In December, researchers spotted a new family of industrial control malware that had been used in an attack on a Middle Eastern energy plant. Known as Triton, or Trisis, the suite of hacking tools is one of only a handful of known cyberweapons developed specifically to undermine or destroy industrial equipment. Now, new research from security firm FireEye suggests that at least one element of the Triton campaign originated from Russia. And the tipoff ultimately came from some pretty boneheaded mistakes.

Russian hackers are in the news for all sorts of activity lately, but FireEye's conclusions about Triton are somewhat surprising. Indications that the 2017 Triton attack targeted a Middle Eastern petrochemical plant fueled the perception that Iran was the aggressor—especially following reports that the victim was specifically a Saudi Arabian target. But FireEye's analysis reveals a very different geopolitical context.

FireEye specifically traced the Triton intrusion malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), located in the Nagatino-Sadovniki district of Moscow.

"When we first looked at the Triton incident we had no idea who was responsible for it and that’s actually fairly rare, usually there’s some glaring clue," says John Hultquist, director of research at FireEye. "We had to keep chipping away and let the evidence speak for itself. Now that we’ve associated this capability with Russia we can start thinking about it in the context of Russia’s interests."

King Triton

Triton comprises both malware that infects targets, and a framework for manipulating industrial control systems to gain deeper and deeper control in an environment. Triton attacks seem to set the stage for a final phase in which attackers send remote commands that deliver an end payload. The goal is to destabilize or disable an industrial control system's safety monitors and protection mechanisms so attackers can wreak havoc unchecked. Security researchers discovered the 2017 Triton attack after it failed to successfully skirt those failsafes, leading to a shutdown.


But while the attackers, dubbed TEMP.Veles by FireEye, left few clues about their origins once within those target networks, they were sloppier about concealing themselves while testing the Triton intrusion malware. As FireEye researchers analyzed the incident at the Middle Eastern energy plant and worked backward toward the attackers, they eventually stumbled on a testing environment used by TEMP.Veles that linked the group to the intrusion. The attackers tested and refined malware components beginning at least in 2014 to make them harder for antivirus scanners to detect. FireEye found one of the files from the test environment in the target network.

"They made dumb operational security mistakes, for instance the malware testing," Hultquist says. "They assumed that it wouldn’t be connected to them, because it wasn’t directly tied to the incident—they cleaned up their act for the targeted networks. That’s the lesson we see again and again, these actors make mistakes when they think no one can see them."

Evaluating the testing environment gave FireEye a window into a whole host of TEMP.Veles activities, and they could track how test projects fit in with and mirrored TEMP.Veles's known activity in real victim networks. The group seems to have first been active in the test environment in 2013, and has worked on numerous development projects over the years, particularly customizing open-source hacking tools to tailor them to industrial control settings and make them more inconspicuous.

"Russian government hackers are generally better than leaving a testing environment exposed on the internet." Jeff Bardin, Treadstone 71

In analyzing the TEMP.Veles malware files, FireEye found one that contained a username that is connected to a Russia-based information security researcher. The moniker appears to represent an individual who was a professor at CNIIHM, the institution connected to the malware. FireEye also found that an IP address associated with malicious TEMP.Veles Triton activity, monitoring, and reconnaissance is registered to CNIIHM. The infrastructure and files FireEye analyzed also contain Cyrillic names and notes, and the group seems to work on a schedule consistent with Moscow's time zone. It's worth noting, however, that numerous cities outside Russia—including Tehran—are in similar time zones.
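The attribution reasoning in this article rests on a few kinds of overlap between the attackers' test environment and the victim network: a file that appears in both places, a username embedded in a malware file, Cyrillic strings, and activity that clusters in business hours for a particular time zone. The script below is an added example written for this page, not FireEye's tooling, and every artifact in it is constructed (sample byte blobs, a placeholder username, a synthetic activity timeline). It shows how an analyst would check each indicator, and it carries the article's caveat through to the numbers: a Moscow-hours activity profile is also a Tehran-hours profile, so the time-zone signal alone cannot separate the two candidates.

```python
"""Correlate attribution indicators across a test environment and a victim network.

Added example; all inputs are constructed and the helper names are this example's own.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed "files" recovered from the two environments. The Windows user path and
# the Cyrillic word are planted so the indicator checks below have something to find.
TEST_ENV_FILES = {
    "dropper_v3.bin": b"MZ\x90\x00...stub...\x00C:\\Users\\analyst_placeholder\\proj\\build.pdb\x00",
    "loader.bin": b"MZ\x90\x00...loader...\x00" + "проект".encode("utf-8") + b"\x00",
    "scratch.bin": b"junk",
}
VICTIM_FILES = {
    "svchost_helper.bin": b"MZ\x90\x00...stub...\x00C:\\Users\\analyst_placeholder\\proj\\build.pdb\x00",
    "unrelated.bin": b"MZ\x90\x00...something else entirely...\x00",
}

# Constructed activity timeline: 27 UTC timestamps over three weekdays, 06:20 to 14:20 UTC.
ACTIVITY_UTC = [
    datetime(2017, 6, day, hour, 20, tzinfo=timezone.utc)
    for day in (5, 6, 7)
    for hour in range(6, 15)
]
CANDIDATE_OFFSETS = {  # hypothetical candidate locations and their UTC offsets (summer)
    "Moscow (UTC+3)": 3,
    "Tehran (UTC+3:30)": 3.5,
    "New York (UTC-4)": -4,
    "Beijing (UTC+8)": 8,
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shared_files(env_a, env_b):
    """Return (name_in_a, name_in_b) pairs whose contents hash identically."""
    by_hash = {}
    for name, data in env_a.items():
        by_hash.setdefault(sha256(data), []).append(name)
    matches = []
    for name, data in env_b.items():
        for other in by_hash.get(sha256(data), []):
            matches.append((other, name))
    return matches


CYRILLIC_RUN = re.compile(r"[\u0400-\u04FF]{2,}")          # two or more Cyrillic letters in a row
USER_PATH = re.compile(rb"[A-Za-z]:\\Users\\([^\\\x00]+)\\")  # Windows profile path, e.g. a PDB path


def cyrillic_strings(data):
    """Runs of Cyrillic text in a UTF-8 decode of the blob (invalid bytes are skipped)."""
    return CYRILLIC_RUN.findall(data.decode("utf-8", errors="ignore"))


def embedded_usernames(data):
    """Usernames left behind in embedded Windows user-profile paths."""
    return [m.decode("ascii", errors="replace") for m in USER_PATH.findall(data)]


BUSINESS_HOURS = range(9, 18)  # 09:00-17:59 local


def business_hour_fraction(timestamps, offset_hours):
    """Fraction of activity that falls in local business hours for a given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local_hours = [t.astimezone(tz).hour for t in timestamps]
    return sum(1 for h in local_hours if h in BUSINESS_HOURS) / len(local_hours)


def plausible_offsets(timestamps, candidates, threshold=0.8):
    """Candidate locations whose working day explains at least `threshold` of the activity."""
    return [name for name, off in candidates.items()
            if business_hour_fraction(timestamps, off) >= threshold]


if __name__ == "__main__":
    print("files shared between test env and victim:", shared_files(TEST_ENV_FILES, VICTIM_FILES))
    for name, data in TEST_ENV_FILES.items():
        print(name, "usernames:", embedded_usernames(data), "cyrillic:", cyrillic_strings(data))
    for name, off in CANDIDATE_OFFSETS.items():
        print(f"{name}: {business_hour_fraction(ACTIVITY_UTC, off):.2f} of activity in business hours")
    print("time-zone signal is consistent with:", plausible_offsets(ACTIVITY_UTC, CANDIDATE_OFFSETS))
```

The hash overlap and the embedded username are the strong, specific links here, as they were in the article. The time-zone profile is deliberately the weak one: with the constructed timeline, both Moscow and Tehran score 1.0 while New York and Beijing fall well below the threshold, which is exactly why the article flags that signal as suggestive rather than decisive.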