US sanctions Russian institute over malware used in 2017 attack

Dunya News

Triton is malicious software designed to attack industrial control systems

WASHINGTON (AFP) - The US Treasury announced sanctions Friday against a Russian research institute which it said was tied to the powerful malware Triton used to damage a Saudi petrochemical plant in 2017.

The Treasury said the Russian government’s Central Scientific Research Institute of Chemistry and Mechanics was "connected to" Triton and was responsible for "building customized tools" that enabled the 2017 attack.

But it did not blame the Russian institute for Triton itself or for the attack.

"The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies," Treasury Secretary Steven Mnuchin said in a statement.

"This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it."

Triton is malicious software designed to attack industrial control systems for power and industrial plants, targeting widely used controllers made by Schneider Electric.

According to cybersecurity firms, it can be designed to shut down the systems or make the systems work in unsafe or destructive modes.

The Treasury said the Triton malware was initially deployed at the petrochemical plant via phishing techniques.

In 2019, attackers using the malware scanned and probed at least 20 US electric utilities for vulnerabilities, according to the Treasury.

The sanctions ban Americans or US-based organizations from doing business with the designated institution, and freeze any assets it might have in US jurisdiction.

The sanctions were announced two years to the day after cybersecurity group FireEye tied Triton to the Moscow-based research institute and a specific, unnamed person with close ties to the institute.

It noted that the institute has two research divisions that are experienced in critical infrastructure, enterprise safety, and the development of weapons/military equipment.