Malware deployed against industrial control systems in the Middle East has origins in a Russian state-run research institution, cybersecurity experts said Tuesday.
FireEye, a Silicon Valley-based security firm investigating the cyberattacks, said it found several indicators connecting Moscow to malware known as “Triton,” effectively linking the Russian government to campaigns including an assault on a critical infrastructure facility in Saudi Arabia last August, among others.
“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow,” the company said in a blog post.
Discovered last year by Mandiant, a division of FireEye, Triton is designed to manipulate industrial safety systems, including specifically Triconex Safety Instrumented System (SIS) controllers sold by Schneider Electric, a multinational energy firm with customers in more than 100 countries, security researchers revealed previously.
“The targeted systems provided emergency shutdown capability for industrial processes,” Mandiant said when the firm published its initial findings last year. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations.”
More recently, The New York Times reported in March that “a petrochemical company with a plant in Saudi Arabia” was infected with Triton in August 2017, and that investigators believed the malware was “meant to sabotage the firm’s operations and trigger an explosion.”
Researchers analyzing the malware and related activity found “multiple independent” ties to Russia, CNIIHM and a particular person in Moscow with significant links to the research facility, according to the latest FireEye report.
Researchers did not links any specific attacks to the Russia government, but rather cited multiple clues linking Triton to Moscow, including computer code related to the malware and a particular IP address registered to CNIIHM.
Code analyzed by researchers contained a reference to either a “unique handle or user name” that is the same as an alias that has been active in the Russian information security communities since at least 2011, FireEye found. The same moniker has been previously credited with discovering security vulnerabilities, and a defunct social media profile placed them as being a professor at CNIIHM.
Researchers also traced malicious activity suspected of being related to Triton to a specific internet address registered to CNIIHM, 87.245.143.140, and found that the same address was used to monitor public reports involving the malware, FireEye found.
“We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information,” FireEye concluded.
FireEye’s analyses was first reported by Süddeutsche Zeitung, a German newspaper.
Officials in neither Russia nor Saudi Arabia immediately commented publicly on FireEye’s report.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.