U.S. Levies Sanctions Against Russian Research Institution Linked to Triton Malware

The latest in a flurry of actions this week, tied to foreign threats against U.S. computer systems, includes sanctions by the Department of the Treasury.

The Trump administration sanctioned a Russia government research institution on Friday claiming it was behind a series of cyberattacks using the highly destructive Triton malware.

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) said the Triton malware had been used in various attacks against U.S. partners in the Middle East and spotted probing U.S. facilities.

Triton (aka TRISIS or HatMan) is most notoriously known for a series of 2017 attacks on a Saudi Arabian petrochemical facility, where it targeted safety systems with the intent of causing loss of life or physical damage, according to researchers at the time.
“This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack,” according to a Treasury Department statement issued Friday.

“This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it,” said secretary of the Treasury Steven Mnuchin in a statement.

Over the years, the advanced persistent threat (APT) group identified as XENOTIME was believed to be behind the Triton malware attacks. About a year ago the APT expanded beyond its initial focus of Saudi Arabian petrochemical firms.

According to a 2019 analysis by Dragos, the group had begun to target dozens of electric power utilities in North American and Asia-Pacific regions. Dragos said, at the time, it expected Triton to be used to attack industrial controls systems that managed water plants and manufacturing industries.

On Friday, the Department of Treasury accused the TsNIIKhM of “knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation”, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act.

Friday’s sanctions against Russia cap a busy week for U.S. cyber defenses. On Wednesday, federal officials claim that Iranian threat actors are behind two separate email campaigns that assailed Democratic voters this week with threats to “vote for Trump or else.” The campaigns claimed to be from violent extremist group Proud Boys.

On Thursday, the Trump administration claimed Iran and Russia hacked local governments local governments and obtained voter registration and other personal data, first reported by NBC News. On Tuesday, the National Security Agency released an advisory (PDF) warning Chinese state-sponsored actors were exploiting 25 publicly known vulnerabilities. On Monday, the Department of Justice announced charges against six Russian nationals who are allegedly tied to the Sandworm APT.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.