US Treasury Sanctions Russian Entity Over Triton Malware
Officials Have Also Slapped Sanctions on Iran Over Disinformation
The U.S. Treasury Department on Friday issued sanctions against a Russian research institute that U.S. officials and some security researchers believe helped deploy Triton, a destructive malware variant designed to damage industrial control systems.
The sanctions target the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, a research facility located in Moscow and owned by the government. The Treasury Department says the institute helped deploy Triton against a petrochemical facility in the Middle East in 2017 (see: How Triton Malware Targets Industrial Control Systems).
The Treasury sanctions mean that American entities and citizens are now prohibited from engaging with the research institute, and U.S. officials can seize any of its assets based in the U.S.
In 2018, security firm FireEye published a lengthy report that found the institute had a hand in testing and helping to deploy the Triton malware against the unnamed petrochemical plant.
The sanctions issued Friday by the Treasury Department support the claims that Russian threat actors had a hand in deploying Triton.
"The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies," said Treasury Secretary Steven Mnuchin. "This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it."
The Treasury Department sanctions announced Friday follow other economic penalties issued by U.S. officials on Thursday against five Iranian entities that the Trump administration accuses of trying to interfere in the 2020 elections by spreading disinformation.
Triton, which is also known as Trisis and HatMan, was first uncovered in 2017 after the malware targeted a petrochemical facility in Saudi Arabia, according to previous reports.
Once deployed, Triton targeted the facility's Triconex Safety Instrumented System controllers, which were developed by Schneider Electric, according to research reports from FireEye and Dragos. The attack likely started with a phishing email that helped the threat actors gain a foothold in the plant's network, according to the Treasury Department.
Safety Instrumented System controllers are designed as a last line of safety protection for critical machinery within industrial facilities. Interference with these controllers could cause massive damage to a plant or trigger a complete shutdown. The 2017 attack in Saudi Arabia failed, however, after the attackers made a series of mistakes, according to FireEye and other security analysts.
"During the attack, the facility automatically shut down after several of the ICS controllers entered into a failed safe state, preventing the malware’s full functionality from being deployed, and prompting an investigation that ultimately led to the discovery of the malware," according to the Treasury Department.
Which group or nation-state created Triton remains uncertain. In 2018, however, FireEye published a lengthy analysis that found the Central Scientific Research Institute of Chemistry and Mechanics in Moscow, which is also referred to as CNIIHM or TsNIIKhM, played a role in testing and deploying the malware. This included linking certain IP addresses used during the deployment to the institute.
After the Treasury Department announced the sanctions Friday, Nathan Brubaker, senior manager of analysis at FireEye Mandiant Threat Intelligence, noted that Triton remains a dangerous tool because it can shut down an entire facility, which could cause widespread damage and possible harm to people.
"Mandiant was able to track the intrusion to the Russian lab that is being sanctioned and publicly expose their involvement," Brubaker noted. "This was a dangerous tool that may have been used to do real physical harm. We’re fortunate that it was found in the manner it was, giving us a chance to dig into the actors behind the scenes."
"For more in-depth reading, check out our blog breaking this attribution: https://t.co/Ezl0FS0ntb"
Nathan Brubaker (@NathanBrubaker), October 23, 2020
The Treasury Department also notes that, in 2019, the attackers allegedly behind Triton, an APT group that some security researchers refer to as Xenotime, were also reported to be scanning and probing at least 20 U.S. electric utilities in an effort to uncover vulnerabilities (see: Hackers Increasingly Probe North American Power Grid).
Earlier this week, the U.S. Justice Department indicted six Russian military officers who allegedly helped carry out a number of destructive cyberattacks, including the NotPetya malware attacks (see: 6 Russians Indicted for Destructive NotPetya Attacks).
The Treasury Department also recently announced separate sanctions against five Iranian entities for attempting to influence election outcomes through online disinformation operations aimed at misleading U.S. voters.
The sanctioned entities include the Islamic Revolutionary Guard Corps, the IRGC-Qods Force, Bayan Rasaneh Gostar Institute, Iranian Islamic Radio and Television Union and the International Union of Virtual Media, according to the Treasury Department. The announcement did not specifically state whether any of these groups was behind the threatening emails sent earlier to American voters, which were designed to sow confusion.
"The Iranian regime’s disinformation efforts have targeted a global audience through a variety of covert media organizations," the Treasury Department says.
Can Sanctions Work?
Tom Kellermann, the head of cybersecurity strategy at VMware, notes that while sanctions are good at deterring some malicious activity, he would like to see the U.S. government go further.
"The sanctions would be more impactful if applied to the virtual currencies these groups and individuals use," Kellermann, who served as a cybersecurity adviser to former President Barack Obama, tells Information Security Media Group.
Austin Merritt, a cyberthreat intelligence analyst at security firm Digital Shadows, also notes that sanctions against Russia and Iran are good at ensuring that these entities can't access resources at U.S. financial institutions, but he says more needs to be done.
"Sanctions could possibly act as a deterrent, but not likely considering the recurrent cyberattacks originating from countries like Russia and Iran," Merritt tells ISMG. "These most recent sanctions occurred after previous sanctions have been placed on entities and individuals in those countries."
Managing Editor Scott Ferguson contributed to this report.