Malware that caused a dangerous operational failure inside a Middle Eastern critical infrastructure facility was most likely developed by a Russian government-backed research institute, researchers from US security firm FireEye said Tuesday.
The malware, alternately dubbed Triton and Trisis, was most likely designed to cause physical damage inside critical infrastructure sites, such as gas refineries and chemical plants, FireEye researchers said in a report published in December. The attack worked by tampering with a safety instrumented system, which the targeted facility and many other critical infrastructure sites use to prevent unsafe conditions from arising. FireEye’s December report said a nation-state was most likely behind the attack but stopped short of identifying the country.
In a report published Tuesday, FireEye said its researchers now assess with high confidence that the malware used in the attack was developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. The assessment was based on a variety of evidence that not only implicated the institute, which in Russian is abbreviated as CNIIHM, but also a specific professor who works there. Evidence linking the CNIIHM to the attack—which FireEye now calls TEMP.Veles—included malware that was tested inside the institute, artifacts left inside the malware used in the attack, an IP address belonging to CNIIHM, and the malware developer’s operating hours, which showed them observing a normal work schedule in Moscow.
FireEye never identified the Middle Eastern critical infrastructure facility that was attacked, but CyberScoop in January reported it was a petrochemical plant located in Saudi Arabia.
According to Tuesday’s report:
During our investigation of TEMP.Veles activity, we found multiple unique tools that the group deployed in the target environment. Some of these same tools, identified by hash, were evaluated in a malware testing environment by a single user.
Malware Testing Environment Tied to TEMP.Veles
We identified a malware testing environment that we assess with high confidence was used to refine some TEMP.Veles tools.
- At times, the use of this malware testing environment correlates to in-network activities of TEMP.Veles, demonstrating direct operational support for intrusion activity.
- Four files tested in 2014 are based on the open source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment.
- TEMP.Veles’ lateral movement activities used a publicly available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection. Soon after, the customized utility was again evaluated in the malware testing environment. The following day, TEMP.Veles again tried the utility on a compromised system.
- The user has been active in the malware testing environment since at least 2013, testing customized versions of multiple open source frameworks, including Metasploit, Cobalt Strike, PowerSploit, and other projects. The user’s development patterns appear to pay particular attention to AV evasion and alternative code execution techniques.
- Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open source software, retrofitted with code used for command and control.
Testing, Malware Artifacts, and Malicious Activity Suggests Tie to CNIIHM
Multiple factors suggest that this activity is Russian in origin and associated with CNIIHM.
- A PDB path contained in a tested file contained a string that appears to be a unique handle or user name. This moniker is linked to a Russia-based person active in Russian information security communities since at least 2011.
- The handle has been credited with vulnerability research contributions to the Russian version of Hacker Magazine (хакер).
- According to a now-defunct social media profile, the same individual was a professor at CNIIHM, which is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow.
- Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile.
- Suspected TEMP.Veles incidents include malicious activity originating from 220.127.116.11, which is registered to CNIIHM.
- This IP address has been used to monitor open source coverage of TRITON, heightening the probability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities.
- It also has engaged in network reconnaissance against targets of interest to TEMP.Veles.
- The IP address has been tied to additional malicious activity in support of the TRITON intrusion.
- Multiple files have Cyrillic names and artifacts.
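Two of the artifact classes the report relies on, a PDB path left in a compiled binary and the build timestamps that reveal a developer's working hours, are routine things to pull from a sample during incident triage. The script below is an added example, not code from FireEye, Ars Technica or the TRITON investigation: it reads the COFF `TimeDateStamp` from a PE header, scans for a CodeView `RSDS` record to recover the PDB path, applies a hypothetical heuristic (`handle_from_pdb_path`, an assumption, not the report's method) to pull an account name out of that path, and scores how well a set of compile times fits a Monday-to-Friday office day in a few candidate time zones. The PE bytes and timestamps are constructed stand-ins with a placeholder path; Moscow is assumed to be a fixed UTC+3.

```python
"""Triage helpers for two artifact classes named in the report: a PDB path
embedded in a compiled binary (CodeView RSDS record) and compile timestamps
used to estimate the developer's working hours. Added example; sample
bytes and timestamps below are constructed, not taken from the TRITON case."""
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes):
    """Read the COFF TimeDateStamp (seconds since 1970 UTC) from a PE image.
    Returns None if the MZ/PE headers are not where they should be."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def find_rsds(data: bytes):
    """Scan for a CodeView RSDS record: 'RSDS' + GUID(16) + age(4) + NUL-terminated
    PDB path. Scanning the whole file is cruder than walking the debug directory,
    but it also catches records in packed or partially corrupted images."""
    pos = data.find(b"RSDS")
    if pos == -1 or pos + 24 > len(data):
        return None
    guid = data[pos + 4:pos + 20]
    age = struct.unpack_from("<I", data, pos + 20)[0]
    end = data.find(b"\x00", pos + 24)
    path = data[pos + 24:end if end != -1 else len(data)].decode("utf-8", "replace")
    return {"guid": guid.hex(), "age": age, "pdb_path": path}


def handle_from_pdb_path(path: str):
    """Heuristic (an assumption, not the report's method): the directory right
    after 'Users' in a Windows build path is usually the developer's account name."""
    parts = path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower() in ("users", "documents and settings"):
            return parts[i + 1]
    return None


def business_hours_fraction(epochs, utc_offset_hours, start=9, end=18):
    """Fraction of timestamps that fall Mon-Fri between start and end (local
    hour, end exclusive) when read in a zone at the given fixed UTC offset.
    DST is deliberately not modelled; treat the result as a weak signal only."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for epoch in epochs:
        local = datetime.fromtimestamp(epoch, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(epochs) if epochs else 0.0


def rank_candidate_offsets(epochs, offsets):
    """Return (offset, fraction) pairs, best-fitting zone first."""
    scored = [(off, business_hours_fraction(epochs, off)) for off in offsets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# --- constructed sample input ---------------------------------------------
def _utc(*args):
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())

# Five weekday compiles between 06:30 and 14:30 UTC plus one Saturday build.
SAMPLE_EPOCHS = [
    _utc(2017, 3, 6, 6, 30), _utc(2017, 3, 7, 8, 15), _utc(2017, 3, 8, 10, 0),
    _utc(2017, 3, 9, 13, 45), _utc(2017, 3, 10, 14, 30), _utc(2017, 3, 11, 9, 0),
]

# Minimal stand-in for a PE: MZ header, e_lfanew -> COFF header, one RSDS
# record with a placeholder path (not the real artifact from the report).
_STUB = bytearray(0x40)
_STUB[:2] = b"MZ"
struct.pack_into("<I", _STUB, 0x3C, 0x40)
_STUB += b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, SAMPLE_EPOCHS[0]) + bytes(12)
_STUB += (b"RSDS" + bytes(16) + struct.pack("<I", 1)
          + b"C:\\Users\\placeholder_handle\\src\\Release\\tool.pdb\x00")
SAMPLE_PE = bytes(_STUB)

if __name__ == "__main__":
    built = datetime.fromtimestamp(pe_timestamp(SAMPLE_PE), timezone.utc)
    print("compile time (UTC):", built)
    rec = find_rsds(SAMPLE_PE)
    print("pdb path:", rec["pdb_path"], "-> handle:", handle_from_pdb_path(rec["pdb_path"]))
    for off, frac in rank_candidate_offsets(SAMPLE_EPOCHS, [-5, 0, 3, 8]):
        print(f"UTC{off:+d}: {frac:.0%} of builds inside business hours")
```

On the constructed sample, UTC+3 scores highest (five of six builds inside office hours) and UTC-5 lowest, which is the shape of the "normal work schedule in Moscow" observation. Compile timestamps are trivially forgeable and a single handle in a path proves nothing on its own, which is why the report stacks this kind of artifact alongside network and testing-environment evidence rather than leaning on any one of them.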
When the December report was disclosed, it already underscored an unsettling escalation in hacks on industrial control systems used in power plants, gas refineries, and other types of critical infrastructure. Now that FireEye is saying it was carried out with invaluable support from a Russian-owned institute, the stakes could be higher still. Russia has already been blamed for attacks in December 2015 and December 2016 on Ukrainian power facilities that caused power outages during one of the coldest months in Eastern Europe.
On Twitter, Robert M. Lee, an expert on critical infrastructure attacks at Dragos Security, praised the FireEye research even as he cautioned against relying on it too much.
Their analysts obviously put a lot of work into it and used their language very carefully. I am not trying to give confirmation to or detract from it – only want to give a kudos to what was well done research
— Robert M. Lee (@RobertMLee) October 23, 2018
“The @DragosInc team avoids attribution as it’s an inherently political topic and our view is it doesn’t help our customers,” he wrote. “But I’ve been asked about @FireEye’s analysis released on TRITON attribution today. I found their analysis to be thorough and very professional. Good job.”