US Treasury Imposes Sanctions Against Russian Research Institute Over Triton Malware Attack

The Triton malware was allegedly developed by Russia's Research Institute of Chemistry and Mechanics for a cyberattack on a Saudi oil refinery and U.S. utility companies

In the last four years, U.S. intelligence agencies have found evidence of state-backed Russian hackers targeting government networks and businesses. But the U.S. government never imposed sanctions on Russian government agencies, until now. The U.S. Treasury Department in a statement called out Russia's Research Institute of Chemistry and Mechanics (TsNIIKhM) for developing a tool that was used in a cyberattack on a Saudi Arabian oil refinery in 2017.

As per the statement, TsNIIKhM, a government-owned research institute, developed Triton malware to target the industrial control system controller that is used in critical infrastructure. With the sanctions, the institute will not be able to engage in any activity with or in the U.S. This is also the first time that a Russian government agency has been held accountable.

"The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies. This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it," said Steven Mnuchin, Treasury Secretary.

Cyber attack
This is the first time, the U.S. has imposed sanctions on a government-backed institute for cyberattack Pixabay

Triton Malware

The main reason behind the sanction is the development of Triton malware. Cybersecurity firm Dragos found that the malware was used by a group of hackers and dubbed it as Xenotime. Deployed through a phishing attack, Triton was designed to disable the safety mechanism of Schneider Electric's Triconex Safety Instrumented System controllers. Another cybersecurity firm Symantec claimed that the malware exploited a vulnerability in the Windows operating system.

Once the hackers gained remote access to the safety mechanism workstation, Triton was deployed, inducing a failed safe state. It automatically shut down the plan, cybersecurity research company FireEye found. Further investigation validated the claims and observed that safety instrument system controllers initiated a safe shutdown.

Security researchers found that the malware was linked to the Moscow-based research institute. FireEye found that someone from TsNIIKhM tested Triton with a malware-testing platform. They also noticed a file that contained a hacker handle of an individual from the institute. Later, they found that the individual was a professor at TsNIIKhM.

What's Next?

However, since then the hacker group has used the malware to target U.S. utility companies. Triton was modified to target industrial control systems of even water and manufacturing plants. While it remains to be seen whether the sanctions actually prevent further cyberattacks by Xenotime, Dragos' cybersecurity researcher Joe Slowik who tracked the malware said it was a welcome move.

"Really this is taking the possibilities of a cyberphysical event beyond process disruption or destruction, to the possibility of using a cyber capability to kill someone," he told Wired, adding that by doing so the U.S. had sent a strong signal to Russia. "Cyberactivity that contains the potential—if not the outright intention of—harming or putting at risk human life is unacceptable."

This comes at a time when the U.S. intelligence agencies have constantly been warning against cyber threats from state-backed hackers from Russia, Iran and China. Recently, the FBI and Homeland Security revealed that Russian hackers were able to steal sensitive data from government networks. Earlier this week, the U.S. Justice Department indicted six hackers who were working on behalf of the GRU, Russia's military agency.

Related topics : Cybersecurity