Posted on October 25, 2018 at 6:37 AM
In a recent twist, the cybersecurity company FireEye announced that malware used in an attempted sabotage of a Saudi petrochemical plant was created by the Russian government.
Russian Institute of Chemistry and Mechanics is responsible, says FireEye
In its new blog post, FireEye claims that the malware known as Triton (also called Trisis) was used to sabotage a petrochemical plant in Saudi Arabia. The malware was supposedly used either to damage the facility or to cause it to explode. However, the real discovery lies in the claim that it was created by the Russian government.
The attack occurred back in 2017, and the malware that was used had not been seen before the incident. According to researchers, it was engineered to target Schneider Electric’s Triconex Safety Instrumented System controllers. The attack almost worked, and it nearly caused an explosion at the Tasnee-owned plant.
At the time, however, it was unknown where the malware came from. Now, FireEye claims that it can assess with high confidence that the incident was caused by CNIIHM (Central Scientific Research Institute of Chemistry and Mechanics), which is located in Moscow. It is important to note that Triton itself was not directly connected to the institute. Instead, researchers discovered the connection through secondary malware strains used by the group FireEye tracks as TEMP.Veles.
These secondary malware strains are used to help Triton deliver its payloads, which is why they were deployed during the attack. Even so, researchers claim they contain enough information to point to their source. Researchers also allow for the possibility that a few rogue employees at CNIIHM are responsible. According to them, these employees could have conducted the attack without their employer’s knowledge or approval, although this is unlikely.
Instead, the most likely scenario involves a CNIIHM professor who supposedly worked on the malware. FireEye’s statement claims that there were enough clues in the malware to support this observation. Despite this, the company remained careful in its attribution.
No firm evidence yet
One thing remains certain: CNIIHM does have the tools and knowledge needed to create malware such as Triton. Not only that, but its ties to the Russian military also give it a reason to do so. The motive behind the attack remains unknown, however. Even if these allegations are correct, researchers offered no explanation of why Russia would want to sabotage a petrochemical plant in Saudi Arabia.
It is also worth noting that experts originally suspected Iran’s cyber-intelligence services as the party most likely responsible for the incident. These allegations, however, were made before this report and without conclusive evidence.
So far, researchers lack evidence that would confirm any of these theories. However, their findings continue to point to the Russian institute as the most probable source of the attack.