A Russian government "research institution" has been sanctioned by the United States for developing destructive malware directly threatening the lives of people worldwide.

Hit by sanctions from the U.S. Department of the Treasury is Russia's "State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics" (TsNIIKhM). This government-controlled research institution builds customized tools that enable cyberattacks by Russian state hackers.

TsNIIKhM was specifically sanctioned for developing the destructive malware named "Triton." Also known as TRISIS and HatMan, Triton was designed specifically to target and manipulate industrial safety systems. These systems allow the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life.

Triton targets a specific industrial control system (ICS) controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. It was initially deployed through a phishing attack against a petrochemical facility. Once the malware gained a foothold, its operators attempted to manipulate the facility's ICS controllers.

The sanctions mean all property and interests in property of TsNIIKhM "that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them."

In addition, any entities 50% or more owned by one or more designated persons are also blocked. Non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.

The Treasury Department said cyber actors behind Triton have been referred to by the private cybersecurity industry as "the most dangerous threat activity publicly known."

"The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies," said Treasury Secretary Steve Mnuchin.

The Americans said that in August 2017, a petrochemical facility in the Middle East was the target of a Triton cyberattack supported by TsNIIKhM.

During the attack, the facility automatically shut down after several of the ICS controllers entered into a failed safe state. This attack, however, ultimately led to the discovery of Triton. Researchers investigating Triton and the cyberattack reported that Triton was designed to give the attackers complete control of infected systems. Triton also has the capability to cause significant physical damage and loss of life.

In 2019, the attackers behind Triton were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.

"This was a dangerous tool that may have been used to do real physical harm," Nathan Brubaker, senior manager of analysis at FireEye's Mandiant Threat Intelligence, told The Hill. "We're fortunate that it was found in the manner it was, giving us a chance to dig into the actors behind the scenes."