US authorities imposed sanctions on a Russian institution associated with Triton malware

The US Treasury Department announced the imposition of sanctions on the Central Research Institute of Chemistry and Mechanics (CRICM), as the Russian research institute is suspected of developing a Triton malware designed to attack industrial equipment.

Triton was first discovered at the end of 2017. Then it was reported that the malware was used to attack Triconex (Triconex Safety Instrumented System, SIS) controllers manufactured by Schneider Electric. These solutions are needed to monitor various processes in factories, enterprises, and so on, and safely recover or shutdown equipment in case of any failures and potentially dangerous situations.

Analysts at FireEye, Dragos and Symantec wrote that Triton was being used for actual attacks, but did not disclose the names of the affected organizations and countries where they are based. At the same time, analysts at FireEye were firmly convinced that well-funded “government hackers” who had all the necessary resources to carry out such attacks stood behind the creation of Triton. And in 2018, FireEye came to the conclusion that Moscow-based CRICM had something to do with these attacks.

“Since then, malware has been used against other companies more than once. In addition, the hack group behind the malware (known as TEMP.Veles or Xenotime) was allegedly seen “scanning and examining for vulnerabilities at least 20 utilities in the United States”, – says the Ministry of Finance statement.

Currently imposed sanctions prohibit American companies from cooperating in any way with CRICM, and are also aimed at confiscating any assets of the institute located in the United States.

The European Union, in turn, introduced new sanctions against Russia after hacking of the systems of the German parliament (Bundestag) that occurred in 2015.

Let me remind you that in the spring of this year, the German prosecutor’s office issued an arrest warrant for the 29-year-old Russian Dmitry Sergeevich Badin, who was accused of this attack. German law enforcement officials believe that Badin is a Main Intelligence Directorate (G.U.) officer, as well as a member of the “government” hack group ATP28 (aka Fancy Bear, Sofacy, Strontium, Grizzly Steppe, and so on). As a member of hack group, he was engaged in cyber espionage.

Then the local media wrote that in the period from April to May 2015, APT28 penetrated the internal network of the Bundestag.

Citing unnamed sources, the German newspaper Sueddeutsche Zeitung reported that the German authorities were able to prove the linkage between the tools and malware used in this attack and Dmitry Badin, at that time a member of APT28.

Interestingly, the US authorities have previously linked Badin and 11 other alleged GU officers to the 2016-2018 attacks on the US Democratic National Committee, the US Democratic Congressional Committee, individual members of the Hillary Clinton campaign headquarters, WADA, and so on. Because of this, Badin was included in FBI’s most wanted list of cybercriminals.

Now the EU authorities have imposed sanctions not only on Dmitry Badin, but also on Igor Kostyukov, the current head of the General Staff. EU officials said that Kostyukov is in charge for the 85th Main Center for Special Services of the GU, as well as for the well-known unit 26165, which, in fact, is the hack group APT28.

“This cyberattack targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen, the mailboxes of several politicians were affected, including Angela Merkel’s box”, — said in the EU.

The persons involved in the sanctions list were banned from entering the territory of the European Union and Great Britain, and their assets in these countries were frozen.

As a reminder, US authorities accused six Russians of NotPetya, KillDisk and OlympicDestroyer attacks last week, while the UK says Russian hackers were preparing cyberattacks on Tokyo Olympics.