Finger of blame pointed at Russia for malware infection at Saudi petrochemical complex

FireEye claims Russian government lab was behind custom-built intrusion tools used to compromise major Saudi plant

Security firm FireEye has pointed the finger of blame at Russia over the 2017 compromise of a Saudi Arabian petrochemical complex.

The attack in August 2017, which was publicly disclosed in March this year, was intended to cause sabotage and could potentially have caused an explosion. It was the culmination of a string of cyber attacks on economic targets in Saudi Arabia throughout 2017.

Targeting the Triconex safety controllers, made by Schneider Electric, the attack rang alarm bells around the world because the parts are also used at some 18,000 different plants around the world, including nuclear power stations, water treatment works, chemical plants and oil refineries.

The controllers were believed to be configurable only with physical access, but investigators found a file that looked like a legitimate part of the Schneider controller software, which they believe enabled the attackers to access the controllers remotely.

"The only thing that prevented significant damage was a bug in the attackers' computer code that inadvertently shut down the plant's production systems," reported the New York Times. The investigation was led by FireEye-owned Mandiant.

Now, FireEye has revealed more details about the attack on the petrochemical plant, which was perpetrated using malware dubbed "Triton". FireEye has dubbed the year-long operation against Saudi Arabia Temp.Veles.

"FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of Triton was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution located in Moscow," its latest report claims.

It has put forward a range of factors to back up its conclusion, based on its examination of the malware and monitoring of some of its activity. This revealed "multiple independent ties to Russia", including an IP address registered to the institute that was involved in network reconnaissance and malicious activity in support of the Triton attack. Activity patterns are also consistent with Moscow office hours.
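The "Moscow office hours" observation above is a standard attribution technique: convert the timestamps of attacker activity into a candidate time zone and check how much of it falls on weekdays during working hours. The following script is an added illustration of that method and is not part of the article or of FireEye's report; the event timestamps are constructed sample data, not real Temp.Veles activity, and the fixed UTC offsets (Moscow UTC+3, US Eastern summer time UTC-4) are assumptions chosen so the example runs without a time-zone database.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed intrusion activity (hypothetical,
# not taken from any real incident). Most fall on a Monday in August 2017.
SAMPLE_EVENTS_UTC = [
    "2017-08-07T06:30:00Z",
    "2017-08-07T07:15:00Z",
    "2017-08-07T09:00:00Z",
    "2017-08-07T11:45:00Z",
    "2017-08-07T13:20:00Z",
    "2017-08-07T14:59:00Z",
    "2017-08-07T20:00:00Z",  # late evening in Moscow
    "2017-08-12T10:00:00Z",  # Saturday: weekend everywhere
]

# Assumed fixed offsets; Moscow has had no daylight saving since 2014,
# US Eastern is UTC-4 in August (EDT).
MOSCOW = timezone(timedelta(hours=3), "MSK")
US_EASTERN_SUMMER = timezone(timedelta(hours=-4), "EDT")


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def weekday_hour_histogram(timestamps, tz):
    """Count events per local hour, keeping only weekday (Mon-Fri) activity."""
    counts = Counter()
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5:
            counts[local.hour] += 1
    return counts


def working_hours_fraction(timestamps, tz, start=9, end=18):
    """Fraction of all events that fall on a weekday within [start, end) local time.

    A high fraction in one zone and a low fraction in the alternatives is the
    kind of signal the article summarises as 'consistent with Moscow office hours'.
    """
    if not timestamps:
        return 0.0
    in_hours = 0
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            in_hours += 1
    return in_hours / len(timestamps)


def best_fit(timestamps, candidates):
    """Return the candidate zone name whose working hours cover the most activity."""
    scores = {name: working_hours_fraction(timestamps, tz) for name, tz in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    candidates = {"MSK": MOSCOW, "EDT": US_EASTERN_SUMMER}
    winner, scores = best_fit(SAMPLE_EVENTS_UTC, candidates)
    for name, score in scores.items():
        print(f"{name}: {score:.2f} of events inside weekday working hours")
    print("best fit:", winner)
```

On the constructed sample, 6 of 8 events land inside 09:00-18:00 Moscow time on a weekday, against 3 of 8 for US Eastern, so Moscow is the better fit. In practice this is one weak indicator among many: a handful of events is statistically meaningless, operators can work odd hours or schedule tasks, and several time zones share an offset, which is why FireEye pairs it with independent evidence such as the registered IP address.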

FireEye also identified a malware testing environment linked to Triton and Temp.Veles, including four files taken from the open-source Cryptcat project.

"Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease anti-virus detection rates. One of these files was deployed in a Temp.Veles target's network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment," claimed FireEye.

It continued: "Temp.Veles' lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, Temp.Veles struggled to execute this utility on multiple victim systems, potentially due to anti-virus detection. Soon after, the customised utility was again evaluated in the malware testing environment."

However, FireEye admitted that it did not "have specific evidence to prove that CNIIHM did (or did not) develop the tool", but suggested that it is probably the only organisation in Russia with the combination of skills required to compromise sophisticated industrial control equipment.

"Some possibility remains that one or more CNIIHM employees could have conducted the activity linking Temp.Veles to CNIIHM without their employer's approval. However, this scenario is highly unlikely," concluded FireEye.