US blacklists Russian research institute over dangerous Triton malware

The malware was used to target a petrochemical facility in Saudi Arabia in 2017

The US Treasury said on Friday that it was imposing sanctions against a Russian research centre for its role in creating customised tools that enable Russian cyber actors to target and manipulate safety systems at industrial plants.

In a statement on its website, the US Treasury said that its Office of Foreign Assets Control (OFAC) has blacklisted Russia's Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) which it says was behind the destructive Triton malware.

According to US officials, Triton malware was used to attack a petrochemical facility based in Saudi Arabia in 2017. An investigation into the attack later revealed that the primary intent of the hackers was to cause physical damage to the facility by disabling its safety system. Such safety systems are deployed at industrial plants to ensure the safe shutdown of industrial processes and protect human life during emergency situations.

In 2018, a report published by FireEye researchers identified TsNIIKhM as the possible author of Triton's malicious code.

Triton, also known as HatMan or Trisis, is a malicious program built specifically to target one type of industrial control system equipment: Schneider Electric Safety Instrumented System (SIS) controllers.

According to researchers, the cyber actors behind Triton use phishing campaigns to distribute the malware. After compromising a workstation, the malware looks for SIS controllers on the network and then attempts to change the controllers' settings.
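The behaviour described above, a compromised workstation sweeping the network for SIS controllers, leaves a network footprint that a defender can look for. The following is an added example, not code from the article or from any vendor: it runs simple detection logic over constructed flow records, flagging any host outside an assumed engineering-workstation allowlist that reaches an SIS controller, and any host that contacts several controllers in succession. All addresses are constructed.

```python
# Added example: flag suspicious access to SIS controllers in network flow records.
from collections import defaultdict

# Constructed inventory (assumed values): SIS controller addresses on the safety network.
SIS_CONTROLLERS = {"10.20.1.10", "10.20.1.11", "10.20.1.12"}
# Constructed allowlist (assumed values): workstations permitted to reach the controllers.
ENGINEERING_WORKSTATIONS = {"10.20.0.5"}


def parse_flow(line):
    """Parse a constructed 'src dst bytes' flow record into (src, dst, bytes)."""
    src, dst, nbytes = line.split()
    return src, dst, int(nbytes)


def find_sis_anomalies(flow_lines, sweep_threshold=2):
    """Return two sorted lists of source hosts:
    'unauthorized': hosts outside the allowlist that talked to any SIS controller;
    'sweep': hosts that contacted at least sweep_threshold distinct controllers,
             which resembles the discovery step the article describes."""
    contacted = defaultdict(set)  # source host -> set of SIS controllers it reached
    for line in flow_lines:
        src, dst, _ = parse_flow(line)
        if dst in SIS_CONTROLLERS:
            contacted[src].add(dst)
    unauthorized = sorted(h for h in contacted if h not in ENGINEERING_WORKSTATIONS)
    sweep = sorted(h for h, dsts in contacted.items() if len(dsts) >= sweep_threshold)
    return {"unauthorized": unauthorized, "sweep": sweep}


# Constructed sample flows: the engineering workstation with routine traffic, an office
# workstation (the compromised host in this scenario) touching every controller, and
# an unrelated host that never reaches the safety network.
SAMPLE_FLOWS = [
    "10.20.0.5 10.20.1.10 4096",
    "10.30.7.21 10.20.1.10 128",
    "10.30.7.21 10.20.1.11 128",
    "10.30.7.21 10.20.1.12 128",
    "10.30.7.22 10.40.9.3 2048",
]

if __name__ == "__main__":
    print(find_sis_anomalies(SAMPLE_FLOWS))
```

In practice the controller inventory and allowlist come from the plant's asset register, and the flow records from a network tap or switch span on the boundary of the safety network.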

Russia criticised the US government for imposing sanctions against its research institute.

In a statement, Anatoly Antonov, Russia's ambassador to the US, urged Washington "to abandon the vicious practice of unfounded accusations".

He described the accusations as baseless and said that Russia "does not conduct offensive operations in cyber domain".

The move from the US Treasury came within a week of the US Department of Justice (DoJ) charging six intelligence officers at Russia's Main Centre for Special Technologies over a series of cyber attacks against US entities.

In the indictment, the DoJ said that these individuals were part of the hacking group that also launched multiple attacks to target the Spring 2017 French election, the 2018 Winter Olympic Games in South Korea, and other significant events in different countries.

Also, last week, the European Union (EU) imposed sanctions on two Russian military intelligence officers over their involvement in cyber attacks that targeted Germany's parliament in 2015.

Sanctions were also levied against Russia's 85th Main Centre for Special Services (Military Unit 26165) for conducting cyber campaigns "with a significant effect constituting an external threat to the Union or its member states".