


Triton Malware Linked to Russian Government Research Institute

The development of the malware tracked as Triton, Trisis and HatMan was supported by a research institute owned by the Russian government, FireEye reported on Tuesday.


The Triton attack, aimed at industrial control systems (ICS) at a critical infrastructure organization in the Middle East, came to light in December 2017. The malware targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, including via the use of a zero-day vulnerability, and it was discovered after a process shutdown that experts believe was accidentally triggered by the hackers.

Several companies have analyzed the attack and the threat actor behind it, including industrial cybersecurity firm Dragos, which tracks the group as Xenotime, and FireEye.

FireEye now says it has uncovered a strong link between the Triton intrusion (the cybersecurity firm tracks this activity as TEMP.Veles) and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government.

FireEye has presented several pieces of evidence that show a connection between Triton and the CNIIHM, and the company claims to be in possession of even more information that reinforces the link, but which has been withheld due to its sensitive nature.

FireEye has pointed out that while there is strong evidence suggesting that the Russian institute has been involved in the development of some tools used in the Triton attack, it does not claim that the entire Triton framework is the work of this organization.

There are several aspects that have led to FireEye assessing with “high confidence” that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. One of the most important clues is related to the testing of some TEMP.Veles tools in a malware testing environment — the security firm has not named the service, but one of the most widely used is VirusTotal.

FireEye’s researchers discovered that a user who has been active in the aforementioned testing environment since 2013 has on several occasions tested various tools, including many customized versions of widely available applications such as Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.


The goal was apparently to ensure that the custom versions would evade detection by security software. Researchers pointed out that many of the tools were used in TEMP.Veles attacks just days after being analyzed in the malware testing environment.

A path contained in one of the tested files led investigators to the online moniker of a Moscow-based individual who had been involved in vulnerability research and who had apparently been a professor at CNIIHM.

Experts also discovered that one IP address registered to the Russian institute had been linked to Triton. The activity tied to that address includes monitoring open source coverage of the attack, conducting reconnaissance against TEMP.Veles targets, and various other types of malicious activity in support of the Triton intrusion.

The presence of multiple files with Cyrillic names and artifacts also reinforces the link to Russia, along with behavior patterns consistent with Moscow’s time zone.

Researchers also pointed out that CNIIHM’s knowledge and personnel would make it highly capable of developing the Triton malware. It has research departments that specialize in the protection of critical infrastructure and the development of weapons and military equipment, and it collaborates with a wide range of other organizations, including ones involved in computer science, electrical engineering, defense systems, and information technologies.

It’s also possible, FireEye explained, that some employees of CNIIHM conducted these activities without the knowledge or approval of the organization. However, the company believes this scenario is less likely considering that the activity spans several years and that the institute’s capabilities are consistent with what one would expect of the entity behind the Triton campaign.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
