Russia Linked to Disruptive Industrial Control Malware

Like so many other internet misdeeds, the notorious Triton malware appears to have originated in Moscow.

In December 2017, researchers spotted a new family of industrial control malware that had been used in an attack on a Middle Eastern energy plant. Known as Triton, or Trisis, the suite of hacking tools is one of only a handful of known cyberweapons developed specifically to undermine or destroy industrial equipment. Now, new research from security firm FireEye suggests that at least one element of the Triton campaign originated from Russia. And the tipoff ultimately came from some pretty boneheaded mistakes.

Russian hackers are in the news for all sorts of activity lately, but FireEye's conclusions about Triton are somewhat surprising. Indications that the 2017 Triton attack targeted a Middle Eastern petrochemical plant fueled the perception that Iran was the aggressor—especially following reports that the victim was specifically a Saudi Arabian target. But FireEye's analysis reveals a very different geopolitical context.

FireEye specifically traced the Triton intrusion malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), located in the Nagatino-Sadovniki district of Moscow.

"When we first looked at the Triton incident we had no idea who was responsible for it, and that's actually fairly rare; usually there's some glaring clue," says John Hultquist, director of research at FireEye. "We had to keep chipping away and let the evidence speak for itself. Now that we've associated this capability with Russia we can start thinking about it in the context of Russia's interests."

King Triton

Triton comprises both malware that infects targets, and a framework for manipulating industrial control systems to gain deeper and deeper control in an environment. Triton attacks seem to set the stage for a final phase in which attackers send remote commands that deliver an end payload. The goal is to destabilize or disable an industrial control system's safety monitors and protection mechanisms so attackers can wreak havoc unchecked. Security researchers discovered the 2017 Triton attack only because it failed to skirt those failsafes: the safety system tripped and the plant shut down.

But while the attackers, dubbed TEMP.Veles by FireEye, left few clues about their origins once within those target networks, they were sloppier about concealing themselves while testing the Triton intrusion malware. As FireEye researchers analyzed the incident at the Middle Eastern energy plant and worked backward toward the attackers, they eventually stumbled on a testing environment used by TEMP.Veles that linked the group to the intrusion. The attackers tested and refined malware components beginning at least in 2014 to make them harder for antivirus scanners to detect. FireEye found one of the files from the test environment in the target network.

"They made dumb operational security mistakes, for instance the malware testing," Hultquist says. "They assumed that it wouldn’t be connected to them, because it wasn’t directly tied to the incident—they cleaned up their act for the targeted networks. That’s the lesson we see again and again, these actors make mistakes when they think no one can see them."

Evaluating the testing environment gave FireEye a window into a whole host of TEMP.Veles activities, and the firm could track how test projects fit in with and mirrored TEMP.Veles's known activity in real victim networks. The group seems to have first been active in the test environment in 2013, and has worked on numerous development projects over the years, particularly customizing open-source hacking tools to tailor them to industrial control settings and make them more inconspicuous.

In analyzing the TEMP.Veles malware files, FireEye found one that contained a username connected to a Russia-based information security researcher. The moniker appears to represent an individual who was a professor at CNIIHM, the institution connected to the malware. FireEye also found that an IP address associated with malicious TEMP.Veles Triton activity, monitoring, and reconnaissance is registered to CNIIHM. The infrastructure and files FireEye analyzed also contain Cyrillic names and notes, and the group seems to work on a schedule consistent with Moscow's time zone. It's worth noting, however, that numerous cities outside Russia—including Tehran—are in similar time zones, so timing alone cannot separate the candidates.
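The working-hours argument above is easy to check for oneself, and so is its caveat. The script below is an added illustration, not FireEye's tooling or anything from the report: it takes a constructed set of UTC activity timestamps (compile times, infrastructure logins and the like) and scores candidate time zones by how much of that activity lands in local weekday business hours. The zone names, the standard-time offsets, the 09:00 to 18:00 working window and the 0.15 "too close to call" margin are all assumptions made for the example; DST is deliberately ignored by choosing January dates.

```python
"""Score candidate operator time zones from activity timestamps.

Added example for illustration only (not FireEye's methodology or code).
"""
from datetime import datetime, timedelta

# Constructed sample (not from any real intrusion): UTC timestamps at which
# artefacts were compiled or attacker infrastructure was touched.
SAMPLE_EVENTS_UTC = [
    "2017-01-02T06:15:00", "2017-01-02T08:40:00", "2017-01-03T07:05:00",
    "2017-01-03T11:30:00", "2017-01-04T06:02:00", "2017-01-04T13:50:00",
    "2017-01-05T09:20:00", "2017-01-05T14:45:00", "2017-01-06T07:30:00",
    "2017-01-09T10:10:00", "2017-01-10T12:25:00", "2017-01-12T14:10:00",
]

# Assumed standard-time UTC offsets (hours) for a January sample; DST ignored.
CANDIDATE_OFFSETS = {
    "Europe/Moscow": 3.0,
    "Asia/Tehran": 3.5,
    "Europe/London": 0.0,
    "Asia/Shanghai": 8.0,
    "America/New_York": -5.0,
}

WORK_START, WORK_END = 9, 18  # assumed local business hours (hour of day)


def parse_utc(stamps):
    """Parse ISO-8601 strings (naive, interpreted as UTC) into datetimes."""
    return [datetime.fromisoformat(s) for s in stamps]


def business_hours_fraction(events_utc, offset_hours):
    """Fraction of events falling on a weekday inside local business hours
    when the UTC times are shifted into a zone with the given offset."""
    hits = 0
    for ts in events_utc:
        local = ts + timedelta(hours=offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def score_zones(stamps, offsets=CANDIDATE_OFFSETS):
    """Return (zone, score) pairs sorted from most to least consistent."""
    events = parse_utc(stamps)
    scores = {z: business_hours_fraction(events, off) for z, off in offsets.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def plausible_zones(ranked, margin=0.15):
    """Every zone whose score is within `margin` of the best one.
    Two or more entries means timing evidence alone cannot decide."""
    best = ranked[0][1]
    return [zone for zone, score in ranked if best - score <= margin]


if __name__ == "__main__":
    ranked = score_zones(SAMPLE_EVENTS_UTC)
    for zone, score in ranked:
        print(f"{zone:18s} {score:.2f}")
    print("cannot separate:", plausible_zones(ranked))
```

On the constructed sample, Moscow scores 1.00 and Tehran 0.92, with everything else well behind; the half-hour difference between the two only moves a single late-afternoon event out of the window, which is exactly why the timing pattern is corroborating evidence rather than attribution on its own, and why the CNIIHM-registered IP address and the username carry more weight.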

CNIIHM is a well-resourced Russian government research institution, with expertise in information security and industrial control-focused work. The organization also collaborates extensively with other Russian science, technology, and defense research institutions, all of which makes it a plausible creator of the Triton intrusion malware. FireEye notes that it's possible that rogue CNIIHM employees developed it there secretly, but the firm sees this as very unlikely. FireEye also linked TEMP.Veles to the Triton intrusion malware specifically, rather than to the entire industrial control framework. But Hultquist says the findings strongly indicate that even if a different organization developed each part of Triton, they're connected in some way.

New Paradigm

The FireEye conclusion represents a fundamental rethinking of the 2017 Triton attack, but questions still remain about what the attribution implies. Russia has little incentive to antagonize Saudi Arabia, says Andrea Kendall-Taylor, a former senior intelligence officer currently at the Center for a New American Security think tank. "Moscow's targeting of Saudi Arabia is inconsistent with my understanding of Russia's geopolitical goals," Kendall-Taylor says. "Moreover, Putin probably would like to maintain a good relationship with Saudi to avoid the appearance of entirely siding with Iran."

And while outside researchers say that FireEye's research looks solid, some argue that the execution seems out of step with what one expects from the Kremlin.

"The attackers were very sloppy, that's my only pause. Russian government hackers are generally better than leaving a testing environment exposed on the internet," says Jeff Bardin, the chief intelligence officer of the threat tracking firm Treadstone 71. "Maybe there is an element of denial and deception in the evidence. But maybe the attackers were proving their models and testing things out with new capabilities."

Regardless of the motive and means, though, it appears that Russian hackers have added yet another ambitious attack to their roster. What's less clear, though, is if and when they might try to use it next.
