Connect with us

Hi, what are you looking for?



Russian Hackers Scrambled to Erase Digital Footprints After Triton Attribution Report

FireEye on Triton malware at ICS Cyber Security Conference

FireEye on Triton malware at ICS Cyber Security Conference

SINGAPORE — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the pieces of digital evidence that led to security researchers linking the notorious Triton malware to a Russian research institute were removed after the information was made public.

A blog post published in October 2018 by cybersecurity firm FireEye assessed with “high confidence” that the Triton malware, also known as Trisis and HatMan, was linked to Russia, specifically the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government.

FireEye, which tracks this activity as TEMP.Veles, analyzed some of the Triton-associated tools uploaded to online malware analysis services and stumbled upon a path that led researchers to the online moniker of a Moscow-based individual who had been involved in vulnerability research and who had apparently been a professor at CNIIHM.

However, a few weeks after FireEye published its attribution report, the company noticed that some of the evidence had started disappearing from the internet, Yihao Lim, senior cyber threat intelligence analyst at FireEye, said on Wednesday at SecurityWeek’s ICS Cyber Security Conference in Singapore.

Nathan Brubaker, who leads the FireEye Intelligence Cyber-Physical team, told SecurityWeek that within 2-4 weeks of FireEye’s blog post being published they noticed that CNIIHM had removed many photos from its website, including one showing the individual who allowed them to make the connection between Triton and the institute.

Brubaker said they also noticed that some information related to the department the individual worked in was also altered.

Furthermore, registrant (WHOIS) data associated with an IP address range used by the institute had been masked a little over two weeks after FireEye’s blog post was published — it initially clearly showed that the IP range belonged to CNIIHM, but all references to CNIIHM were later removed. FireEye had seen one of these IPs doing network reconnaissance against critical infrastructure organizations and it had been involved in other malicious activity supporting TEMP.Veles.

Registrant data changed for Triton-linked IPs

The cybersecurity firm has not made public all the evidence that led it to conclude that CNIIHM has contributed to the development of the Triton framework, but it has disclosed several of the clues it has found. FireEye has highlighted that it does not claim the entire Triton framework is the work of this organization.

Advertisement. Scroll to continue reading.

It pointed out that CNIIHM’s knowledge and personnel would make it highly capable of developing the Triton malware. It has research departments that specialize in the protection of critical infrastructure and the development of weapons and military equipment, and it collaborates with a wide range of other organizations, including ones involved in computer science, electrical engineering, defense systems, and information technologies.

When it published its attribution report, FireEye mentioned that while it’s possible some CNIIHM employees conducted these activities without the knowledge of the organization, this scenario is unlikely considering that the activity spans several years. The apparent clean-up effort seems to reinforce CNIIHM’s involvement.

The existence of Triton came to light in 2017 after the malware triggered a Schneider Electric safety system and caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the incident and the company said it recently responded to another attack carried out by the Triton group against a critical infrastructure facility. However, it could not share any information about the target of this second attack, but it did clarify that the actual Triton malware was not observed in the operation.

The security firm recently published more details on the techniques and tools used by the Triton attackers and noted that the group focused on maintaining access, moving laterally, conducting reconnaissance, and avoiding being detected, rather than stealing information from compromised devices.

Industrial cybersecurity firm Dragos, which tracks the group behind Triton as Xenotime, reported last year that the hackers had expanded their list of targets to outside the Middle East and had started targeting a wider range of safety systems.

Related: Industry Reactions to New Triton Attacks on Critical Infrastructure

Related: Triton ICS Malware Developed Using Legitimate Code

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.