Potentially life-threatening Triton malware made on behalf of the Russian government


Security researchers report that a Russian government-affiliated research institute is behind malware with potentially severe physical consequences. The malware was discovered in 2017 at a petrochemical plant in Saudi Arabia and was built specifically to target critical infrastructure.

That is the conclusion of FireEye's researchers. They consider it very likely that a Russian institute developed, tested and then deployed the malware, and they name the Central Scientific Research Institute of Chemistry and Mechanics (CSRICM). The institute is based in Moscow and develops military applications.

Potentially life-threatening

The malware, known as Triton, was written specifically to interact with Schneider Electric safety controllers. A Safety Instrumented System (SIS) is the layer of a plant that is meant to shut a process down safely when it leaves its safe operating limits. Triton was designed either to halt a production process or to manipulate the SIS equipment so that the plant could keep running in an unsafe condition, with the safety layer unable to intervene.

According to the report, the group behind the malware came close to causing an explosion at the Saudi petrochemical plant last year. Until now, the origin of the malware had remained a mystery since its discovery in 2017: the researchers were unable to link the Triton malware itself directly to the Russian research institute.

Secondary malware

The secondary malware used alongside Triton, however, could be linked. This secondary tooling was needed to deliver Triton's payload, and it could be traced to a source: the researchers state that it carried unique indicators associated with CSRICM.

For example, certain files contained the name of a CSRICM employee. In addition, IP addresses registered to CSRICM were observed in the activity, and some file names were in Russian. Strikingly, the timestamps at which the malware was built fell within Russian office hours.
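The office-hours observation above is a standard attribution technique: build timestamps from the samples are shifted into a candidate time zone and the share that falls on a working day between 09:00 and 18:00 is compared across zones. The following is an added illustration, not FireEye's analysis or data; the timestamps are constructed for the example and the candidate offsets are assumptions chosen only to show the comparison. Build timestamps can also be forged or stripped, so this is one weak signal to be weighed alongside others, never proof on its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample build timestamps in UTC (not taken from any real Triton sample).
SAMPLE_COMPILE_TIMES_UTC = [
    datetime(2017, 6, 5, 6, 30, tzinfo=timezone.utc),   # Monday
    datetime(2017, 6, 5, 12, 45, tzinfo=timezone.utc),  # Monday
    datetime(2017, 6, 6, 8, 15, tzinfo=timezone.utc),   # Tuesday
    datetime(2017, 6, 7, 10, 0, tzinfo=timezone.utc),   # Wednesday
    datetime(2017, 6, 7, 18, 0, tzinfo=timezone.utc),   # Wednesday, late evening in Moscow
    datetime(2017, 6, 8, 14, 20, tzinfo=timezone.utc),  # Thursday
    datetime(2017, 6, 9, 7, 5, tzinfo=timezone.utc),    # Friday
    datetime(2017, 6, 10, 10, 0, tzinfo=timezone.utc),  # Saturday
]

# Assumed candidate time zones to compare, as fixed UTC offsets in hours.
CANDIDATE_OFFSETS = {
    "UTC+3 (Moscow)": 3,
    "UTC-4 (US Eastern, summer)": -4,
    "UTC+8": 8,
}


def in_office_hours(ts_utc, utc_offset_hours, start_hour=9, end_hour=18):
    """True if the UTC timestamp falls Mon-Fri within [start_hour, end_hour)
    local time for the given fixed UTC offset."""
    local = ts_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def office_hours_fraction(timestamps, utc_offset_hours):
    """Fraction of timestamps that land in local office hours for the offset."""
    if not timestamps:
        return 0.0
    hits = sum(in_office_hours(t, utc_offset_hours) for t in timestamps)
    return hits / len(timestamps)


def rank_offsets(timestamps, candidates):
    """Rank candidate zones by office-hours fit, best fit first."""
    scored = [(label, office_hours_fraction(timestamps, off))
              for label, off in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for label, frac in rank_offsets(SAMPLE_COMPILE_TIMES_UTC, CANDIDATE_OFFSETS):
        print(f"{label:28s} {frac:.0%} of samples built in local office hours")
```

With the constructed timestamps, the Moscow offset scores highest because most of the builds land in its working day, which is the shape of evidence the researchers describe. A real analysis would use many more samples and check that the timestamps are plausible in the first place (for example, that they are not zeroed or set in the future).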

FireEye notes that it is also possible that one or more CSRICM employees were involved without their employer's knowledge, but considers that scenario highly unlikely. Because the institute has the resources to develop this kind of malware and the necessary ties to Russian intelligence services, the researchers consider it likely that Triton was deliberately developed by CSRICM.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.