A Russian research lab is getting blamed for developing malware that nearly blew up a Saudi energy plant last year.
In a Tuesday report, security firm FireEye connects the Triton malware to a Moscow-based laboratory called the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.
Triton grabbed headlines last year for attacking a petrochemical plant in Saudi Arabia in an apparent attempt at industrial sabotage. The malware was specifically designed to infect a Windows computer and then tamper with the plant’s Schneider Electric safety control system so that it would ignore hazardous conditions.
FireEye was brought in to investigate the attack, and said it found evidence that Triton’s development was the work of a professor employed by a Russian government lab. The security firm made the connection by identifying where Triton’s creators were testing the malware to beat antivirus detection. A file uploaded to the malware testing repository contained a line of code that appeared to be a unique internet handle.
FireEye searched the internet and discovered that the same handle belongs to an individual who has both submitted security research to a Russian hacking magazine and worked as a professor at the Russian research lab. “Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile,” it said.
FireEye refrained from naming the Russian professor or the internet handle he used.
In addition, attacks connected to the Triton malware were traced back to an IP address registered to the Russian research lab, FireEye said. “This IP address has been used to monitor open-source coverage of TRITON… it also has engaged in network reconnaissance against targets of interest,” the security firm added.
FireEye’s confidence in the links between the research lab and Triton extends only to certain components of the malware. Nevertheless, the security firm claims the Russian research lab has the capabilities to develop the entire attack framework. According to CNIIHM’s own website, the lab has a division focused on protecting critical infrastructure facilities from technology-based threats.
A separate security firm called Dragos has also been researching the Triton malware and warns that the group behind the malicious code has been expanding operations outside the Middle East. Although Dragos refrains from making attributions, company CEO Robert Lee said he found FireEye’s analysis “to be thorough and very professional.”
It isn’t the first time the Russian government has been blamed for launching malware that can sabotage industrial systems. Security researchers also suspect the Kremlin was behind cyberattacks designed to disrupt Ukraine’s power grid. While malware built to attack industrial systems remains rare, security experts fear such attacks could proliferate and cause real-world damage.
So far, the Russian research lab hasn’t commented on the allegations in FireEye’s report. Previously, some security researchers suspected Iran may have been behind the Triton malware.