FireEye claims that TRITON malware is linked to Russian research institute

by Julie Splinters - -

Cybersecurity company that offers security products and services, FireEye[1] claims to find evidence that the development of the TRITON malware is directly linked to a Russian research institute.

triton linked to russia

TRITON malware, also known as Trisis malware, is an ICS malicious program that has been developed in order to target the Triconex Safety Instrumented System, also known as SIS, controllers, created by Schneider Electric. The Triconex SIS controllers are widely used in oil and gas facilities, to keep equipment and production operating safely.[2]

Triconex Safety Instrumented System is an autonomous control system that is developed to monitor the performance of critical systems, in case of any suspicious and dangerous state, the SIS takes immediate actions.

It is worth to mention that the malware having such capabilities cannot be developed by an attacker without knowledge and experience in Industrial Control Systems (ICS), security experts at FireEye, claims that there is a high possibility, that Moscow-based lab Central Scientific Research Institute of Chemistry and Mechanics, aka ЦНИИХМ, provided hacking team known as TEMP.Veles with some institutional knowledge and help to develop the TRITON malware framework.[3]

FireEye has uncovered a range of attribution clues that directly link the TRITON malware development and testing activities to the Russian government.

An IP address [] registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.

In addition, behavior patterns that have been observed by the hacking group are consistent with the Moscow time zone. However, even though researchers at CNIIHM have proven experience in critical infrastructure and the development of weapons and military equipment, FireEye do not claim that the Moscow-based Research Institute was deploying the malware in the wild.

Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely.

The Russian government has not responded to the report yet, nor the CNIIHM institute.

However, it is not that hard to predict Russia’s response, knowing that the country and its government has repeatedly denied any allegations from private cybersecurity companies in the past.

It is worth to mention that the hacking group behind the malware is active and poses real threats to critical infrastructure around the world. The Triton malware is able to cause severe damage or even shut down the operations.

Make sure to protect your devices against malicious and unwanted software by using only reputable security software.

Important! Make sure to run a full system scan using a legitimate and reliable antivirus and internet security software for your PC which will detect and remove all kinds of PUPs, malware and viruses. If you are not sure what security software to choose, make sure to check out our Security page.

We highly recommend you the following:

Our security team at Reviewed by Pro constantly tries new products in order to provide you with up-to-date information and reviews of the latest Internet security and antivirus applications not just for your Windows PC, but also for your Mac and Android devices.

About the author

Julie Splinters
Julie Splinters - VPN service analyst

Julie Splinters is a VPN service analyst at, who specializes in VPN services and anti-spyware applications. Her major of English Philology and her passion for IT helped her choose the path of an IT writer.

Contact Julie Splinters
About the company Esolutions


Your opinion regarding FireEye claims that TRITON malware is linked to Russian research institute

now online
Like us on Facebook