Russian Research Lab Involved in the Development of TRITON Malware, Says FireEye
Cybersecurity firm FireEye says it has evidence linking a Russian government-owned research institute to the development of the TRITON industrial control system (ICS) malware.
A blog post published by FireEye on October 23, 2018, says, “FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow.”
TRITON, it should be remembered, caused a petrochemical plant in Saudi Arabia to shut down in 2017 when the safety system it was tampering with tripped. Also known as Trisis, this ICS malware targets the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric, which are widely deployed in oil and gas facilities. Malware with TRITON's capabilities, which include speaking the controller's own engineering protocol, cannot be written by an attacker who lacks detailed knowledge of ICS and of the Triconex platform itself.
In the blog post, FireEye lays out the attribution clues that support this assessment. The blog post states, “FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion,” and adds, “Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.”
The blog post also points out, “An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.”
FireEye also notes that the timing of TEMP.Veles activity is consistent with working hours in the Moscow time zone.
The FireEye post adds, “We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.”
FireEye does acknowledge the possibility that one or more employees of the institute acted on their own. The blog post states, “While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer’s approval, the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute.”
At the time of writing, neither the Russian government nor CNIIHM had responded to FireEye's claims.
By Julia Sowells
Julia Sowells is a technology and security professional with a decade of experience. She has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.