


Russian Lab Linked to Malware That Attacks Industrial Plants

A Russian research lab is getting blamed for developing malware that nearly blew up a Saudi energy plant last year.

In a Tuesday report, security firm FireEye connects the Triton malware to a Moscow-based laboratory called the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.

Triton grabbed headlines last year for attacking a petrochemical plant in Saudi Arabia in an apparent attempt at industrial demolition. The malware was specifically designed to infect a Windows computer and then tamper with the plant's safety control system, built by Schneider Electric, so that it would ignore hazardous conditions.

FireEye was brought in to investigate the attack, and said it found evidence that Triton's development was the work of a professor employed by a Russian government lab. The security firm made the connection by identifying where Triton's creators were testing the malware to beat antivirus detection. A file uploaded to the malware testing repository contained a line of code that appeared to be a unique internet handle.


FireEye searched the internet and discovered the same handle belongs to an individual who has both submitted security research to a Russian hacking magazine and worked as a professor at the Russian research lab. "Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile," it said.

FireEye refrained from naming the Russian professor or the internet handle he used.

In addition, attacks connected to the Triton malware were also traced back to an IP address registered to the Russian research lab, FireEye said. "This IP address has been used to monitor open-source coverage of TRITON... it also has engaged in network reconnaissance against targets of interest," the security firm added.

FireEye's confidence in the links between the research lab and Triton only extends to certain components of the malware. However, the security firm claims the Russian research lab has the capabilities to develop the entire attack framework. According to CNIIHM's own website, the lab has a division focused on protecting critical infrastructure facilities from technology-based threats.

A separate security firm called Dragos has also been researching the Triton malware and warns the group behind the malicious code has been expanding operations outside the Middle East. Although Dragos refrains from making attributions, company CEO Robert Lee said he found FireEye's analysis "to be thorough and very professional."

It isn't the first time the Russian government has been blamed for launching malware that can sabotage industrial systems. Security researchers also suspect the Kremlin was behind cyber attacks that were designed to disrupt Ukraine's power grid. While industrial-based malware remains rare, security experts fear such attacks could proliferate and cause real-world harm.

So far, the Russian research lab hasn't commented on the allegations in FireEye's report. Previously, some security researchers suspected Iran may have been behind the Triton malware.

Source: https://sea.pcmag.com/news/30069/russian-lab-linked-to-malware-that-attacks-industrial-plants

Posted by: lovellequithere1991.blogspot.com
