Russian state nationals accused of wielding life-threatening malware specifically designed to tamper with critical safety mechanisms at a petrochemical plant are now under sanction by the US Treasury Department.
The attack drew considerable concern because it’s the first known time hackers have used malware designed to cause death or injury, a prospect that may have actually happened had it not been for a lucky series of events. The hackers—who have been linked to a Moscow-based research lab owned by the Russian government—have also targeted a second facility and been caught scanning US power grids.
Now the Treasury Department is sanctioning the group, which is known as the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics or its Russian abbreviation TsNIIKhM. Under a provision in the Countering America’s Adversaries Through Sanctions Act, or CAATSA, the US is designating the center for “knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.”
Dangerous cyber activities
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Treasury Secretary Steven T. Mnuchin, in a release published on Friday. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
Under the sanctions, all property of TsNIIKhM that is or has come within the possession of a US person is blocked, and US persons are generally prohibited from engaging in transactions with anyone in the group. What’s more, any legal entity that’s 50-percent or more owned by one of the center members is also blocked. Some non-US persons who engage in transactions with TsNIIKhM may be subject to sanctions.
The malware used in the petrochemical-manufacturer attack generated so much concern because it zeroed in on processes known as the safety instrumented systems. An SIS is a combination of hardware and software that critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, an SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents. The malware is generally known as either Triton or Trisis because it targeted the Triconex product line made by Schneider Electric.
Triton came to be installed through a phishing message that targeted someone working at the petrochemical-maker. Once the attackers burrowed further and installed their malware in the operation-technology part of the facility, they attempted to manipulate the industrial controllers. An error caused facility equipment to automatically shut down, an event that prevented Triton from executing fully.
Had it not been for the accident, Triton could have caused loss of life, injuries, and mass property damage. The failure not only prevented those outcomes; it also allowed researchers to recover the malware and, ultimately, the research lab that designed and operated it.
Security firm FireEye Mandiant was the first to disclose the malware and its origins at TsNIIKhM. John Hultquist, senior director of intelligence analysis at Mandiant, applauded Friday’s sanctions.
“The government confirming the attribution is absolutely important,” he said in an interview. “Given the danger of the tools these guys are using, tying their hands is an excellent outcome, even if it’s somewhat limited.”