When mysterious hackers triggered the shutdown of a Saudi Arabian oil refinery in August of 2017, the subsequent investigation found that the malware used in that attack had unprecedented, uniquely lethal potential: It was intended to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Now, three years later, at least one Russian organization responsible for that callous cyberattack is being held to account.
Today the US Treasury imposed sanctions on Russia's Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used the malware known as Triton or Trisis, intended to sabotage the Petro Rabigh refinery's safety devices. Triton was designed specifically to exploit a vulnerability in the Triconex-branded "safety-instrumented systems" sold by Schneider Electric. Instead of disabling those systems, it triggered a failsafe mechanism that shut down the Rabigh plant altogether.
The sanctions effectively cut off the institution from doing business in or with the US. They also represent the first government statement holding Russia—or any other country—responsible for that potentially destructive attack, only the third known malware ever to have appeared in the wild that directly interacted with industrial control systems. And although Triton malware is only publicly known to have been deployed against that Saudi Arabian target, Treasury secretary Steve Mnuchin's statement announcing the new sanctions made clear that the message is meant to deter any similar attack against US infrastructure. “The Russian government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Mnuchin. “This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
Triton has been linked to the Moscow-based institute, known by the Russian acronym TsNIIKhM, since 2018, when security firm FireEye found evidence that tools used in the Triton case had been tested with an unnamed malware-testing platform by someone at the institute. One file even contained a hacker handle associated with a specific individual who, according to a social media profile, had been a professor at TsNIIKhM.
But the new sanctions provide official confirmation of that theory, and new accountability for the institute for its role in the cyberattack. "It means the government recognizes this lab as a serious threat to global security," says John Hultquist, director of intelligence at FireEye. "They're clearly developing a tool that could have fatal consequences."
The hackers who deployed Triton, given the name Xenotime by the industrial cybersecurity firm Dragos, have also probed US power grid targets, according to Dragos and the Electric Information Sharing and Analysis Center, scanning for points of entry into the networks of American utilities. FireEye found the group inside another victim's network outside of Saudi Arabia, although it declined to reveal more details about that target. Since the Petro Rabigh intrusion, the hackers haven't been spotted deploying Triton again.
The new sanctions come amidst a sudden wave of US government agencies naming, shaming, and punishing Russian state-sponsored hackers for cyberattacks and intrusions stretching back years. On Monday, the Justice Department indicted six hackers working in the service of Russia’s military intelligence agency, the GRU. The hackers, known as Sandworm, are accused of a five-year spree of disruptive attacks that ranged from blackouts in Ukraine to the most destructive malware ever created, NotPetya, to an attempted sabotage of the 2018 Winter Olympics. Then, yesterday, DHS’s Cybersecurity and Infrastructure Agency posted an advisory about another Russian hacker group known as Berserk Bear, or Dragonfly, carrying out broad intrusions of US state and local government organizations as well as US aviation companies.
But naming and sanctioning a supposed research institute among those Russian rogue hackers represents a more unusual step, says Joe Slowik, a cybersecurity researcher at Dragos who has closely tracked Xenotime. Slowik points out that TsNIIKhM is almost equivalent to a US national lab like those at Los Alamos or Lawrence Livermore, with staff who present on a wide variety of research at reputable conferences. “This essentially puts them at the same level as ISIS or the Iranian Revolutionary Guard Corps as being untouchable by the US financial sector,” Slowik says. “It’s really quite astounding to see against an overall academic institution. It shows a degree of consequence that hasn’t existed previously.”
Even so, Slowik argues the sanctions are warranted and welcome—even three years after the fact—given the danger Triton has posed. “Really this is taking the possibilities of a cyber-physical event beyond process disruption or destruction, to the possibility of using a cyber capability to kill someone,” he says. “Even if it’s taken several years, it sends a strong signal that from the US government perspective, cyber-activity that contains the potential—if not the outright intention of—harming or putting at risk human life is unacceptable.”