
Dangerous Triton Malware Linked to Russian Agency

A Moscow-based laboratory, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), has been linked to the Triton malware that disrupted production at a Saudi Arabian critical infrastructure facility, an intrusion publicly disclosed in December 2017 [1]. Triton (also reported as Trisis) is notable because it targets Schneider Electric Triconex safety instrumented system (SIS) controllers, the layer that is supposed to shut a plant down safely when a process goes out of bounds. CNIIHM is a Russian government-owned institute that FireEye assesses most likely developed and tested at least some of the custom intrusion tools used before Triton was deployed [1]. An IP address registered to CNIIHM was used for several Triton-related activities, including monitoring open-source coverage of Triton, network reconnaissance, and malicious activity in support of the eventual intrusion [1]. The threat group behind it, tracked as TEMP.Veles by FireEye and as Xenotime by Dragos, is assessed to remain active and may target further critical infrastructure worldwide by deploying highly customised malware [2].

[1] FireEye: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for Triton Attackers
[2] Dragos: Xenotime

Ensign InfoSecurity Singapore