A cybersecurity firm on Tuesday said a Russian-linked research institute likely helped develop malicious software that was used by a sophisticated hacking group to wage a cyberattack against a Saudi petrochemical plant, forcing its operations shut down last year.
The firm, FireEye, said with “high confidence” that the Moscow-based lab known as Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) helped build tools used by the hacking group Xenotime or TEMP.Veles.
The security firm’s attributions are one of the most direct linking Kremlin-backed hackers to a cyberattack against another country’s critical infrastructure.
{mosads}Xenotime is known for its malware attacks.
This hacking group employs Triton, or Trisis, software, which has the capability of disrupting industrial control system software which leads to industrial plants shutting down, albeit safely.
According to its blog post, FireEye says its research and searches on social media indicate that a professor at CNIIHM is linked to testing of the Triton malware that Xenotime used in its attack against the plant.
“Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM,” FireEye wrote in a blog post.
The firm also observed activity that indicated the institute was going back and forth with the hacking group to test the malware.
The firm noted a series of other clues, like patterns observed by the hacking group — including being active during Moscow’s time zone, where CNIIHM is located. FireEye also noted that the Russian research institute likely had the “institutional knowledge and personnel” needed to help develop Triton and assist Xenotime.
“An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion,” the post continued.
FireEye, however, said it did not have sufficient evidence in order to prove that CNIIHM developed the cyber tools that have targeted critical infrastructure.
While FireEye did not identify the victim of the Triton attack, other news outlets reported that the victim of the attack was a petrochemical plant in Saudi Arabia.
The attack on the Saudi plant also raised red flags for security officials who voiced concern that such attacks could potentially evolve into more grave attacks — ones that cause physical damage.
CyberScoop reported earlier this year that this hacking group was expanding its list of targets and carrying attacks against U.S. companies.
FireEye’s report of CNIIHM comes amid already heightened concerns about Russian cyber operations targeting the U.S. and other targets.
Russia has denied any involvement in such cyberattacks.