US Treasury Sanctions Russian Government Group Linked to ‘Destructive’ Malware

October 24, 2020 Updated: October 25, 2020

The U.S. Treasury Department on Oct. 23 announced sanctions against a Russian government research institution that has been accused of using the “destructive” Triton malware to target critical facilities in the United States.

The malware, also known as TRISIS, or HatMan, was designed to target industrial control systems. The majority of such systems monitor and enable safe emergency shutdown of industrial processes and critical infrastructure facilities to save human life. Such facilities deliver energy, water, transport, banking and finance, and other essential services.

The Treasury Department noted that the Triton malware has been referred to by the private cybersecurity industry as “the most dangerous threat activity publicly known.” The malware was used against U.S. partners in the Middle East, the department stated.

The Treasury also stated that in 2019 the attackers behind the malware were reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.

The entity subject to the sanctions is the Moscow-based institute called the “State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics,” known by the acronym “TsNIIKhM.” It had supported a cyberattack involving the Triton malware on a petrochemical facility in the Middle East in August 2017 by building customized tools that enabled the attack.

TsNIIKhM is being designated under Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA). The sanctions effectively block TsNIIKhM from doing business with the United States.

“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them,” the Treasury Department announced. “Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”

Treasury Secretary Steven Mnuchin said in a statement that the Russian government has been involved in “dangerous cyber activities aimed at the United States and our allies,” and the administration “will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

Secretary of State Mike Pompeo said in a statement that the Russian government “continues to engage in dangerous and malicious activities that threaten the security of the United States and our allies” despite claiming it would be responsible in cyberspace.

“We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions,” he said.

National flags of Russia and the United States fly at Vnukovo International Airport in Moscow on April 11, 2017. (Maxim Shemetov/Reuters)

Nathan Brubaker, an analyst with cybersecurity company FireEye—which first discovered the Triton malware—said the apparent intent made it uniquely dangerous because disabling safety systems at a plant could lead to serious consequences, such as a fire or an explosion.

“The acute nature of the threat is what makes it scary,” Brubaker said, according to Reuters. “Blowing things up and killing people—that’s terrifying.”

Anatoly Antonov, Russia’s ambassador to the United States, stated on social media: “We emphasize once again the illegitimacy of any one-sided restrictions. Russia, unlike the United States, does not conduct offensive operations in cyber domain.

“We call on the United States to abandon the vicious practice of unfounded accusations.”

The sanctions come after a number of other U.S. actions and recent announcements against Russian state-sponsored hackers.

On Oct. 19, the Justice Department charged six agents of a Russian military intelligence agency known as GRU for a series of cyberattacks against other countries’ infrastructure.

On Oct. 21, Director of National Intelligence John Ratcliffe and other officials announced that Iran and Russia have gained access and obtained U.S. voting registration information “to influence public opinion in relation to our elections.”

On Oct. 23, the FBI and the Department of Homeland Security warned of activity by a Russian state-sponsored hacking group that researchers track under several names, including Berserk Bear and Dragonfly. The group has targeted dozens of state, local, tribal, and territorial U.S. governments, as well as U.S. aviation networks, the two agencies stated in a joint alert.

Reuters contributed to this report.

Follow Mimi on Twitter: @MimiNguyenLy