On October 23, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a Russian government research laboratory that created the Triton malware. The lab in question is the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. It is supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a state-controlled research institution responsible for building the customized tools that enabled the attack. Triton is malware designed specifically to target and manipulate industrial safety systems. The cyber activity surrounding Triton has been described by those in the cybersecurity industry as “the most dangerous threat activity publicly known.”
Treasury Secretary Steven T. Mnuchin said, “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies. This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
The first recorded use of Triton dates back to August 2017, when a petrochemical facility in Saudi Arabia, Petro Rabigh, was targeted by the malware. Tens of millions of dollars were lost as a result of the cyberattack. John Hultquist, senior director of intelligence analysis at the cybersecurity company Mandiant, claimed that the malware was found almost by accident. Mandiant was among the firms called in to investigate the incident. Experts remain uncertain why Russia targeted this Saudi plant.
When the attack occurred at Petro Rabigh, the hackers triggered a safety system, causing the plant to shut down while experts conducted a cyber investigation. The Triton malware was intended to disable safety systems in the plant that are designed to prevent conditions that could lead to a potentially fatal leak or explosion. According to experts, a coding error in the malware was all that prevented dozens of people from being killed.
Triton malware has reportedly been detected scanning and probing U.S. facilities. Russia has a long history of cyberattacks in foreign countries, including the NotPetya attack in 2017 that affected Ukraine, Denmark, and several other countries.
According to an article by the U.S. Secretary of the Treasury, TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining the cybersecurity of any person, democratic institution, or government on behalf of the Government of the Russian Federation.
Under the new sanctions, all property and interests in property of TsNIIKhM that come into contact with any U.S. persons are blocked. Additionally, any non-U.S. person that engages in transactions with the institution may incur sanctions.
Robert M. Lee, CEO and co-founder of industrial cybersecurity firm Dragos, said in an email statement, “An OFAC sanction by the U.S. Treasury is significant and compelling; not only will it impact this research institution in Russia, but anyone working with them will have their ability to be successful on the international stage severely hampered.” Dragos was another company that, like Mandiant, identified the malware in the Saudi plant in 2017.
While OFAC’s sanctions may be a step in the right direction, Triton malware’s existence still poses a tremendous threat to cybersecurity in the U.S. and elsewhere.