The U.S. federal government, continuing its multifaceted effort to deter private groups and state actors involved in offensive cyber activity, has sanctioned a research institute funded by the Russian government that it says is connected with the development of the Triton ICS malware.
The Department of the Treasury’s Office of Foreign Assets Control on Friday announced the sanctions of the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, alleging that the institute is “responsible for building customized tools that enabled the attack” on a petrochemical plant in Saudi Arabia in 2017. The Triton malware framework was specifically designed for use against Triconex Safety Instrumented System controllers built by Schneider Electric and it was first discovered in the 2017 incident investigated by FireEye’s Mandiant unit. Triton was discovered thanks to some safety features in the system, which prevented the malware from fully functioning.
“The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message,” the original report on Triton from Mandiant in December 2017 says.
The Triton incident was significant for several reasons, mainly because it was the first strain of malware specifically targeted at industrial control systems to emerge since Stuxnet. The two share some similarities in terms of goals and functionality, though the results of the intrusions tied to them are wildly different. Where Triton did not ultimately succeed in causing any physical damage, Stuxnet did, and it led to years of speculation and intrigue in the security community about its origins. But within a year of the Triton incident, FireEye researchers had publicly attributed the use of the malware to the Central Scientific Research Institute of Chemistry and Mechanics, having traced it through a testing environment used by the TEMP.Veles Russian threat actor group.
“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow,” the attribution report from October 2019 says.
“While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.”
The action by OFAC means that U.S. persons cannot do business with the Central Scientific Research Institute of Chemistry and Mechanics, and any property or interests in the institute that U.S. persons have are blocked. Economic sanctions like this are part of the strategy that the U.S. government has used against terrorist organizations for many years, and it has begun to apply the same principles in trying to hem in the activity of cybercrime groups and state actors.
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Treasury Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”