The cybersecurity firm FireEye has attributed the source of the TRITON critical infrastructure intrusion to a Russian government-owned research institute.
FireEye was able to backtrack the activity, now tracked as TEMP.Veles, to Russia by examining other malicious software used in the TRITON attack and tying it to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution in Moscow, and to a specific person in Moscow.
“We now track this activity set as TEMP.Veles. We provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute,” FireEye Intelligence wrote.
The initial TRITON attack in late 2017 on a critical infrastructure organization contained malware designed to allow the industrial control system that handles emergency shutdown procedures to be remotely manipulated.
Specifically, an IP address registered to CNIIHM was used by TEMP.Veles for several tasks, including network reconnaissance, monitoring open-source coverage of TRITON, and other malicious activity.
“We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations,” the report said.
During its investigation FireEye also identified, by hash, several unique tools found on the victim’s systems that had earlier been run through a malware testing environment the attacker used to refine TEMP.Veles tooling.
“Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment,” the report said.
Other clues tying the code’s creation to Moscow were timestamps in the UTC+3 time zone, Russian-language artifacts, and indications that some text had been changed from Russian to English, perhaps in an attempt by the malicious actors to camouflage their origin.
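The timestamp clue above is one instance of a routine threat-intelligence check: given a set of compile or activity timestamps in UTC, an analyst asks which fixed offset best places them inside an ordinary working week. The script below is an added illustration of that check, not FireEye's method or code; the timestamps in it are constructed sample values, and the working-hours window (09:00 to 18:00 on weekdays) and the candidate offsets are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps (UTC), not data from the TRITON case.
# 2017-10-02 is a Monday, so all nine fall on weekdays.
SAMPLE_TIMESTAMPS_UTC = [
    datetime(2017, 10, 2, 6, 15, tzinfo=timezone.utc),   # Monday
    datetime(2017, 10, 2, 7, 40, tzinfo=timezone.utc),
    datetime(2017, 10, 3, 8, 5, tzinfo=timezone.utc),    # Tuesday
    datetime(2017, 10, 3, 9, 30, tzinfo=timezone.utc),
    datetime(2017, 10, 4, 10, 10, tzinfo=timezone.utc),  # Wednesday
    datetime(2017, 10, 4, 11, 55, tzinfo=timezone.utc),
    datetime(2017, 10, 5, 12, 20, tzinfo=timezone.utc),  # Thursday
    datetime(2017, 10, 5, 13, 45, tzinfo=timezone.utc),
    datetime(2017, 10, 6, 14, 30, tzinfo=timezone.utc),  # Friday
]

# Assumed local working window: [09:00, 18:00) on Monday to Friday.
WORK_START, WORK_END = 9, 18


def working_hours_score(timestamps, offset_hours):
    """Fraction of timestamps that land in the working window once
    shifted to a fixed UTC offset (no DST handling, by design)."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps)


def infer_utc_offset(timestamps, candidates=range(-12, 15)):
    """Return (best_offset, scores) where best_offset is the candidate
    offset that places the most timestamps in working hours; ties go
    to the offset closest to UTC so the result is deterministic."""
    scores = {off: working_hours_score(timestamps, off) for off in candidates}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


def hour_histogram(timestamps, offset_hours):
    """Hour-of-day counts under a given offset, for eyeballing the fit."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in timestamps)


if __name__ == "__main__":
    best, scores = infer_utc_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best-fitting offset: UTC{best:+d} (score {scores[best]:.2f})")
    for hour, n in sorted(hour_histogram(SAMPLE_TIMESTAMPS_UTC, best).items()):
        print(f"  {hour:02d}:00  {'#' * n}")
```

On the constructed sample the best fit is UTC+3, with every timestamp inside the working window; UTC+2 and UTC+4 each drop one. Two caveats belong with any real use: fixed offsets ignore daylight-saving shifts, so a long time span should be scored per season or with a named zone, and compile timestamps are attacker-controlled metadata. The article itself notes language artifacts being altered to mislead, so a timezone fit is corroborating evidence to weigh alongside infrastructure and tooling overlaps, not a standalone conclusion.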