When mysterious hackers triggered the shutdown of a Saudi Arabian oil refinery in August of 2017, the subsequent investigation found that the malware used in that attack had unprecedented, uniquely lethal potential: It was intended to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Now, three years later, at least one Russian organization responsible for that callous cyberattack is being held to account.
Today the US Treasury imposed sanctions on Russia’s Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used that malware known as Triton or Trisis, intended to sabotage the Petro Rabigh refinery’s safety devices. Triton was designed specifically to exploit a vulnerability in the Triconex-branded “safety-instrumented systems” sold by Schneider Electric. Instead, it triggered a failsafe mechanism that shut down the Rabigh plant altogether.
The sanctions effectively cut off the institution from doing business in or with the US. They also represent the first government statement holding Russia—or any other country—responsible for that potentially destructive attack, only the third known malware ever to have appeared in the wild that directly interacted with industrial control systems. And although Triton malware is only publicly known to have been deployed against that Saudi Arabian target, Treasury Secretary Steve Mnuchin’s statement announcing the new sanctions made clear that the message is meant to deter any similar attack against US infrastructure. “The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Mnuchin. “This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
Triton has been linked to the Moscow-based institute, known by the Russian acronym TsNIIKhM, since 2018, when security firm FireEye found evidence that tools used in the Triton case had been tested with an unnamed malware-testing platform by someone at the institute. One file even contained a hacker handle associated with a specific individual who, according to a social media profile, had been a professor at TsNIIKhM.
But the new sanctions provide official confirmation of that theory, and new accountability for the institute for its role in the cyberattack. “It means the government recognizes this lab as a serious threat to global security,” says John Hultquist, director of intelligence at FireEye. “They’re clearly developing a tool that could have fatal consequences.”
The hackers who deployed Triton, given the name Xenotime by the industrial cybersecurity firm Dragos, have also probed US power grid targets, according to Dragos and the Electricity Information Sharing and Analysis Center (E-ISAC), scanning for points of entry into the networks of American utilities. FireEye found the group inside another victim’s network outside of Saudi Arabia, although it declined to reveal more details about that target. Since the Petro Rabigh intrusion, the hackers have not been spotted deploying Triton again.
The new sanctions come amid a sudden wave of US government agencies naming, shaming, and punishing Russian state-sponsored hackers for cyberattacks and intrusions stretching back years. On Monday, the Justice Department indicted six hackers working in the service of Russia’s military intelligence agency, the GRU. The hackers, known as Sandworm, are accused of a five-year spree of disruptive attacks that ranged from blackouts in Ukraine, to the most destructive malware ever created, NotPetya, to an attempted sabotage of the 2018 Winter Olympics. Then, yesterday, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) posted an advisory about another Russian hacker group, known as Berserk Bear or Dragonfly, carrying out broad intrusions of US state and local government organizations as well as US aviation companies.