The U.S. Treasury Department on Oct. 23 announced sanctions against a Russian government research institution that has been accused of using the “destructive” Triton malware to target critical facilities in the United States.
The malware, also known as TRISIS or HatMan, was designed to target industrial control systems, and specifically the safety systems that monitor industrial processes and trigger a safe emergency shutdown to protect human life. Such facilities deliver energy, water, transport, banking and finance, and other essential services.
The Treasury Department noted that the Triton malware has been referred to by the private cybersecurity industry as “the most dangerous threat activity publicly known.” The malware was used against U.S. partners in the Middle East, the department stated.
The Treasury also stated in 2019 that the attackers behind the malware were reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.
The entity subject to the sanctions is the Moscow-based institute called the “State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics,” known by the acronym “TsNIIKhM.” It had supported a cyberattack involving the Triton malware on a petrochemical facility in the Middle East in August 2017 by building customized tools that enabled the attack.
TsNIIKhM is being designated under Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA). The sanctions effectively block TsNIIKhM from doing business with the United States.
“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them,” the Treasury Department announced. “Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”
“We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions,” he said.
Nathan Brubaker, an analyst with cybersecurity company FireEye—which first discovered the Triton malware—said the apparent intent made it uniquely dangerous because disabling safety systems at a plant could lead to serious consequences, such as a fire or an explosion.
“The acute nature of the threat is what makes it scary,” Brubaker said, according to Reuters. “Blowing things up and killing people—that’s terrifying.”
Anatoly Antonov, Russia’s ambassador to the United States, stated on social media: “We emphasize once again the illegitimacy of any one-sided restrictions. Russia, unlike the United States, does not conduct offensive operations in cyber domain.
“We call on the United States to abandon the vicious practice of unfounded accusations.”
The sanctions come after a number of other U.S. actions and recent announcements against Russian state-sponsored hackers.