In December, researchers spotted a new family of industrial control malware that had been used in an attack on a Middle Eastern energy plant. Known as Triton, or Trisis, the suite of hacking tools is one of only a handful of known cyberweapons developed specifically to undermine or destroy industrial equipment. Now, new research from security firm FireEye suggests that at least one element of the Triton campaign originated from Russia. And the tipoff ultimately came from some pretty boneheaded mistakes.
Russian hackers are in the news for all sorts of activity lately, but FireEye's conclusions about Triton are somewhat surprising. Indications that the 2017 Triton attack targeted a Middle Eastern petrochemical plant fueled the perception that Iran was the aggressor—especially following reports that the victim was specifically a Saudi Arabian target. But FireEye's analysis reveals a very different geopolitical context.
FireEye specifically traced the Triton intrusion malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics, located in the Nagatino-Sadovniki district of Moscow.
"When we first looked at the Triton incident we had no idea who was responsible for it, and that's actually fairly rare; usually there's some glaring clue," says John Hultquist, director of research at FireEye. "We had to keep chipping away and let the evidence speak for itself. Now that we've associated this capability with Russia, we can start thinking about it in the context of Russia's interests."
Read the full article and more in Wired.