Treasury sanctions Russian group accused of targeting US critical facilities with destructive malware

The Treasury Department’s Office of Foreign Assets Control on Friday sanctioned a Russian government research institution for alleged use of a dangerous malware virus to target critical infrastructure facilities in the U.S. and in the Middle East. 

The sanctions were levied against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, which, according to the Treasury Department, used a malware virus known as “Triton” to target and manipulate control systems used to shut down critical infrastructure facilities in the event of an emergency in order to save lives. 

The Triton malware was used by hackers in 2017 to target a petrochemical plant in the Middle East, successfully disrupting operations, and again last year to scan and probe at least 20 U.S. electric facilities for cyber vulnerabilities. 

“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” Treasury Secretary Steven Mnuchin said in a statement Friday. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

Secretary of State Mike Pompeo said in a separate statement that “the United States remains steadfast in countering malign cyber activities by Russian actors on behalf of the Government of the Russian Federation.”

Pompeo noted the Triton malware was “designed to specifically target and manipulate industrial safety systems,” and that TsNIIKhM had built tools to help enable Triton attacks. 

“While the Russian government claims to be a responsible actor in cyberspace, it continues to engage in dangerous and malicious activities that threaten the security of the United States and our allies,” he said. “We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions.”

Cybersecurity group FireEye identified the Triton malware in 2017 while responding to an attack on critical infrastructure. Nathan Brubaker, senior manager of Analysis at FireEye’s Mandiant Threat Intelligence, told The Hill in an emailed statement that FireEye was able to track the malware in the months following the attack to the Russian group sanctioned by the Treasury Department on Friday. 

“This was a dangerous tool that may have been used to do real physical harm,” Brubaker said. “We’re fortunate that it was found in the manner it was, giving us a chance to dig into the actors behind the scenes.”

Dragos was another security firm to discover the malware, which the company labeled “TRISIS,” after the malware was targeted at the Middle East facility in 2017. 

Dragos CEO and co-founder Robert Lee told The Hill in an emailed statement that the new sanctions were “significant and compelling,” and marked a turning point in the federal response to attacks on industrial control systems (ICS). 

“This is a norm setting moment and the first time an ICS cyber attack has ever been sanctioned,” Lee said. “This is entirely appropriate as this cyber attack was the first ever targeted explicitly towards human life. We are fortunate no one died and I’m glad to see governments take a strong stance condemning such attacks.”

The sanctions were announced after a flurry of activities by federal authorities this week to push back against malicious Russian cyber activity, along with activity originating from other nation states. 

Director of National Intelligence John Ratcliffe, alongside several other officials, announced Wednesday night that both Russia and Iran had accessed U.S. voter registration data, and that Iran has used this data to target voters in at least three states with threatening emails posing as messages from far-right group the Proud Boys. 

In the wake of the announcement, the Treasury Department announced sanctions Thursday against five Iranian entities, including the Iranian Revolutionary Guards Corp, for interfering in U.S. elections, along with separately sanctioning Iraj Masjedi, the Iranian ambassador to Iraq. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI subsequently issued an alert Thursday that Iranian advanced persistent threat (APT) groups were likely to “sow discord among voters and undermine public confidence in the U.S. electoral process,” including through creating “fictitious” and “spoofed” media sites.

CISA and FBI separately released an alert Thursday warning that a Russian state-sponsored APT group was targeting U.S. state and local networks along with aviation sector companies, with the hacking group successfully accessing at least two servers.

Russia is among the most sophisticated nation states in regards to cyberattacks, alongside China, Iran and North Korea. 

The Justice Department announced indictments earlier this week against six Russian hackers in connection to attacks on the 2018 Winter Olympics, the 2017 French presidential election and the 2017 NotPetya malware attack, one of the most widespread and debilitating international cyberattacks in history.

-Updated at 5:55 p.m.