The US Sanctions Russians for Potentially ‘Fatal’ Malware

When mysterious hackers triggered the shutdown of a Saudi Arabian oil refinery in August of 2017, the subsequent investigation found that the malware used in that attack had unprecedented, uniquely lethal potential: It was intended to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Now, three years later, at least one Russian organization responsible for that callous cyberattack is being held to account.

Today the US Treasury imposed sanctions on Russia’s Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used that malware, known as Triton or Trisis, to sabotage the Petro Rabigh refinery’s safety devices. Triton was designed specifically to exploit a vulnerability in the Triconex-branded “safety-instrumented systems” sold by Schneider Electric. Rather than silently disabling those systems, however, the malware tripped a failsafe mechanism that shut down the Rabigh plant altogether.

The sanctions effectively cut off the institution from doing business in or with the US. They also represent the first government statement holding Russia—or any other country—responsible for that potentially destructive attack, only the third known malware ever to have appeared in the wild that directly interacted with industrial control systems. And although Triton is only publicly known to have been deployed against that Saudi Arabian target, Treasury secretary Steve Mnuchin’s statement announcing the new sanctions made clear that the message is meant to deter any similar attack against US infrastructure. “The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Mnuchin. “This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

Triton has been linked to the Moscow-based institute, known by the Russian acronym TsNIIKhM, since 2018, when security firm FireEye found evidence that tools used in the Triton case had been tested with an unnamed malware-testing platform by someone at the institute. One file even contained a hacker handle associated with a specific individual who, according to a social media profile, had been a professor at TsNIIKhM.

But the new sanctions provide official confirmation of that theory, and new accountability for the institute for its role in the cyberattack. “It means the government recognizes this lab as a serious threat to global security,” says John Hultquist, director of intelligence at FireEye. “They’re clearly developing a tool that could have fatal consequences.”

The hackers who deployed Triton, given the name Xenotime by the industrial cybersecurity firm Dragos, have also probed US power grid targets, according to Dragos and the Electricity Information Sharing and Analysis Center, scanning for points of entry into the networks of American utilities. FireEye found the group inside another victim’s network outside of Saudi Arabia, although it declined to reveal more details about that target. Since the Petro Rabigh intrusion, the hackers haven’t been spotted deploying Triton again.

The new sanctions come amid a sudden wave of US government agencies naming, shaming, and punishing Russian state-sponsored hackers for cyberattacks and intrusions stretching back years. On Monday, the Justice Department indicted six hackers working in the service of Russia’s military intelligence agency, the GRU. The hackers, known as Sandworm, are accused of a five-year spree of disruptive attacks that ranged from blackouts in Ukraine to the most destructive malware ever created, NotPetya, to an attempted sabotage of the 2018 Winter Olympics. Then, yesterday, DHS’s Cybersecurity and Infrastructure Security Agency posted an advisory about another Russian hacker group known as Berserk Bear, or Dragonfly, carrying out broad intrusions of US state and local government organizations as well as US aviation companies.

But naming and sanctioning a supposed research institute among those Russian rogue hackers represents a more unusual step, says Joe Slowik, a cybersecurity researcher at Dragos who has closely tracked Xenotime. Slowik points out that TsNIIKhM is almost equivalent to a US national lab like those at Los Alamos or Lawrence Livermore, with staff who present on a wide variety of research at reputable conferences. “This essentially puts them at the same level as ISIS or the Iranian Revolutionary Guard Corps as being untouchable by the US financial sector,” Slowik says. “It’s really quite astounding to see against an overall academic institution. It shows a degree of consequence that hasn’t existed previously.”

Even so, Slowik argues the sanctions are warranted and welcome—even three years after the fact—given the danger Triton has posed. “Really this is taking the possibilities of a cyberphysical event beyond process disruption or destruction, to the possibility of using a cyber capability to kill someone,” he says. “Even if it’s taken several years, it sends a strong signal that from the US government perspective, cyberactivity that contains the potential—if not the outright intention of—harming or putting at risk human life is unacceptable.”
