FireEye links Russia-owned lab to group behind Trisis

A Russian-owned research institute very likely helped build tools used by an infamous hacking group that caused a petrochemical plant in Saudi Arabia to shut down last year, cybersecurity company FireEye said Tuesday.

A series of clues implicates the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Moscow-based lab, in developing tools used by the group known as Xenotime or TEMP.Veles, according to FireEye. The group is known for malware, dubbed Triton or Trisis, designed to disrupt industrial control system (ICS) software that allows industrial plants to safely shut down.

FireEye has tied the testing of malware used by TEMP.Veles to CNIIHM, specifically someone who has been identified as a professor at the institute. Further, an IP address registered to CNIIHM has been employed by Triton’s operators for multiple purposes, “including monitoring open-source coverage of Triton, network reconnaissance, and malicious activity in support of the Triton intrusion,” FireEye said in a blog post.

FireEye’s attribution of CNIIHM’s involvement with TEMP.Veles did not extend to the specific Triton attack framework: the company said it did not have evidence proving that CNIIHM developed that ICS-tailored toolset. However, the Russian lab likely does have “the institutional expertise needed to develop and prototype Triton,” the blog post states.

FireEye has not identified the target of last year’s incident, but reporting by CyberScoop and other news outlets has revealed it to be a petrochemical plant in Saudi Arabia. The Triton malware has turned heads in the ICS cybersecurity world because of its potential to cause physical harm. In May, CyberScoop reported that the hacking group behind Triton had expanded operations beyond the Middle East and was targeting U.S. companies.

CNIIHM could not be reached for comment.

FireEye was able to gather multiple attribution clues from the malware testing environment due to what appeared to be lax operational security precautions in that environment, according to John Hultquist, the company’s director of threat intelligence. TEMP.Veles went back and forth between the testing environment and the target until the group fine-tuned the malware, he said.

Hultquist said malicious hackers’ willingness to target ICS safety-related systems had raised the stakes in cyberspace. “We may yet see an incident that’s entirely accidental that appears to be a deliberate attack,” he told CyberScoop.

German newspaper Süddeutsche Zeitung was first to report on FireEye’s attribution.

FireEye’s linking of CNIIHM with TEMP.Veles comes at a prolific time for Russian hackers.

Last week, cybersecurity company ESET published research showing that the broad set of hackers who disrupted the Ukrainian power grid in 2015 and 2016 had evolved while continuing to target Eastern European energy companies. Western governments have linked the group known as Sandworm, which was behind the 2015 Ukrainian grid attack, to Russia’s military intelligence directorate.

The Kremlin has denied being behind such cyberattacks on critical infrastructure.