Dangerous Triton Malware linked to Russian Agency

23 - 30 October 2018

A Moscow-based laboratory, Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), has been linked to the Triton malware that disrupted production at a Saudi Arabian critical infrastructure facility in December 2017. CNIIHM is a Russian government-owned agency that may be responsible for testing and developing Triton before its deployment. An IP address registered to CNIIHM was used for various Triton-related activities, including monitoring open-source coverage of Triton, network reconnaissance, and malicious activity in support of the eventual intrusion. The threat group is deemed to be active and may target more critical infrastructure worldwide by deploying highly customised malware.
