
US Sanctions Placed on Russian Research Institute; Triton Malware Considered the Most Dangerous Current Threat To Critical Infrastructure

A Russian government-funded research institute has had strong sanctions placed on it by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) due to its connection with an unusually dangerous strain of malware created to specifically target the control systems of critical infrastructure. The State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) has been connected with developing and deploying the Triton malware, first seen in a 2017 attack on a petrochemical facility. The new US sanctions are a result of the 2017 Countering America’s Adversaries Through Sanctions Act, a bill that was in part designed to address Russian cyber attacks.

US sanctions a direct response to use of Triton malware

Also called TRISIS and HatMan, the Triton malware is designed specifically to identify and take control of the safety systems used in industrial settings. Its general purpose is to disable these safety measures with the intent of causing an accident. It was first discovered at a Saudi Arabian petrochemical plant in 2017, where it had compromised the physical safety controllers that serve as the last line of defense. The only thing that prevented a potential catastrophe was that a flaw in the dormant Triton malware code triggered a mechanical glitch that repeated several times and was eventually scrutinized by IT security specialists.

The Triton malware has yet to actually be attributed to a dangerous event, but the group responsible for it (Xenotime) has been caught sniffing around industrial operations throughout the world. The malware could potentially be used to cause leaks or explosions at chemical plants, taint water supplies at water treatment plants, take over traffic signalling systems, or even compromise the safety systems of a nuclear reactor. For this reason OFAC has labeled it as “the most dangerous threat activity publicly known,” and Secretary Steven Mnuchin issued the following statement about it: “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies … This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

OFAC revealed that the hackers behind the Triton malware have been observed scanning and probing US critical infrastructure for opportunities to deploy it, including at least 20 electricity agencies. The agency cited this and Russia’s history of other types of cyber attacks associated with state-sponsored groups (such as repeated intrusions into the energy grid and the 2017 NotPetya ransomware campaign) as justifying US sanctions on the research institute. Last month, the US charged six GRU officers with worldwide distribution of malware in what appears to be a related case.

The sanctions prohibit all US residents from engaging in business with TsNIIKhM and accepting or possessing the institute’s property. Any entities that are at least 50% owned by TsNIIKhM are similarly subject to US sanctions.

A unique threat to critical infrastructure

The Triton malware represents a new level of cyber threat, and one that is almost entirely unprecedented: an internet-based attack that can translate into serious damage to critical infrastructure, and potentially even into physical harm and death. Possible consequences of using the Triton malware to disable a Safety Instrumented System (SIS) include the venting of poisonous gases, the leak of chemicals into a facility or into a water supply, explosions, traffic snarls and accidents, and, in the most extreme scenario, the meltdown of a nuclear reactor. Attackers could also potentially disable critical utilities for long stretches, something that could cause mass panic and civil unrest.

Analysis by security researchers found that the Triton malware present in the Saudi Arabian petrochemical facility was likely planted as a result of a network compromise that first occurred in 2014, and that the final safety-disabling payload could have been successfully delivered had the attackers chosen to do so. The case demonstrates the lengths that nation-state backed hackers will go to, lying quietly in wait in a target network for years before introducing novel tools that can cause physical damage to the facility and its personnel.

A considerable number of cyber attacks are tolerated by most of the nations of the world, with something of an expectation that everyone will attack everyone else and that a “hot war” action is never an acceptable response. To date that has mostly been limited to espionage, however, with a sprinkling of ransomware and theft from some of the more financially strapped of the world’s threat actors. Physical damage on par with a terrorist attack is another matter entirely, and the Triton malware seems to have been designed for specifically that purpose.

The US sanctions may not accomplish much given that TsNIIKhM is a national research laboratory funded by the Russian government, roughly on par with American facilities such as Los Alamos National Lab. It is unlikely that the facility does much business with organizations in the US, but sanctions of this nature are rare and unusual. They may well serve as a symbolic warning of potential escalation to new cyber engagement terms should critical infrastructure be damaged. Suzanne Spaulding, Nozomi Networks Advisor and former DHS Undersecretary, expanded on what the US sanctions might mean: “The sanctions are an important step in signaling how seriously we take any malicious cyber activity that poses a threat to human life or safety. And sanctions against a scientific research institute may impact the individuals who developed these tools more than sanctions against the Russian government might. Scientists thrive on their reputation. Accusing them of threatening people’s lives, and impacting their ability to collaborate internationally, may actually impose significant cost … More broadly, when combined with other recent USG activity calling out Russian cyber activity, including recent indictments and alerts, Russia should be on notice that they cannot act with impunity–or at least not without attribution. The timing may be intended to warn against hacking into election infrastructure, or it may be designed to look tough on Russia for the American electorate, or both.”

While the US sanctions may be fully appropriate given the potential to cripple critical infrastructure and cause harm, it is fair to point out that the Triton malware has yet to be activated anywhere. The lone physical attack of this nature, the infamous Stuxnet incident that crippled Iranian centrifuges a decade ago, is widely believed to have originated in the US.

Andrea Carcano, co-founder of Nozomi Networks, offered industrial operators this advice on shoring up their defenses: “No single entity can solve this global issue; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyberattacks and protect the world’s most critical operations and the people and communities we all serve. The perfect storm of increasing cyber threats, digital transformation and IT/OT convergence means organizations must move swiftly to shore up their defenses with solid cybersecurity programs that deliver deep visibility and effective security that spans OT and IoT networks and devices.”