FireEye links Triton Malware to Russian Research Institute

Security Researchers at FireEye have tracked the development of Triton to a research institute owned by the Russian government. In a report published on Tuesday 23 October, researchers claim that they have uncovered a strong link between the Triton malware and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government. Triton, which has also been called Trisis and Hatman, was used in a campaign targeting Industrial Control Systems (ICS) in the Middle East. Industrial Control Systems are extensively used in industries such as chemical processing, paper manufacture, power generation, oil and gas processing, and telecommunications.

A Brief History of Triton

Discovered in December 2017, the malware targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers via a zero-day vulnerability. Experts discovered the malware after it caused a process shutdown in a facility. At the time CyberX claimed that the malware was deployed and developed by Iran. Phil Neray, VP of Industrial Cybersecurity for CyberX said,

“It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure but it's also a logical next step for the adversary…Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,”

The malware was deployed by Iran in targeting critical infrastructure in Saudi Arabia. At the time FireEye would not confirm the allegations made by CyberX, it did however note that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors. Based on the initial analysis of the malware done by several security firms it was concluded that Triton was designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers specifically. SIS controller is used in monitoring the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.

fireeye links triton malware to russian research institute

The malware uses a specially developed TriStation protocol to communicate with SIS controllers, and it is capable of adding new ladder logic that allows the attackers to manipulate devices. While the devices could be manipulated experts believed the shutdown was caused by an accident rather than intent. Experts believed the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.

New Evidence linking to Russian Research Institute

As previously stated it was initially believed that Iranian state actors were solely responsible for the development and deployment of Triton. In the new report published by FireEye presented several pieces of evidence that show a connection between Triton and the CNIIHM, and the company claims to be in possession of even more information that reinforces the link, but which has been withheld due to its sensitive nature. While still apparently sitting on sensitive information, FireEye insists that the entire Triton framework is not the sole work of the research institute. In the report, FireEye claims there are several aspects that have led to FireEye assessing with “high confidence” that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. One of the most important clues is related to the testing of some TEMP.Veles tools in a malware testing environment. FireEye did not name the tool used but VirusTotal is the most widely used.

What may prove to be the smoking gun relates to the TEMP.Vele tools. Researchers discovered that a user who has been active in the aforementioned testing environment since 2013 has on several occasions tested various tools, including many customized versions of widely available applications such as Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat. It would appear that the goal was to ensure that the customized tools would evade detection. Researchers were quick to point out that many of the tools were used in TEMP.Veles attacks just days after being analyzed in the malware testing environment. Further researchers were able to link the tested files to a Moscow-based individual who had been involved in vulnerability research. The individual had apparently been a professor at CNIIHM and the link was made based on the online moniker used by the individual.

Furthermore, it was also discovered that one IP address registered to the Russian institute had been linked to Triton. This includes monitoring open source coverage of the attack, conducting reconnaissance against TEMP.Veles targets, and various other types of malicious activity in support of the Triton intrusion. Many of the files used had Cyrillic names along with behavior patterns fitting Moscow’s time zone.

FireEye’s Conclusions

Researchers concluded that that CNIIHM’s knowledge and personnel would make it highly capable of developing the Triton malware. It has research departments that specialize in the protection of critical infrastructure and the development of weapons and military equipment. It further collaborates with a wide range of other organizations, including ones involved in computer science, electrical engineering, defense systems, and information technologies. Although unlikely FireEye also concluded that some employees of CNIIHM conducted these activities without the knowledge or approval of the organization. This was deemed unlikely as the activity spans several years and that the institute’s capabilities are consistent with what one would expect of the entity behind the Triton campaign.

The theory that Russian institutions and Iranian state actors are further bolstered by knowledge of the relationship between the two countries. Since President Trump came to power in the US, Russia and Iran have looked to strengthen ties between them. With the US becoming increasingly aggressive on policies such as Iran’s nuclear development program, Moscow has become a vital partner to Tehran, with the relationship been defined as strategic rather than tactical.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal