The Most Advanced Industrial Malware Ever Seen

In August last year, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyber-assault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.

The attack was a dangerous escalation in international hacking, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage.

A cybersecurity firm has since attributed the intrusion into the petrochemical company's industrial control systems to hackers backed by the Russian government.

FireEye security researchers have linked the sophisticated “Triton” malware used to infiltrate industrial control systems to a Russian government-owned research institute, following an investigation.

Triton targets Schneider Electric's Triconex safety instrumented systems, the controllers whose job is to bring a process to a safe state when pressure, temperature or other readings drift out of bounds; these systems are installed in about 18,000 plants around the world. Tampering with the safety layer rather than the process itself is what makes an explosion, rather than a mere outage, a plausible outcome. The August 2017 attack on the Saudi Arabian plant was designed to sabotage its operations and trigger an explosion. It came after several other attacks on petrochemical plants in Saudi Arabia: in January 2017, computers at the National Industrialization Company were targeted and wiped with the aim of sending a political message.

FireEye said in a blog: “FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow.”

The firm’s investigation found multiple independent ties to Russia, CNIIHM, and “a specific person in Moscow”. It did concede that it was possible CNIIHM employees conducted activity without their employer’s approval, but this explanation is “less plausible”.

The blog said: “In this scenario, one or more persons – likely including at least one CNIIHM employee – would have had to conduct extensive, high-risk malware development and intrusion activity from CNIIHM’s address space without CNIIHM’s knowledge and approval over multiple years.”

United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate the attack in other countries, since thousands of industrial plants all over the world rely on the same American-engineered safety controllers that were compromised.

Triton follows a series of malware families built to attack industrial control systems. Stuxnet, discovered in 2010, damaged centrifuges at an Iranian uranium enrichment facility. Then, in December 2016, Industroyer was used in a cyber-attack on Ukraine’s power grid.

It is not the first time the finger has been pointed at Russia after hacking attempts on critical national infrastructure. In April, the UK and US made an unprecedented joint statement blaming Russia for cyber-attacks on businesses and consumers.

The announcement saw the National Cyber Security Centre (NCSC), the US Department of Homeland Security and the FBI warn businesses and citizens that Russian state-sponsored actors are compromising network infrastructure devices such as routers and switches around the world, typically by abusing legacy or poorly secured management services exposed to the internet. The aim: to lay the groundwork for future attacks on critical infrastructure such as power stations and energy grids.

The US has blamed Russia for recent intrusions into the networks of its energy sector, including electric utilities, while the NCSC held the Kremlin responsible for several attempts to disrupt UK infrastructure.

It’s a major concern, but FireEye was careful in its final conclusions: “While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool,” its blog post said. “We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.”