Russia Behind Triton Malware? A Cybersecurity Consulting Firm Confirms

Russia Behind Triton Malware

FireEye, a mainstream cybersecurity company, revealed that Russia is allegedly behind international cyber attacks, one of which was against a Saudi Arabian petrochemical plant using the Triton/Trisis malware. The malware is specially crafted software designed to induce artificially accelerated wear and tear on Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.

The unnamed members of a Russian hacker group branded as “TEMP.Veles” are said to be behind the release of the Triton malware. “FireEye Intelligence assesses with high confidence that intrusion activity that led to the deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post. Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval,” explained FireEye in their official blog.

By reverse engineering Triton, FireEye has exposed its links with TEMP.Veles: signature traits found in the malware were observed to match those of the hacker group. “Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow, lending some further support to the scenario that CNIIHM, a Russian research organization in Moscow, has been involved in TEMP.Veles activity,” FireEye added.

Portions of the malware’s description are written in Cyrillic, and evidence also suggests that it was translated to English using automated means thereafter. “The malicious installation version has a task name and description in English, and the clean uninstall version has a task name and description in Cyrillic. The timeline of modification dates within the ZIP also suggests the actor changed the Russian version to English in sequential order, heightening the possibility of a deliberate effort to mask its origins. While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information,” concluded FireEye.
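The modification-date timeline and the Cyrillic-versus-English task descriptions that FireEye quotes above are both recoverable from ZIP archive metadata and entry contents. The following Python script is an added illustration of that analysis step, not code from the article or from FireEye: it builds a small constructed archive in memory (the entry names, timestamps and text are invented for the example and are not the real TRITON package), orders the entries by their stored modification time, flags which ones contain Cyrillic text, and reports whether every Cyrillic-bearing entry predates every non-Cyrillic one, which is the ordering the quoted passage describes.

```python
import io
import unicodedata
import zipfile
from datetime import datetime

# Constructed sample archive (NOT the real TRITON package): one task
# definition with a Cyrillic description and an earlier timestamp, one
# with an English description and a later timestamp.
SAMPLE_ENTRIES = [
    ("uninstall_task.xml", (2017, 5, 1, 9, 12, 0),
     "Описание задачи: чистое удаление".encode("utf-8")),
    ("install_task.xml", (2017, 5, 3, 14, 30, 0),
     b"Task description: install"),
]


def build_sample_zip() -> bytes:
    """Write the constructed entries into an in-memory ZIP, preserving
    the per-entry DOS modification time we set on each ZipInfo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, dos_time, payload in SAMPLE_ENTRIES:
            info = zipfile.ZipInfo(name, date_time=dos_time)
            zf.writestr(info, payload)
    return buf.getvalue()


def has_cyrillic(text: str) -> bool:
    """True if any character belongs to the Unicode Cyrillic block."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)


def zip_timeline(data: bytes) -> list:
    """Return one row per archive entry, ordered by the modification
    time recorded in the ZIP (DOS local time, 2-second resolution, so
    it is evidence of sequence rather than a precise clock)."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info).decode("utf-8", errors="replace")
            rows.append({
                "name": info.filename,
                "mtime": datetime(*info.date_time),
                "cyrillic": has_cyrillic(content) or has_cyrillic(info.filename),
            })
    rows.sort(key=lambda r: r["mtime"])
    return rows


def cyrillic_before_english(rows: list) -> bool:
    """True when every Cyrillic-bearing entry was modified before every
    entry without Cyrillic, i.e. the Russian-language version came first."""
    cyr = [r["mtime"] for r in rows if r["cyrillic"]]
    eng = [r["mtime"] for r in rows if not r["cyrillic"]]
    return bool(cyr) and bool(eng) and max(cyr) < min(eng)


if __name__ == "__main__":
    timeline = zip_timeline(build_sample_zip())
    for row in timeline:
        print(f'{row["mtime"]:%Y-%m-%d %H:%M:%S}  {row["name"]:<20}  cyrillic={row["cyrillic"]}')
    print("Russian version modified before English version:",
          cyrillic_before_english(timeline))
```

Because ZIP entry timestamps are attacker-controlled and easily edited, a timeline built this way supports an ordering hypothesis only when it agrees with other artifacts (the language of each entry, extended timestamp fields, external telemetry); on its own it is weak evidence.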
