The U.S. Treasury Department’s Office of Foreign Assets Control has sanctioned a Russian government-tied think tank for backing malware tailored to disable critical industrial safety systems.
What makes the Triton malware, also referred to elsewhere as TRISIS and HatMan, so dangerous is not only its specificity in manipulating machinery but also its potential to harm people. It is designed to target a specific industrial control system (ICS) controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The malware can be deployed through phishing attacks, and once it gains a foothold the attackers are able to choreograph the facility’s ICS controllers to their advantage.
Such is the magnitude of Triton’s potential for destruction that cybersecurity professionals have called it the “most dangerous threat activity publicly known.” Triton, which has been tagged as limited-edition malware, is one of a small number of publicly identified malicious software families targeted at ICS controllers.
U.S. officials believe that the sanctioned entity, a Russian government-controlled research institution called the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), is responsible for building customized tools that have enabled attacks on Saudi petrochemical facilities and Schneider Electric in 2017. TsNIIKhM has been sanctioned for "knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation." As per the Treasury Department's action, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.
It is still unclear who developed the Triton malware, officials said, although TsNIIKhM is thought to be the key player. “The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said U.S. Secretary of the Treasury Steven Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it,” he said.
The Triton malware was designed to target a specific industrial control system (ICS) controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. In the petrochemical attack, the malware was initially deployed through a phishing campaign. Once the malicious code gained a foothold, its operators attempted to manipulate the facility’s ICS controllers. During the attack, the facility automatically shut down after several of the ICS controllers entered a fail-safe state, preventing the malware’s full functionality from being deployed and prompting an investigation that ultimately led to the discovery of the malware.
As for the Treasury Department’s sanctioning, U.S. law enforcement has not systematically punished cyber criminals in a similar manner to, for example, what the EU has recently done, preferring instead to issue indictments. Two months ago, the European Union’s legislative council barred six individual hackers and three corrupt organizations from traveling to or entering any of the EU’s 28 member states and froze their assets under its first-ever cyber-related sanctions. The perpetrators, who include two Chinese citizens and four Russian nationals, were involved in the high-profile WannaCry, NotPetya and Cloud Hopper cyber attacks.