On Friday, October 23, 2020, the Department of the Treasury's Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America's Adversaries Through Sanctions Act (CAATSA), a Russian government research institution connected to the destructive Triton malware. In October 2018, FireEye reported that it had found strong links between Triton and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a research organization owned by the Russian government. Triton targets the safety instrumented systems (SIS) that protect industrial processes, so it can disable or tamper with the safety response that should occur during an emergency. OFAC's announcement notes that Triton has been described as "the most dangerous activity publicly known." The Treasury Department now says CNIIHM is responsible for developing the customized tools used in the 2017 Triton attack on a Saudi Arabian petrochemical facility. The designation blocks any property CNIIHM holds under U.S. jurisdiction and generally prohibits U.S. persons and organizations from transacting with the Moscow-based institute.
Analyst Notes
OFAC stated that Triton was created to attack the industrial control systems (ICS) used within critical infrastructure facilities to ensure an immediate, safe shutdown in the event of an emergency. According to the Treasury statement, the malware was deployed via phishing emails and designed to manipulate these safety controllers, giving the attackers control over whether the plant's safety logic would run. The malware can cause "significant physical damage and loss of life," the US government said.

Companies and organizations that operate critical infrastructure should be aware that most threat actors targeting ICS start by infiltrating the business IT network and then move from the IT network into the Operational Technology (OT) network, or take advantage of Remote Desktop facilities that let operators connect directly to the computers running control system user interfaces. In the 2017 Triton incident, FireEye reported that the attackers obtained remote access to an SIS engineering workstation and used it to push the malware to the safety controllers, so the engineering workstation and the protocol it uses to program controllers deserve particular attention. It is important to monitor both the IT and OT networks for unusual activity, especially any traffic crossing the IT/OT boundary or reaching a safety controller from an unexpected host, and to respond quickly to prevent damage to equipment. Skilled analysts in a 24/7 Security Operations Center, such as the Binary Defense Security Operations Task Force, are crucial to monitor for security alerts and respond appropriately.
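The monitoring described above can be reduced to a few boundary rules over network flow records. The following is an added example written for this page, not code from Binary Defense, FireEye or the Treasury; the subnets, the controller and workstation addresses, and the flow records are all constructed for illustration. It flags RDP sessions that cross from the IT network into the OT network, any TriStation traffic (the Triconex programming protocol, which runs on UDP/1502) to a safety controller that does not come from an approved engineering workstation, and any direct contact between an IT host and a safety controller.

```python
"""
Added example (not from the original post or from Binary Defense/Treasury):
flag flows that cross from the IT network into the OT network over RDP, and
any TriStation traffic to a safety controller that does not originate from an
approved engineering workstation.  Subnets, hosts and the flow records below
are constructed for illustration only.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed network layout (constructed for this example).
IT_NETS = [ip_network("10.10.0.0/16")]
OT_NETS = [ip_network("10.50.0.0/16")]
# Assumed safety controllers and the only workstations allowed to program them.
SIS_CONTROLLERS = {ip_address("10.50.20.11"), ip_address("10.50.20.12")}
APPROVED_ENGINEERING_WS = {ip_address("10.50.10.5")}

RDP_PORT = 3389          # Remote Desktop into HMI / engineering hosts
TRISTATION_PORT = 1502   # Triconex TriStation protocol runs over UDP/1502


def _in_any(addr, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def classify_flow(flow: Dict) -> List[str]:
    """Return the list of alert reasons for one flow record (empty = benign)."""
    src = ip_address(flow["src"])
    dst = ip_address(flow["dst"])
    proto = flow["proto"].lower()
    dport = int(flow["dport"])
    reasons = []

    # 1. Any RDP session that crosses the IT/OT boundary.
    if (proto == "tcp" and dport == RDP_PORT
            and _in_any(src, IT_NETS) and _in_any(dst, OT_NETS)):
        reasons.append("rdp-it-to-ot")

    # 2. TriStation traffic toward a safety controller from anything that is
    #    not an approved engineering workstation.
    if (proto == "udp" and dport == TRISTATION_PORT
            and dst in SIS_CONTROLLERS and src not in APPROVED_ENGINEERING_WS):
        reasons.append("tristation-from-unapproved-host")

    # 3. A safety controller reached directly from the IT network, any port.
    if dst in SIS_CONTROLLERS and _in_any(src, IT_NETS):
        reasons.append("sis-reached-from-it")

    return reasons


def scan_flows(flows: List[Dict]) -> List[Dict]:
    """Run classify_flow over a batch and return only the flows that alerted."""
    alerts = []
    for f in flows:
        reasons = classify_flow(f)
        if reasons:
            alerts.append({**f, "reasons": reasons})
    return alerts


# Constructed sample flow records, as a firewall or NetFlow export might provide.
SAMPLE_FLOWS = [
    {"src": "10.10.4.23", "dst": "10.10.4.1",   "proto": "tcp", "dport": 445},   # IT file share, benign
    {"src": "10.10.4.23", "dst": "10.50.10.5",  "proto": "tcp", "dport": 3389},  # IT host RDP into OT eng. workstation
    {"src": "10.50.10.5", "dst": "10.50.20.11", "proto": "udp", "dport": 1502},  # approved programming session, benign
    {"src": "10.50.10.9", "dst": "10.50.20.12", "proto": "udp", "dport": 1502},  # unapproved OT host speaking TriStation
    {"src": "10.10.4.23", "dst": "10.50.20.11", "proto": "udp", "dport": 1502},  # IT host straight to a controller
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}  "
              f"{', '.join(a['reasons'])}")
```

Rule 2 is the one most specific to a Triton-style intrusion: an engineering workstation is normally the only host that should ever speak the programming protocol to a safety controller, so that allowlist is short and any deviation is worth a page to the SOC. Rule 1 will be noisy at sites that legitimately use RDP across the boundary, in which case it should be narrowed to the jump hosts that are supposed to do so.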
Source: https://home.treasury.gov/news/press-releases/sm1162
FireEye research blog: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html