The United States has sanctioned a Russian government research institution for developing and deploying the Triton malware to target essential systems at critical infrastructure organisations in the U.S. and in the Middle East.
The sanctions were announced by the U.S. Treasury Department under the Countering America’s Adversaries Through Sanctions Act (CAATSA) against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for targeting a petrochemical facility in the Middle East in August 2017.
The Central Scientific Research Institute of Chemistry and Mechanics, a Russian government research facility, developed the Triton malware to target industrial control systems at critical infrastructure organisations in order to disable critical safety mechanisms and thereby prevent response to crisis situations.
In December 2017, security researchers at FireEye reported that Schneider Electric SE's Triconex safety instrumented system (SIS) technology, which provides emergency shutdown capability for industrial processes, had been targeted using the Triton malware.
The researchers said that Triton was built with a number of features, including the ability to read and write programmes, read and write individual functions and query the state of the SIS controller. The malware was also able to communicate with Triconex SIS controllers and remotely reprogramme them with an attacker-defined payload.
In April 2019, FireEye announced that the attackers behind Triton had used the malware framework again to target a second, unnamed critical infrastructure facility. The attackers leveraged dozens of custom and commodity intrusion tools to gain and maintain access to the facility's IT and OT networks.
“Triton is a serious threat to critical infrastructure systems on par with the likes of Stuxnet and Industroyer because it specifically targets industrial control systems with the capability to cause physical damage or shutdown operations,” said Edgard Capdevielle, CEO of Nozomi Networks and a FireEye partner.
“The safety systems targeted are key components for critical infrastructures as they are used to monitor industrial environments to ensure the safety of workers, environmental factors and other aspects of operations.
“Industrial companies with operations at risk should look to proven technologies that leverage artificial intelligence and machine learning to continuously monitor industrial control systems networks for anomalies, in order to detect and mitigate possible attacks that could cause harm to the industrial control systems,” he added.
According to the U.S. Treasury Department, the Triton malware was deployed to target a petrochemical facility in the Middle East in 2017 and hackers behind the malware have been found scanning and probing at least 20 electric utilities in the United States for vulnerabilities.
“The development and deployment of the Triton malware against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities. Previous examples of Russia’s reckless activities in cyberspace include, but are not limited to: the NotPetya cyber-attack, the most destructive and costly cyber-attack in history; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; the targeting of international organizations such as the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; and the 2019 disruptive cyber-attack against the country of Georgia,” the department said.
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies. This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it,” said Secretary of the Treasury Steven T. Mnuchin.
Suzanne Spaulding, Nozomi Networks advisor and former DHS Undersecretary, called the imposition of sanctions against the Russian research facility the right step, and said sanctions against a scientific research institute may impact the individuals who developed these tools more than sanctions against the Russian government might. Scientists, she said, thrive on their reputation; accusing them of threatening people's lives, and impacting their ability to collaborate internationally, may actually impose a significant cost.
“More broadly, when combined with other recent USG activity calling out Russian cyber activity, including recent indictments and alerts, Russia should be on notice that they cannot act with impunity–or at least not without attribution. The timing may be intended to warn against hacking into election infrastructure, or it may be designed to look tough on Russia for the American electorate, or both,” she added.