Russian Research Lab Helped Develop TRITON Industrial Malware
FireEye, a cybersecurity company that provides services to protect against cyber attacks, claim they have discovered evidence of Russian involvement in the development of TRITON malware.
About TRITON Malware
TRITON malware, sometimes called Trisis, is Industrial Control System (ICS) malware that targets the Triconex Safety Instrumented System (SIS) controllers produced by Schneider Electric. These controllers are frequently used in oil and gas facilities and function autonomously, taking immediate action if a dangerous state is detected from its monitoring.
In December 2017 Symantec reported at a petrochemical plant in Saudi Arabia had been compromised by TRITON malware. It was believed at the time to be a state-sponsored attack.
Who is behind TRITON?
The attack on the Saudi Arabian petrochemical plant was believed to be state-sponsored from the beginning because the hacking group would have to possess advanced knowledge of Industrial Control Systems, something that is possible but unlikely from independent hackers.
FireEye believes with “high confidence” that a Moscow based lab is responsible for helping attacks with the industrial knowledge required, and additionally helped test its components in a targeted environment. The lab is called Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM).
In a statement of their findings, FireEye stated
An IP address [ 18.104.22.168] registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion,” FireEye wrote while pointing out evidence.
In addition to this behavioural patterns are consistent with Moscow time.FireEye state that they are not suggesting that the Moscow based lab is responsible for the end to end implementation of TRITON in the wild, but that it is highly likely that they were involved.
Russia hasn’t responded to the allegations but it is expected they will deny any involvement. The TRITON hacking group remain a major risk to critical infrastructure around the world