The United States Treasury has imposed sanctions on a Russian state-funded research institute that was linked to malware used in an attack on a Middle East petrochemical facility.
In October 2018, researchers at FireEye attributed industrial control system (ICS) intrusion activity known as TRITON to a professor at the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). The malware is known also as TRISIS and HatMan in open source reporting.
TRITON was deployed against a Saudi Arabian petrochemical facility in August 2017, where it was observed targeting emergency shutdown capabilities for industrial processes.
Researchers who investigated the cyber-attack reported that the malware was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life.
The Treasury Department said that CNIIHM built customized tools that enabled the assault, producing malware designed to tamper with the facility’s critical safety mechanisms.
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
In a designation released October 23, the department said that the institute is “connected to the destructive TRITON malware” which “was designed specifically to target and manipulate industrial safety systems.”
According to the department, TRITON’s operators had turned their attention to targets in the United States.
“In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities,” said the department.
As a result of the sanctions on CNIIHM, people in the United States are prohibited from engaging in transactions with the institute.
“While the Russian government claims to be a responsible actor in cyberspace, it continues to engage in dangerous and malicious activities that threaten the security of the United States and our allies,” said US Secretary of State Mike Pompeo.
“We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions.”