- The Treasury Department issued sanctions against a Russia-based state research center in connection with the Triton malware, the Office of Foreign Assets Control (OFAC) announced Friday. The agency credited the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) with building customized malware tools.
- The Triton attack was launched against a Saudi Arabia-based oil refinery in 2017 and has been leveraged against "U.S. partners in the Middle East," according to the Treasury. As Triton threatens physical damage, the Treasury's sanctions block and prohibit any transactional engagements with TsNIIKhM. Non-U.S. persons in communication with the entity may also be subject to sanctions.
- Triton "was designed specifically to target and manipulate industrial safety systems," that could shut down processes within the critical infrastructure, according to the Treasury. Researchers found the Triton malware was "designed to give the attackers complete control of infected systems," lending itself the ability to "cause significant physical damage and loss of life." Triton's operators were also "scanning and probing" at least 20 electric utilities in the U.S. in 2019.
Historically, attackers had to be on-premise, inside a facility to wreak the physical operational disruption malware like Triton was designed to create. But cyberattacks are maturing, circumventing information technology to target operational technology.
But there's a misunderstanding between IT and OT practices.
"There's a big disconnect from senior leadership, what the policies of an organization might be, and operational reality," said Chris Hallenbeck, CISO for the Americas at Tanium. At some point, OT operators have to enter the IT environment to facilitate the business. "It's almost laughable to think that someone's only going to do this manually walking between those two environments," said Hallenbeck. Whether intentional or not, personnel will violate policies as it comes to best practices in IT and OT environments.
During the 2017 attack, the Triton malware was deployed through a phishing scheme targeting the Saudi Arabia-based petrochemical facility. While the oil refinery was able to default into a failsafe shutdown, the company was unaware of the malware until an investigation took place.
When cyberthreats cross the threshold of IT into OT, they can "explore the OT networks [and] find potentially vulnerable systems," said Brian Kime, senior analyst at Forrester, while speaking during a virtual Forrester event last month. Upon exploration, the threats can test and "iterate their capability over and over again, because every [programmable logic controller] and [human-machine interface] is customized for that particular industrial process."
Though sanctions are one of the tools the U.S. can deploy to alleviate cyber aggression, they are not fully preventative. Cyberattacks are a cheap form of warfare, and "despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued," according to the Cyberspace Solarium Commission's report.
When the U.S. announced sanctions against Iran in January, Rep. Mike Gallagher, R-Wisconsin, said sanctions are "tougher than saying something mean, but it's not as tough or unpredictable as shooting a missile at somebody," while speaking at a January event in Washington.
CORRECTION: A previous version of this article used the incorrect acronym for human-machine interface.