Researchers have attributed with “high confidence” industrial control system (ICS) intrusion activity known as TRITON to a Russian state-owned research institute.
FireEye claimed in a blog post on Tuesday that the activity, now known as TEMP.Veles, was supported by the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM).
Aside from spotting behavior patterns consistent with the Moscow time zone, the vendor claimed that “CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.”
FireEye claimed to have found a unique username contained in the code of a tested file which it linked to an individual “active in Russian information security communities since at least 2011.”
That same person was apparently a professor at CNIIHM, according to an old social media profile. FireEye dismissed the possibility of the individual acting alone as “highly unlikely.”
The vendor also said that malicious TEMP.Veles activity originated from an IP address registered to the institute. That same address had been used to monitor open source coverage of TRITON and to conduct network reconnaissance against targets of interest to the campaign.
Cyrillic names and artifacts are also widespread, the researchers said.
The CNIIHM’s two research divisions also highlight a link to TRITON.
“The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts,” explained FireEye. “The Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment. It also researches methods for enabling enterprise safety in emergency situations.”
TRITON was first spotted in 2017 attacking critical infrastructure in the Middle East, targeting emergency shutdown systems. In fact, it nearly caused an explosion at a Saudi petrochemical plant.