Sanctions for suspects behind destructive malware
- October 27, 2020
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid
Some call it the “world’s most murderous malware.”
The U.S. announced it is imposing sanctions on the organization responsible for using this destructive malware in a cyberattack at a Saudi Arabian petrochemical plant in 2017.
The organization is a Russian government research institute in Moscow, according to the U.S. Treasury.
The sanctions are a welcome surprise, said K. Reid Wightman, principal vulnerability analyst with cybersecurity company Dragos.
The attackers show a “willingness to execute attacks against civilian infrastructure which can, potentially, result in a loss of life,” he added.
Attack on Safety
The Saudi Arabian petrochemical plant suddenly — mysteriously — shut down in August 2017.
Researchers found the cause. Attackers had launched malware known as Triton, Trisis or Hatman, using it to take control of the plant’s safety systems, the systems that tell the machines to shut down if something goes badly wrong, such as temperature or pressure rising too high.
It’s a crucial part of the industrial system. Without it, dangerous conditions could escalate to the point of damage or death.
In this case, the attackers appear to have made a mistake that triggered a shutdown and led to their discovery.
“Safety system is the last line of defense,” said industrial cybersecurity researcher Marina Krotofil in an interview five months after the attack. “And for me personally, it’s worrisome. People working in the plant, people live around the plant.”
The attack was the work of Russian government hackers from the Central Scientific Research Institute of Chemistry and Mechanics in Moscow, the Treasury Department said in its sanctions announcement.
The sanctions mean U.S. companies and people are blocked from engaging with the institute, and the U.S. can seize the institute’s assets in America.
The attack started with phishing and progressed to the point where attackers had “complete control of infected systems and had the capability to cause significant physical damage and loss of life,” the announcement said.
“It is great to see some attempt at slowing or stopping the kind of bad behavior that we saw with the activity group behind TRISIS/TRITON/HatMan,” Wightman said. “I do hope it slows them down or causes them to stop this kind of targeting entirely.”
More Cyber Intrusions
The hackers behind the Triton/Trisis malware were also reportedly scanning and exploring at least 20 electric utilities in the United States, the Treasury Department said.
The U.S. just charged Russian military hackers for another big attack.
The U.S. Justice Department named Russian military officers as responsible for the cyber blackouts in Ukraine in 2015 and 2016, as well as the global NotPetya malware attack in 2017 that caused millions of dollars in damage.
Russian government spokesperson Dmitry Peskov said the charges are “rampant Russophobia which, of course, have nothing to do with reality.”
“I would like to see more international laws which regulate usage of cyber warfare in general, especially those which have impact on the well-being of the civilian population,” said Krotofil.
“Without strict regulations, we may end up with [an] uncontrolled cause of human suffering at the time of political and military crisis, which is unacceptable,” she added.
Main image: Example of a petrochemical plant in Saudi Arabia. Image: Rangsarit Chaiyakun/iStock