FireEye Intelligence has assessed with high confidence that the Critical-Infrastructure intrusion activity which led to deployment of the Triton Attack Framework was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution located in Moscow.
The Triton framework targets specific Safety Instrumented Systems (SIS) and Industrial Control Systems (ICS). Triton is built around the operating system of an actual SIS/ICS product: the trojan is used against Schneider Electric’s Triconex SIS. These systems run unique operating systems and are usually not connected to the Internet, so the malware must be introduced locally, typically through social engineering. TEMP.Veles (TV) is the name given to the threat group that used Triton to attack a Saudi Arabian oil facility.
FireEye has presented as much public information as possible to support its assessment, but has withheld some sensitive information that further contributes to its high-confidence judgement.
Investigation of the malware testing activity described below reveals multiple independent ties to Russia, to CNIIHM, and to a specific person in Moscow whose online activity shows significant links to CNIIHM.
An IP address registered to CNIIHM has been employed by TV for multiple purposes, including monitoring open-source coverage of the Triton Critical-Infrastructure Intrusion Trojan, network reconnaissance, and malicious activity in support of the Triton intrusion.
Behavior patterns observed in TV activity are consistent with working hours in the Moscow time zone, where CNIIHM is located.
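The time-zone reasoning above, as an added illustration that is not part of the FireEye report or of this page: each candidate UTC offset is scored by the fraction of observed events that land inside assumed local working hours on a weekday, and the best-scoring offset is the likely operator time zone. The 09:00-18:00 window and the sample timestamps are constructed assumptions, not data from the report.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed intrusion events (not real data).
# They cluster at 06:00-15:00 UTC on weekdays, i.e. 09:00-18:00 in UTC+3 (Moscow).
SAMPLE_EVENTS_UTC = [
    "2018-03-05T06:12:00", "2018-03-05T08:40:00", "2018-03-05T11:05:00",
    "2018-03-06T07:30:00", "2018-03-06T13:55:00", "2018-03-07T09:10:00",
    "2018-03-07T14:45:00", "2018-03-08T06:50:00", "2018-03-08T12:20:00",
    "2018-03-09T10:00:00", "2018-03-09T14:30:00", "2018-03-12T08:15:00",
    "2018-03-13T13:00:00", "2018-03-14T07:05:00", "2018-03-15T11:40:00",
    "2018-03-16T06:30:00",
    "2018-03-10T09:00:00",  # Saturday: a weekend outlier the scoring ignores
]

# Assumed local working-hours window used by the scoring model.
WORK_START, WORK_END = 9, 18


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp that is known to be in UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def working_hours_score(events_utc, offset_hours: int) -> float:
    """Fraction of events that fall on a weekday between WORK_START and
    WORK_END once shifted into the candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events_utc:
        local = ev.astimezone(tz)
        # weekday() < 5 is Monday..Friday; hour is compared in local time
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Return (offset, score) pairs sorted best-first; ties broken by offset."""
    events = [parse_utc(t) for t in timestamps]
    scored = [(off, working_hours_score(events, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], p[0]))


def best_offset(timestamps) -> int:
    """UTC offset (hours) under which the activity looks most like office hours."""
    return rank_offsets(timestamps)[0][0]


if __name__ == "__main__":
    for off, score in rank_offsets(SAMPLE_EVENTS_UTC)[:3]:
        print(f"UTC{off:+d}: {score:.2f}")
```

A single best-fitting offset is only one signal: it is consistent with the Moscow hypothesis rather than proof of it, which is why the report pairs it with the infrastructure and persona evidence.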
FireEye has judged that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of Triton and TV operations.
Malware Testing Activity Suggests Links between Hackers and Russian Government
FireEye says it found multiple unique tools that the group deployed in the target environment. Some of these same tools, identified by hash, were evaluated in a malware testing environment by a single user.
Malware Testing Environment Tied to Hacker Group
FireEye has identified the malware testing environment and has assessed with high confidence that it is Russian.
At times, the use of this malware testing environment correlates to in-network activities of TV, demonstrating direct operational support for intrusion activity.
These files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TV target’s network.
FireEye found that the custom payloads utilized by TV in the Critical-Infrastructure intrusions investigated by Mandiant are typically weaponized versions of legitimate open-source software, retrofitted with code used for command and control.
Evidence Points to Russian Hacking Group
Multiple factors suggest that this activity is Russian in origin and associated with CNIIHM.
- Certain files carry unique user names, and those user names match Russian social media handles.
- The handles are linked to Russian hacking circles.
- The usernames and handles on a Russian social network currently show multiple photos of the users in proximity to Moscow.
- Suspected incidents include malicious activity originating from the Russian IP 220.127.116.11.
- Open-source coverage of the Triton trojan was monitored from a Russian IP.
- Multiple files have Cyrillic names and artifacts.
See the full report: https://www.fireeye.com/0