Triton malware was created by a Kremlin-backed research lab, security experts discover

• Triton was discovered in 2017 and was designed to specifically target industrial control systems.
• Triton nearly caused an explosion at a Saudi petrochemical plant last year.

Security researchers have discovered links between the powerful Triton malware and the Russian government. Triton was discovered in 2017 and was designed to specifically target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers.

Triton, also known as TEMP.Veles., was leveraged by cybercriminals against a Saudi petrochemical plant last year, which was forced to temporarily shut down after the malware nearly caused an explosion. The malware is capable of manipulating systems’ processes and even completely shutting down controllers.

According to security experts at FireEye, a Moscow-based research lab called Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) is believed to have been responsible for the deployment of Triton. The research facility is owned by the Russian government, which indicates that Russia may have been involved in launching the Triton malware attacks in 2017.

“An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located,” FireEye researchers wrote in a report.

FireEye researchers also discovered that the cybercriminals operating Triton weaponized legitimate, open-source software in their attacks. According to the researchers CNIIHM is also linked to one specific individual, who has likely been active in the malware testing environment since 2013 and previously tested versions of Cobalt Strike, Metasploit, PowerSploit and more.

According to the researchers, CNIIHM has at least two research labs that are proficient in critical infrastructure enterprise safety and weapons development.

“TRITON is a highly specialized framework whose development would be within the capability of a low percentage of intrusion operators,” FireEye researchers added. “Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely."