OFAC Announced Sanctions Against a Russian Government Institute Connected to Triton Malware


The Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury has announced sanctions against a Russian government institution linked to the disruptive Triton malware.

Triton, also known as Trisis and HatMan, is notorious for attacking Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers. It was first identified in 2017 on the systems of a Saudi Arabian oil and gas company.

The threat actor behind the malware, referred to by some as Xenotime, is believed to have been active since at least 2014. It has since extended its operations to Australia, Europe, and the US, and has added electric utilities to its target list.

In 2018, FireEye linked Triton to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), one of Russia’s technical research institutes.

At the 2019 ICS Cyber Security Conference in Singapore, FireEye reported that evidence linking Triton with CNIIHM began to vanish after its 2018 report was released, including images, internal structure data, and related IP address information.

OFAC, which describes Triton as “the most dangerous activity publicly identified,” announced on Friday sanctions against CNIIHM, also known as TsNIIKhM (the FGUP Central Scientific Research Institute of Chemistry and Mechanics of the Russian Federation’s State Research Center), effectively barring Americans from doing business with the institute.

According to the Treasury Department, this Russian government-controlled research institute is responsible for building the specialised tools that made the 2017 attack against the Saudi Arabian petrochemical facility possible.

The Treasury Department designated TsNIIKhM under section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA) “for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.”

The Triton malware, OFAC says, was deliberately created to attack industrial control systems (ICS) that are used to ensure automatic shutdown in the event of an emergency inside sensitive infrastructure facilities.

The malware, delivered via phishing emails, was designed to exploit these safety controllers, giving attackers full control of the infected devices. The malware, the US government said, can cause “serious physical harm and loss of life.”

Robert M. Lee, CEO and co-founder of industrial cybersecurity company Dragos, said in an emailed statement: “A U.S. Treasury OFAC sanction is relevant and compelling; not only will this research institution in Russia be affected, but anyone working with them will be seriously impaired in their attempt to compete on the international stage.

“However, the most important part of this development is the formal attribution to Russia of the TRISIS attack by the USG and the clear implementation of restrictions in response to an attack on industrial control systems. This is a paradigm-setting moment: it is the first time an ICS cyber-attack has been sanctioned. As this cyber-attack was the first ever directed at human beings, this is perfectly fitting. We are lucky that no one has died and I am grateful that policymakers are taking a firm line to reject such attacks,” he said.

Nathan Brubaker, senior analytical manager at Mandiant Threat Intelligence, commented: “TRITON malware was developed to disrupt safety systems that form one of the last lines of defence in industrial systems. With control of these safety systems, hackers could theoretically allow an unsafe state to occur or, worse, use their access to other control systems to trigger an unsafe state, then al.”

“Fortunately, TRITON was identified when safety devices recognised an abnormality during an intrusion and shut down operations at a plant. In the ensuing months, Mandiant was able to trace the intrusion to the Russian laboratory that is now being sanctioned and openly reveal its role. This was a dangerous weapon that may have been used to do serious physical damage. We’re grateful that it was discovered the way it was, giving us an excuse to look into the actors behind the scenes.”

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.