Russian government research institute likely involved in 'TRITON' malware targeting safety systems at critical infrastructure facilities
The malware "TRITON", which targets safety systems at oil and gas facilities, had long been suspected of having a state actor behind it. FireEye, a provider of cyber security products, has now investigated and reported that "a research institute owned by the Russian government was most likely involved."

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers | FireEye Inc
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware
https://thehackernews.com/2018/10/russia-triton-ics-malware.html
The malware "TRITON", which targets industrial control systems (ICS), first drew attention in 2017. FireEye, a provider of information security products, reported that it had detected, at a Saudi Arabian petrochemical plant and elsewhere, malware that illegally manipulates the safety device responsible for triggering an emergency shutdown, and expressed the view that a state actor was likely involved in the malware's development.

Then, on 23 October 2018, FireEye announced newly found "evidence that a research institute belonging to the Russian government was involved in the development of TRITON."

TRITON, also known as Trisis, is designed to target Schneider Electric's Triconex safety instrumented system (SIS). This system is widely used at oil and gas facilities: it monitors the state of the industrial process and automatically takes an action such as an emergency shutdown as soon as it detects a dangerous condition. Because malware targeting such a system cannot be designed without ICS expertise, FireEye's researchers assess "with considerable confidence" that the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) assisted the attacker group that FireEye tracks as "TEMP.Veles."
In its new report, FireEye states that "IP addresses registered to CNIIHM were used by TEMP.Veles for multiple purposes," that "an investigation of TRITON's testing activity found links to the Russian government, CNIIHM, and a specific individual based in Moscow," that "the activity pattern of TEMP.Veles is consistent with the time zone of Moscow," and that "CNIIHM possesses the ICS expertise and the personnel capable of assisting in the orchestration of TRITON development and TEMP.Veles operations."

Neither the Russian government nor CNIIHM had commented on FireEye's announcement at the time of writing.
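One of the indicators FireEye cites is that the group's activity pattern is consistent with Moscow's time zone. The following is an added example, not code from the original article or from FireEye, of how an incident responder can test such a claim: take the UTC timestamps of attacker actions recovered from forensic artifacts, shift them into a set of candidate time zones, and see in which zone the activity clusters most tightly inside weekday working hours. The timestamps below are constructed for this example and are not real TEMP.Veles data; the candidate zones are fixed UTC offsets chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: UTC timestamps of hypothetical intrusion activity
# (for example logon events or tool execution times recovered from a host).
# These are NOT real TEMP.Veles timestamps; they are invented for this example.
SAMPLE_EVENTS_UTC = [
    "2018-10-22T06:30:00Z", "2018-10-22T08:15:00Z", "2018-10-22T11:00:00Z",
    "2018-10-22T13:45:00Z", "2018-10-23T07:05:00Z", "2018-10-23T10:30:00Z",
    "2018-10-23T14:20:00Z", "2018-10-24T06:50:00Z", "2018-10-24T12:10:00Z",
    "2018-10-25T09:40:00Z", "2018-10-25T15:30:00Z", "2018-10-27T08:00:00Z",
]

# Fixed UTC offsets (assumption for this example) rather than named zones, so
# the code runs without a tz database. Moscow has used UTC+3 year-round since
# 2014; the other offsets are standard-time values and ignore DST, which a
# real analysis over a long period must take into account.
CANDIDATE_ZONES = {
    "UTC+3 (Moscow)": 3,
    "UTC+0": 0,
    "UTC+8 (Beijing)": 8,
    "UTC-5 (US Eastern, standard time)": -5,
}

WORK_HOURS = range(9, 18)   # 09:00 to 17:59 local time
WEEKDAYS = range(0, 5)      # Monday = 0 ... Friday = 4


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(event_utc, offset_hours):
    """Shift an aware UTC datetime into a fixed-offset local zone."""
    return event_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def working_hours_fraction(events_utc, offset_hours):
    """Fraction of events that fall on a weekday inside WORK_HOURS in this zone."""
    hits = 0
    for ts in events_utc:
        local = to_local(parse_utc(ts), offset_hours)
        if local.weekday() in WEEKDAYS and local.hour in WORK_HOURS:
            hits += 1
    return hits / len(events_utc)


def hour_histogram(events_utc, offset_hours):
    """Count of events per local hour (index 0..23) in this zone."""
    counts = [0] * 24
    for ts in events_utc:
        counts[to_local(parse_utc(ts), offset_hours).hour] += 1
    return counts


def rank_zones(events_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how much of the activity lands in working hours."""
    scores = {name: working_hours_fraction(events_utc, off) for name, off in zones.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    ranking = rank_zones(SAMPLE_EVENTS_UTC)
    for name, score in ranking:
        print(f"{name:36s} {score:.2f}")
    best_name = ranking[0][0]
    print("local-hour histogram in", best_name,
          hour_histogram(SAMPLE_EVENTS_UTC, CANDIDATE_ZONES[best_name]))
```

On the constructed data the Moscow offset scores highest (10 of 12 events inside weekday working hours, against 7 for UTC, 5 for UTC+8 and 2 for UTC-5). Note the caveat a practitioner would attach: many zones overlap, operators can work shifts or deliberately skew their hours, and host clocks may be wrong, so a working-hours fit is only weak, corroborating evidence. FireEye's report likewise lists it alongside the IP address overlap and the links to a Moscow-based individual rather than on its own.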
in Security, Posted by darkhorse_log