The US Treasury Department announced sanctions against a Russian research institute for its alleged role in the development of the Triton malware.
“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian government research institution that is connected to the destructive Triton malware.” reads a press release published by the Department of the Treasury.
Triton is a strain of malware specifically designed to target industrial control systems (ICS) system that has been spotted by researchers at FireEye in December 2017.
The malware was first spotted after it was employed in 2017 in an attack against a Saudi petrochemical plant owned by the privately-owned Saudi company Tasnee. According to the experts, the infection caused an explosion.
“In August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton malware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.” continues the press release.
The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.
“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye in 2017.
“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”
Once gained access to the SIS system, the threat actor deployed the TRITON malware, a circumstance that indicates that attackers had a knowledge of such systems. According to FireEye the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.
The Triton malware interacts with Triconex SIS controllers., it is able to read and write programs and functions to and from the controller.
The hackers deployed the Triton malware on a Windows-based engineering workstation, the malicious code added its own programs to the execution table. In case of a failure, the malware attempts to return the controller to a running state, it also overwrites the malicious program with junk data if the attempt fails, likely to delete any track of the attack.
The US Treasury Department imposed sanctions on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).
In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.
FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.
“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.
Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service who has been active since 2013 has tested various tools across the time.
The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.
In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.
The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.
According to a now-defunct social media profile, the individual was a professor at CNIIHM.
FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.
The sanctions prohibit US entities from engaging with CNIIHM and also seize any asset on the US soil belonging to the research institute.
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
“TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.” concludes the press release.
“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint report that provides details about a hacking campaign of a Russian hacking group known as Energetic Bear.
(SecurityAffairs – hacking, Triton)