Malware that caused a dangerous operational failure inside a Middle Eastern critical infrastructure facility was most likely developed by a Russian government-backed research institute, researchers from US security firm FireEye said Tuesday.
The malware, alternately dubbed Triton and Trisis, was most likely designed to cause physical damage inside critical infrastructure sites, such as gas refineries and chemical plants, FireEye researchers said in a report published in December. The attack worked by tampering with a safety instrumented system, which the targeted facility and many other critical infrastructure sites use to prevent unsafe conditions from arising. FireEye’s December report said a nation state was most likely behind the attack, but stopped short of identifying the country.
In a report published Tuesday, FireEye said its researchers now assess with high confidence that the malware used in the attack was developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. The assessment was based on a variety of evidence that not only implicated the institute, which in Russian is abbreviated as CNIIHM, but also a specific professor who works there. Evidence linking the CNIIHM to the attack—which FireEye now calls TEMP.Veles—included malware that was tested inside the institute, artifacts left inside the malware used in the attack, an IP address belonging to CNIIHM, and the malware developer’s operating hours, which showed them observing the work a normal work schedule in Moscow.