Despite early speculation to the contrary, security researchers are now claiming the Russian government was likely...
behind an attack on an industrial control system using the Triton malware.
In a new report, FireEye researchers stated with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is based in Moscow and owned by the Russian government, developed and deployed the Triton malware.
FireEye said activity related to the Triton malware was "consistent with the Moscow time zone," and "CNIIHM likely possesses the necessary institutional knowledge and personnel" to develop such tools.
FireEye also said in a blog post that it tested "multiple versions of malicious software" related to the "Triton intrusion" -- as they describe it -- and found "multiple independent ties to Russia, CNIIHM and a specific person in Moscow," as well as an IP address registered to CNIIHM used to monitor "open-source coverage of Triton, network reconnaissance, and malicious activity in support of the Triton intrusion."
The Triton malware framework was first identified in late 2017 after attackers targeted Triconex Safety Instrumented System controllers. At the time, FireEye noted that the Triton malware was unique, because it appeared to be designed to cause "a specific outcome beyond a process shutdown" of industrial control systems (ICS).
The Triton malware was linked to an attack on a petrochemical plant in Saudi Arabia in August 2017 by The New York Times, and that report led to initial speculation that Iran might be behind the attack.
FireEye never identified the victim organization in its research. Dragos Inc., an ICS security firm that also analyzed and investigated the attack, did not identify the victim beyond saying it was located in the Middle East. But Robert Lee, CEO of Dragos, based in Hanover, Md., told us in a Q&A that the threat group behind the Triton malware in Saudi Arabia "was intending to kill people."
Lee said via Twitter that FireEye's analysis was "thorough and very professional," though he declined to confirm or contest the research, saying that Dragos typically avoids getting into attack attribution.
However, Joe Slowik, adversary hunter at Dragos, said he wasn't convinced by the evidence provided by FireEye regarding the Triton malware attribution. Slowik said he didn't think FireEye was "wrong on individual items discovered," but said he wouldn't put the conclusion at "high confidence."
"The entity responsible for Triton uses compromised infrastructure, and only one IP address for the attributed institution is observed, so that might be compromised infrastructure used by the attacker," Slowik said in an email. "The Python library linked with the researcher could simply be reuse of available code with no real link to that researcher's work. While circumstantially these data points -- and the timing heatmap -- all seem to be pretty conclusive, they just cannot be used as the sole sources behind such a strongly-worded claim."
"It is hard because there are so many ways to obfuscate or otherwise muddle items to make analysis and attribution difficult. Intelligence agencies can get around such problems and have access to far more interesting data sets reflecting what the attacker sees, making attribution easier and more accurate, [but] private security companies are seldom in this position," Slowik continued. "Thus, while attribution can rarely be completely certain, it is even less likely in the case of a single private company."