US sanctions Russian government institution in connection with Trisis malware

Written by and

The U.S. Treasury Department sanctioned a Russian government research institute on Friday that it said was connected to the strain of destructive malware frequently labeled the most dangerous in the world.

Known as Trisis or Triton, the malicious software is designed to target systems used to safely control emergency shutdowns of industrial plants. Last year, security researchers at Dragos determined that the hackers behind the tool had scanned the networks of U.S. electrical utilities, after the malware initially surfaced in 2017 at a Saudi petrochemical plant.

The sanctions mark the first time any government has publicly connected Trisis to Russia.

“In recent years, the Triton malware has been deployed against U.S. partners in the Middle East, and the hackers behind the malware have been reportedly scanning and probing U.S. facilities,” Treasury said it its sanctions announcement. “The development and deployment of the Triton malware against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities.”

Treasury pinned blame on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for supporting the 2017 attack in the Middle East. FireEye researchers had previously linked the research institution to the hacking group that deployed Trisis.

FireEye did not blame TsNIIKhM for the aspect of Trisis that targets industrial control systems, saying it did not have enough data to make that assessment. However, “the actors who deployed Triton used the exact same tools that the intrusion actors used,” said Nathan Brubaker, a senior manager at Mandiant Threat Intelligence.

Trisis is unique among malware in its risk to human safety at energy plants, according to Robert M. Lee, chief executive of industrial security company Dragos. He applauded the U.S. government for taking a strong stand against the dangerous malware.

“It’s appropriate for the U.S. government to focus sanctions on governments and their institutions for such attacks,” Lee added. “Focusing on naming and shaming government individuals misplaces the blame and provides an easy out for the government tasking the operation.”

The jarring attack on the Saudi petrochemical plant has been a learning experience for industrial cybersecurity experts ever since. A cybersecurity expert who responded to the incident has said that engineers at the plant missed a key opportunity to avoid a second shutdown caused by the malware, in August 2017.

The Russian Embassy in Washington, D.C., did not immediately respond to a request for comment on the sanctions.

U.S. agencies have set a blistering pace this week with warnings and punishments involving hacking and other online malfeasance connected to hostile foreign governments.

Friday’s sanctions follow those against alleged Iranian front companies that Treasury said Thursday were behind election influence operations. On Wednesday, national security officials accused Iran of being behind voter intimidation emails in Florida.

Also Thursday, the FBI and Cybersecurity and Information Security Agency blamed Russian government-linked hackers suspected in the breach of state and local networks. And the week began with the Justice Department announcing an indictment against six alleged Russian intelligence officers accused of involvement with some of the most high-profile hacking incidents in the world, such as the NotPetya outbreak. Russia faced cyber-related sanctions overseas this week, too.

-In this Story-

2020 elections, European Union, FireEye, industrial control systems (ICS), Iran, Russia, sanctions, Saudi Arabia, Treasury Department, Trisis, Triton