Treasury sanctions Russian research center blamed for Trisis malware


The U.S. Treasury Department’s latest round of sanctions against Russians includes leaders of the institute that allegedly developed the infamous Trisis malware, as well as the researcher indicted earlier this month in that case.

On Thursday the department’s Office of Foreign Assets Control added the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, to the list of entities sanctioned since Russia’s invasion of Ukraine began.

Also designated were Sergei Alekseevich Bobkov, the institute’s director; Konstantin Vasilyevich Malevanyy, its deputy director; and Evgeny Viktorovich Gladkikh, the researcher accused of developing Trisis in an indictment unsealed March 24. Cybersecurity researchers have determined that the Trisis malware, also known as Triton, was used to target a petrochemical plant in Saudi Arabia in 2017.

“Gladkikh, along with other TsNIIKhM and ADC employees, played a crucial role in the August 2017 Triton malware cyber-attack, specifically targeting the petrochemical facility’s safety instrumented systems, seeking to disrupt the facility’s cybersecurity systems, as well as the facility’s distributed control systems,” the Treasury said in a news release Thursday. “Gladkikh’s malicious cyber actions resulted in the facility undergoing an emergency shutdown on at least two occasions.”

Trisis was built to target industrial control systems and supervisory control and data acquisition (SCADA) technology, and in particular the safety instrumented systems that are supposed to force a plant into a safe state when process conditions go out of bounds. Gladkikh is involved in that kind of research and also has “extensive experience working network exploitation and penetration testing,” Treasury said.

The State Department’s Rewards for Justice program has offered a reward of up to $10 million for information leading to his identification or location.

The list of other entities sanctioned Thursday includes:

• Moscow-based OOO Serniya Engineering, which “is at the center of a procurement network engaged in proliferation activities at the direction of Russian Intelligence Services,” Treasury said.
• Moscow-based OOO Sertal, which also works “to illicitly procure dual-use equipment and technology for Russia’s defense sector.”
• Russia-based OOO Robin Treid, United Kingdom-based Majory LLP, United Kingdom-based Photon Pro LLP and Spain-based Invention Bridge SL, which are “front companies utilized by Serniya to facilitate its procurement of key equipment for the Government of the Russian Federation.”

The European Union and Japan have placed export-related restrictions on Serniya, Sertal and Photon Pro recently.

“The UK is also taking coordinated action on the companies within its jurisdiction,” Treasury said.