
U.S. Treasury Sanctions Russian Institute Linked to Triton Malware

The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against a Russian government institute connected to the destructive Triton malware.

Initially identified in 2017 on the systems of a Saudi Arabian oil and gas company and also referred to as Trisis and HatMan, Triton is known for the targeting of Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.

Referred to by some as Xenotime, the threat actor behind the malware is believed to have been active since at least 2014, and at one point it expanded activities to Australia, Europe, and the US, and added electric utilities to its target list.

In 2018, FireEye associated Triton with the Russian technical research organization Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM).

At SecurityWeek’s 2019 ICS Cyber Security Conference in Singapore, FireEye revealed that evidence connecting Triton with CNIIHM started disappearing following the publishing of their 2018 report, including photos, details on internal structure, and information on associated IP addresses.

OFAC, which notes that Triton has been labeled “the most dangerous activity publicly known,” announced on Friday sanctions against CNIIHM, or TsNIIKhM (the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics), essentially prohibiting Americans from engaging with the institution.

This Russian government-controlled research organization, the Treasury Department says, is responsible for the development of customized tools that made possible the 2017 attack against the Saudi Arabian petrochemical facility.

Pursuant to section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), the Treasury Department designated TsNIIKhM “for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.”

The Triton malware, OFAC says, was specifically created to target industrial control systems (ICS) that are used within critical infrastructure facilities to ensure immediate shutdown in the event of an emergency.

Deployed via phishing emails, the malware was designed to manipulate these safety controllers, providing attackers with full control over the infected systems. The malware can cause “significant physical damage and loss of life,” the US government said.

In an emailed comment, Robert M. Lee, CEO and co-founder of industrial cybersecurity firm Dragos, said, “An OFAC sanction by the U.S. Treasury is significant and compelling; not only will it impact this research institution in Russia, but anyone working with them will have their ability to be successful on the international stage severely hampered.”

“The most important aspect of this development, however, is the attribution to Russia for the TRISIS attack by the USG officially and the explicit call out of industrial control systems in the sanction. This is a norm setting moment and the first time an ICS cyber-attack has ever been sanctioned. This is entirely appropriate as this cyber-attack was the first ever targeted explicitly towards human life. We are fortunate no one died and I’m glad to see governments take a strong stance condemning such attacks,” he continued.

Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence, commented, “TRITON malware was designed to disable the safety systems which form one of the last lines of protection in industrial systems. With control of these safety systems hackers could potentially allow an unsafe state to occur or worse yet, use their access to other control systems to cause an unsafe state, then allow that state to continue, potentially causing dangerous conditions and threaten human life.

“Fortunately, TRITON was discovered when safety systems recognized an abnormality during an intrusion and shut operations down at a plant. In the following months, Mandiant was able to track the intrusion to the Russian lab that is being sanctioned and publicly expose their involvement. This was a dangerous tool that may have been used to do real physical harm. We’re fortunate that it was found in the manner it was, giving us a chance to dig into the actors behind the scenes.”
