: reports, protocols or other documents compiled based on the results of internal security level control; results of an inventory of information systems; internal organizational and administrative documents regulating the organization of information protection; reports compiled based on the results of an external assessment. The FSTEC separately explained that the results of a survey of employees of an organization about their performance of functions using information systems (IS) and (or) information security (IS) can be taken into account.
Legislation
In order to form a regulatory framework regarding criminal liability for violations of the law on CII, the legislator amended the Criminal Code (CC) of Russia by adopting a separate Federal Law No. 194-FZ of 26.07.2017 "On Amendments to Certain Legislative Acts of Russia in connection with the adoption of the Federal Law "On the Security of Critical Information Infrastructure of the Russian Federation". Article 274.1. Undue influence on CII of Russia.
In the third part, it is stated that the violation of the rules for the operation of means of storing, processing or transmitting protected computer information contained in the CII of Russia, or IP, information and telecommunications networks, automated control systems, telecommunications networks related to the CII of Russia, or the rules for access to the specified information, information systems, information and telecommunications networks if it has caused harm to the CII of Russia, - is punishable by forced labor for a term of up to five years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years, or by deprivation of liberty for a term of up to six years with deprivation of the right to hold certain positions activity for a period of up to three years or without it.
In the fourth part, it is reported that the acts provided for in part one, two or three of this article, committed by a group of persons by prior agreement or an organized group, or by a person using his official position, are punishable by imprisonment for a term of three to eight years with deprivation of the right to hold certain positions or engage in certain activities for three years or less.
The fifth part states that the acts provided for in part one, two, three or four of this article, if they have entailed grave consequences, are punishable by imprisonment for a term of five to ten years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years.
Convicted of IT hacking
The Rostov Regional Court upheld the verdict of Valery Shaburov, a former employee of the defense industry enterprise, who was sentenced to three years in a penal colony for illegally influencing the information infrastructure of the enterprise. This was announced on June 5, 2024 by the press service of the Rostov Region Department of the Federal Security Service (FSB) of Russia.
According to the FSB, an engineer of one of the Don defense industry enterprises intended to get into the company's database. While at work, the IT engineer neutralized the computer information protection tool of the software and hardware complex, planning to copy data about the production process for their subsequent modification.
A criminal case was opened against Valery Shaburov under Part 4 of Article 274.1 of the Criminal Code of the Russian Federation ("Unlawful influence on the critical information infrastructure (CII) of Russia").
The Kamensky District Court found Valery Shaburov guilty of committing a crime under part 4 of Article 274.1, and also imposed a sentence of three years ' imprisonment to be served in a general regime penal colony, with deprivation of the right to engage in activities related to access to the CII of Russia for a period of two years. The Rostov Regional Court upheld the verdict in early June 2024.
Critical information infrastructure
Critical information infrastructure refers to a set of automated production and technological process management systems for critical Russian facilities and information and telecommunications networks that ensure their interaction, as well as IT systems and communication networks designed to solve public administration, defense, security and law enforcement tasks.
In early May 2024, the Federal Service for Technical and Export Control (FSTEC) published a methodology for assessing the state of technical information protection and security of significant CII facilities in Russia. The rules apply to government agencies, organizations in the field of communications, energy, banking, and other significant sectors of the economy.
The FSTEC document states that the methodology defines an indicator that characterizes the current state of technical protection of information that is not a state secret, and (or) ensuring the security of significant CII objects. The assessment should be carried out at least once every six months. Organizations should conduct an extraordinary security check in the event of an information security incident with negative consequences or when the architecture of information systems changes. In addition, such verification can be initiated at the request of the FSTEC.
The initial data required for assessing the security indicator can be: reports, protocols or other documents compiled based on the results of internal security level control; results of an inventory of information systems; internal organizational and administrative documents regulating the organization of information protection; reports compiled based on the results of an external assessment. The FSTEC separately explained that the results of a survey of employees of an organization about their performance of functions using information systems (IS) and (or) information security (IS) can be taken into account.
Legislation
In order to form a regulatory framework regarding criminal liability for violations of the law on CII, the legislator amended the Criminal Code (CC) of Russia by adopting a separate Federal Law No. 194-FZ of 26.07.2017 "On Amendments to Certain Legislative Acts of Russia in connection with the adoption of the Federal Law "On the Security of Critical Information Infrastructure of the Russian Federation". Article 274.1. Undue influence on CII of Russia.
In the third part, it is stated that the violation of the rules for the operation of means of storing, processing or transmitting protected computer information contained in the CII of Russia, or IP, information and telecommunications networks, automated control systems, telecommunications networks related to the CII of Russia, or the rules for access to the specified information, information systems, information and telecommunications networks if it has caused harm to the CII of Russia, - is punishable by forced labor for a term of up to five years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years, or by deprivation of liberty for a term of up to six years with deprivation of the right to hold certain positions activity for a period of up to three years or without it.
In the fourth part, it is reported that the acts provided for in part one, two or three of this article, committed by a group of persons by prior agreement or an organized group, or by a person using his official position, are punishable by imprisonment for a term of three to eight years with deprivation of the right to hold certain positions or engage in certain activities for three years or less.
The fifth part states that the acts provided for in part one, two, three or four of this article, if they have entailed grave consequences, are punishable by imprisonment for a term of five to ten years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years.
