U.S. Puts Sanctions on Russian Research Institution Tied to Malware That Targets Industrial Systems

Published 26 October 2020

The United States has placed sanctions on a Russian government research institute connected to the development of computer malware capable of targeting industrial safety systems and causing catastrophic damage.

The U.S. Treasury Department announced on October 23 that the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) had been added to the sanctions list.

It said the institute was “connected to the destructive Triton malware” designed to target and manipulate industrial safety systems that provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life.

The cyber-actors behind the Triton malware have been referred to by the private cybersecurity industry as “the most dangerous threat activity publicly known,” the Treasury Department said in a news release.

“The Russian Government continues to engage in dangerous cyberactivities aimed at the United States and our allies,” Treasury Secretary Steven Mnuchin said. “This administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

Responding to the U.S. accusations, the Russian Embassy in Washington said Moscow did not conduct offensive cyberoperations.

“We call on the United States to abandon the vicious practice of unfounded accusations,” Ambassador Anatoly Antonov said on Facebook.

The Treasury Department said the malware was deployed using phishing techniques against a U.S. partner in the Middle East in August 2017 in an attack against an unidentified petrochemical facility. TsNIIKhM was “responsible for building customized tools that enabled the attack,” the department said.

The attack raised concern among the cybersecurity community when it was made public because, unlike typical intrusions aimed at stealing data or holding data for ransom, it appeared aimed at causing physical damage to the facility by disabling its safety system.

“Researchers who investigated the cyberattack and the malware reported that Triton was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life,” the Treasury Department said.

It added that in 2019 the attackers behind the Triton malware were reported to be probing at least 20 electric utilities in the United States for vulnerabilities.

The sanctions ban Americans or U.S.-based organizations from doing business with the designated institution and freeze any assets it might have in U.S. jurisdiction.

This article is reprinted with permission of Radio Free Europe/Radio Liberty (RFE/RL).