Cybersecurity firm FireEye have discovered proof about the involvement of a Russian Research Lab in the development of the TRITON malware which had prompted several industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia.
TRITON which is also called as Trisis, is a piece of ICS malware designed to target the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and are used in oil and gas facilities.
Triconex Safety Instrumented System is an autonomous control system designed to independently monitor the performance of critical systems and in case of any dangerous situations have to automatically take necessary actions.
Malware with such potential cannot be created by a computer hacker unless having proper knowledge of Industrial Control Systems (ICS). So, the researchers believe that Moscow-based lab Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) have supported the attackers, dubbed as “TEMP.Veles,” with sufficient institutional knowledge in order to develop the TRITON framework and test its components in a targeted environment.
FireEye have reported in their blog that they have exposed various clues that relates the development and testing procedures of Triton malware to the Russian government, CNIIHM and a former professor at CNIIHM.
The blog says “An IP address [ 22.214.171.124] registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.”
The working patterns noted in the TEMP.Veles group activity are also compatible with the Moscow time zone, where the CNIIHM institute is located.
CNIIHM researchers have experience in critical infrastructure and the development of weapons and military equipment. Even then FireEye does not have any evidence whether institute was involved in deploying the Triton malware in the wild.
The FireEye researchers concludes that one possibility is that one or more CNIIHM employees could have performed any activity that connects TEMP.Veles to CNIIHM without the knowledge of their employer.
The Russian government and the CNIIHM institute have not replied to the FireEye report. Any such previous allegations from private cyber security firms were normally denied by the Russian government.
The malware however has the capability to cause severe, life-threatening damages to an organization or shut down its operations and so the main concern is that the hackers behind Triton still remains as an active threat to critical infrastructure across the globe.