The U.S. government recently issued sanctions related to the milestone TRITON malware attack of 2017. That attack on a Saudi Arabian oil refinery went beyond other industrial cyberattacks by directly interacting with a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.
The new sanctions against Russia’s Central Scientific Research Institute of Chemistry and Mechanics are notable in several ways. They are the first government action naming Russia as the threat actor behind TRITON, and they specifically name an academic institute on par with a U.S. national lab. They also send a strong signal that cyberattacks on critical infrastructure can have severe consequences.
The sanctions follow action earlier in the month charging six Russian GRU officers with “worldwide deployment of destructive malware and other disruptive attacks in cyberspace.” [1]
Now is the time for you to be particularly vigilant in monitoring the cybersecurity of your facilities. With the U.S. election close and a potential period of uncertainty following it, it’s important for the private sector to join with government and public sector organizations to ensure public safety and avoid a breakdown in the systems that keep societies functioning.
Critical Infrastructure Threats Require Community Action
When Nozomi Networks analyzed the TRITON malware in 2018, our findings led us to believe that while TRITON failed, the attacker(s) could have just as easily succeeded in injecting the final payload. This realization, combined with the knowledge that a growing number of nation-state adversaries and other hackers have critical infrastructure in their sights, calls for vigorous defense of national critical infrastructure.
No single entity can solve this global issue. It requires end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies to work together to help the global energy, transportation, health care, election and other critical systems withstand cyberattacks.
“The sanctions against Russia for the TRITON malware are an important step in signaling how seriously we take any malicious cyber activity that poses a threat to human life or safety.
And sanctions against a scientific research institute may impact the individuals who developed these tools more than sanctions against the Russian government might. Since scientists thrive on their reputation, accusing them of threatening people’s lives, and impacting their ability to collaborate internationally, may impose significant negative consequences.
More broadly, when combined with other recent U.S. government activity calling out Russian cyber activity, including recent indictments and alerts, Russia should be on notice that they cannot act with impunity – or at least not without attribution.
The timing may be intended to warn against hacking into election infrastructure, or it may be designed to look tough on Russia for the American electorate, or both.”
– Suzanne Spaulding, Former DHS Undersecretary and Nozomi Networks Advisor
Be On High Alert for Malware and Nation-State Attacks
In 2019 it was publicly disclosed that the same hackers behind TRITON were scanning the networks of U.S. power grids, looking for access. At the time, the U.S. government took the then-unusual step of warning energy and critical infrastructure operators of the threat and urging them to be vigilant. [2]
Now, as the U.S. election approaches, it’s once again time to be on high alert. With increased cyber threats and political uncertainty, we urge you to attentively monitor your IT, OT and IoT networks. Make sure your threat intelligence information is up-to-date and that your incident response plans are practiced. Finally, we urge you to proactively coordinate with appropriate government, industry and public organizations regarding unusual or suspicious activity.