The US Treasury Department announced sanctions late last week on a Russian research institute allegedly involved in the development of Triton, a malware strain designed to attack industrial systems. The institute is the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, also known as CNIIHM or TsNIIKhM.
A FireEye report released in October 2018 identified CNIIHM as the possible creator of the Triton malware. Triton, also known as Trisis or HatMan, was designed specifically to target one type of Industrial Control System (ICS) equipment: Schneider Electric Triconex Safety Instrumented System (SIS) controllers.
According to technical reports from FireEye, Dragos and Symantec, the malware was distributed through phishing campaigns. Once it infected a workstation, it searched the victim's network for SIS controllers and then attempted to modify the controllers' settings.
The researchers said Triton contained instructions that could either shut down a production process or push SIS-controlled machines into an unsafe state, creating an explosion hazard and endangering the lives of the people who operate the machines.
The malware was first detected in 2017, after being used in a successful intrusion into a petrochemical plant in Saudi Arabia owned by Tasnee. During that attack, the plant came close to exploding.
Since then, the malware has targeted numerous companies around the world. In addition, the group behind it, known as TEMP.Veles or Xenotime, has targeted at least 20 US power utilities, which it has been scanning for vulnerabilities.
The sanctions now imposed on the Russian research institute prohibit US entities from interacting with CNIIHM and provide for the seizure of any assets the institute holds in the US.
Treasury Secretary Steven T. Mnuchin commented on the sanctions, saying that the Russian government continues to carry out dangerous activities in cyberspace targeting the US and its allies. He also stressed that the US government will continue to protect the country's critical infrastructure from anyone who tries to disrupt it.
Earlier last week, the US Department of Justice filed charges against six hackers from the Sandworm group, who allegedly developed the NotPetya, KillDisk, BlackEnergy and OlympicDestroyer malware. At the same time, CISA and the FBI revealed a recent hacking campaign attributed to the Russian group "Energetic Bear". The EU has also imposed sanctions on two Russian military intelligence officers for their role in the 2015 hack of the German Parliament.
However, as several security researchers pointed out on Twitter shortly after the Treasury Department announced the sanctions, the US may not benefit from this move, since it has itself carried out attacks against industrial systems in the past, through the development of the Stuxnet malware used against Iran's nuclear program in 2010.