Content, EMEA

FireEye: Russian Researchers Tied to Saudi Infrastructure Attack

Credit: Pixabay

Security provider FireEye on Monday blamed a Moscow-based, government run think tank for supporting malware that caused the shuttering of a Saudi petrochemical plant last year.

The cyber attackers deployed the Triton malware, part of a number of publicly identified malicious software families targeted at industrial control systems (ICS), FireEye said in a blog post last December. Now, in a new blog the security specialist said it has “high confidence” that the Russian-backed Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) supported the hackers Xenotime or TEMP.Veles in launching the attack.

Who developed the Triton tool isn't clear, however. “While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool,” FireEye wrote. “We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information."

FireEye detailed why it is pointing the finger at the CNIIHM. “We present as much public information as possible to support this assessment, but withheld sensitive information that further contributes to our high confidence assessment.”

  • FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
  • Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
  • An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
  • Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
  • We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.
  • While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer’s approval, the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute.
  • Two CNIIHM research divisions are experienced in critical infrastructure, enterprise safety, and the development of weapons/military equipment: The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts; and, the Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment. It also researches methods for enabling enterprise safety in emergency situations.

"While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer’s approval, the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute," FireEye wrote.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.