In October of 2020, the US Treasury Department announced new sanctions against a Russian research institute alleged to have been key to the development of Triton, a malware strain used to attack industrial equipment. The research institute is known as the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics or CNIIHM.
An October 2018 report from FireEye previously identified CNIIHM as the possible author of Triton malware. Triton, also known as Trisis or HatMan, is a malware designed to target industrial control systems, specifically, Schneider Electric Triconex Safety Instrumented System or (SIS) controllers.
This latest campaign has been distributed via phishing attacks. Once downloaded, Triton searches for SIS controllers on a victim’s network and then attempts to modify controller settings. Triton can potentially either shut down a production process or allow SIS-controlled machines to work in an unsafe manner, potentially causing explosions and putting the lives of human operators at risk.
Triton Involved in Near Explosion at Saudi Petrochemical Plant
Triton was initially spotted after it was used successfully in 2017 during an attack at a Saudi petrochemical plant where it almost caused an explosion. The Treasury Department sanctions prohibit US entities from engaging with CNIIHM and allow the US government to seize any of the research institute’s US-based assets.
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
Although the US is taking a hardline position on Russia over Triton, people will remember that the US pioneered attacks against industrial systems through its deployment of the Stuxnet malware against Iran’s nuclear program in 2010, which many people consider the first instance of state-sponsored cyberwarfare.
If you are still having trouble, consider contacting remote technical support options.
