Researchers: Russia is behind the ICS attack framework “TRITON” (Trisis)

US security companies FireEye, Dragos, and Symantec have all analyzed the cyber attack on a Saudi petrochemical plant; FireEye now reports that the attack is linked to a Russian research institute. The malicious program targets the plant's safety instrumented system (SIS) and can either shut down the production process or leave the SIS-protected equipment running in an unsafe state. FireEye named the malware TRITON; Dragos calls it TRISIS.

The attack in Saudi Arabia took place in August of last year and was initially suspected to be the work of Iran. The attackers compromised Triconex, the safety controller made by Schneider Electric that protects industrial equipment at roughly 18,000 plants worldwide, including nuclear facilities. The attack reportedly came close to causing an explosion at the plant. FireEye believes that a Russian government-owned research institute, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), participated in the attack: the malware the attackers deployed contains artifacts that point to the institute.

FireEye cites several factors that suggest the activity is Russian in origin and associated with CNIIHM:

  • A PDB path embedded in one of the analyzed files contains a string that appears to be a unique handle or user name. The moniker is linked to a Russia-based individual who has been active in Russian information security communities since at least 2011.
    • The handle has been credited with vulnerability research contributions to the Russian edition of Hacker Magazine (Хакер).
    • According to a now-defunct social media profile, the same individual was a professor at CNIIHM, which is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow.
    • Another profile using the handle on a Russian social network shows multiple photos of the user in the Moscow area across the entire history of the profile.
  • Suspected TEMP.Veles incidents (TEMP.Veles is FireEye's name for the group behind TRITON) include malicious activity originating from 87.245.143.140, an IP address registered to CNIIHM.
    • The IP address has been used to monitor open-source coverage of TRITON, which increases the likelihood that someone on this network has an interest in TEMP.Veles-related activity.
    • It has also been used for network reconnaissance against targets of interest to TEMP.Veles.
    • The IP address has been tied to additional malicious activity in support of the TRITON intrusion.
  • Multiple files have Cyrillic names and artifacts.
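Two of the artifacts above, the PDB path left in a compiled file and Cyrillic strings, are things an analyst pulls out of a sample during triage. The script below is an added example written for this page, not code from FireEye or from the TRITON analysis: it scans raw bytes for the CodeView "RSDS" debug record that MSVC embeds (signature, 16-byte GUID, 32-bit age, then a NUL-terminated PDB path), recovers the user name from a `C:\Users\<name>\...` path, and flags Cyrillic characters. The sample binary, the handle `operator1` and the path component `проект` are constructed for the demonstration and are not the handle or path from the real report.

```python
import re
import struct
import unicodedata

# Layout of a CodeView RSDS record as emitted by the MSVC linker:
#   b"RSDS" | 16-byte PDB GUID | uint32 age (little-endian) | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes):
    """Return (guid_hex, age, path) for every RSDS record found in data.

    Scanning the raw bytes instead of walking the PE debug directory also
    catches records in packed, carved or truncated samples."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = m.group(1).hex()
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("utf-8", errors="replace")
        records.append((guid, age, path))
    return records


def username_from_pdb_path(path: str):
    """Pull the account name out of a Windows profile path (C:\\Users\\<name>\\...).

    Returns None when the path has no such component, e.g. a build-server path."""
    m = re.search(r"[\\/]Users[\\/]([^\\/]+)[\\/]", path, re.IGNORECASE)
    return m.group(1) if m else None


def has_cyrillic(text: str) -> bool:
    """True if any character belongs to the Cyrillic block (by Unicode name)."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)


# Constructed sample: a few bytes of fake header, one RSDS record whose path
# contains a hypothetical handle and a Cyrillic directory, then padding.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b"RSDS"
    + bytes(range(16))                    # fake GUID
    + struct.pack("<I", 3)                # age = 3
    + "C:\\Users\\operator1\\проект\\tool\\Release\\tool.pdb".encode("utf-8")
    + b"\x00"
    + b"\x00" * 32
)


def triage(data: bytes):
    """Summarize attribution-relevant strings from one sample."""
    findings = []
    for guid, age, path in extract_pdb_paths(data):
        findings.append({
            "guid": guid,
            "age": age,
            "pdb_path": path,
            "user": username_from_pdb_path(path),
            "cyrillic": has_cyrillic(path),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A PDB path is only one signal: it records the build environment, not the operator, and it can be edited or faked, so it is weighed together with infrastructure and behavioural evidence as in the list above.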

Via: FireEye