The US Treasury Department announced sanctions on Friday against a Russian government research institute that it says is connected to the destructive Triton (aka HatMan or Trisis) malware designed to target industrial safety systems.
The sanctions were imposed against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM), which the US Treasury said was behind the 2017 cyber-attack involving the Triton malware on a petrochemical facility in the Middle East.
In the attack, the malicious actor attempted to tamper with the facility’s ICS controllers using the Triton malware, which had been delivered via a phishing attack. However, the facility automatically shut down after several of the ICS controllers entered a fail-safe state, which prevented the malware’s full functionality from being deployed.
“Researchers who investigated the cyber-attack and the malware reported that Triton was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life,” the US Treasury said in a press release.
Last year, the attackers behind the Triton malware were also observed conducting scans and probing at least 20 electric utilities in the US for vulnerabilities.
The sanctions prohibit US entities from engaging with CNIIHM and also seize any of the research institute's US-based assets.
“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions,” the US Treasury said.