FireEye, a cybersecurity company that offers security products and services, claims to have found evidence that the development of the TRITON malware is directly linked to a Russian research institute.
TRITON malware, also known as Trisis, is ICS malware developed to target the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric. Triconex SIS controllers are widely used in oil and gas facilities to keep equipment and production operating safely.
A Safety Instrumented System such as Triconex is an autonomous control system that monitors the state of critical processes; when it detects a dangerous or abnormal condition, the SIS takes immediate action, such as bringing the process to a safe state.
It is worth mentioning that malware with such capabilities cannot be developed by an attacker without knowledge of and experience with Industrial Control Systems (ICS). Security experts at FireEye claim there is a high probability that the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM, or ЦНИИХМ) provided the hacking team known as TEMP.Veles with institutional knowledge and help in developing the TRITON malware framework.
FireEye has uncovered a range of attribution clues that directly link the TRITON malware development and testing activities to the Russian government.
An IP address [18.104.22.168] registered to CNIIHM has been used by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
In addition, behavior patterns observed in the hacking group's activity are consistent with the Moscow time zone. However, even though researchers at CNIIHM have proven experience in critical infrastructure and in the development of weapons and military equipment, FireEye does not claim that the Moscow-based research institute was deploying the malware in the wild.
Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely.
Neither the Russian government nor the CNIIHM institute has responded to the report yet.
However, Russia's response is not hard to predict, given that the country and its government have repeatedly denied allegations from private cybersecurity companies in the past.
It is worth mentioning that the hacking group behind the malware is still active and poses a real threat to critical infrastructure around the world. The TRITON malware is able to cause severe damage or even shut down operations.