Data Security

Russia launched Triton malware to sabotage Saudi petrochemical plant

A few days ago it was reported that a new malware called GreyEnergy has been targeting high-profile industrial and energy sector with espionage and fingers were pointed at Russian hackers. Now, it has been revealed that Petrochemical plants in Saudi Arabia have been on the radar of cybercriminals lately and it turns out that nation-states are also backing hackers in their attempts to sabotage them.


Reportedly, the hackers responsible for sabotaging a Saudi petrochemical plant in 2017 by infecting it with malware were actually backed by the Russian government. It must be noted that last year, the industrial control system installed at Saudi Arabia oil and gas facility was targeted with malware.

Cybersecurity firm FireEye had been investigating the attack on Saudi Arabia’s National Industrialization Company since December’ 17. In its latest report, FireEye revealed that the malware, dubbed as Trisis or Triton, was comparatively advanced and could have exploded the plant.

It is also reported that the malware attack was part of a research operation conducted by Russia’s technical research facility Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow. The operation was titled TEMP.Veles and the Triton attack was launched against the Saudi oil and gas facility under this program.

For your information, Triton malware has been developed to sabotage industrial control systems made by Schneider Electric. These systems are usually installed at oil and gas facilities. Investigation reveals that the hackers behind TEMP managed to infiltrate the systems of the Saudi organization and infected them with malware, which eventually got distributed to the entire network. Afterward, they could install and execute the Triton malware to cause considerable physical damage to the systems by shutting off the plant’s safety controls.

FireEye also shared the evidence that hinted at the involvement of Russia in the attack. It was reported that the IP address used by the attacker(s) was registered to the CNIIHM while logs also showed that major TEMP.Veles operation was carried out during Russia’s standard business hours.

CNIIHM website homepage (image credit: FireEye)

Moreover, most of the early development and testing, FireEye noticed, was linked to an unidentified individual who was employed at CNIIHM at the time. Researchers also noted that:

“Multiple unique tools [were] deployed in the target environment. Some of these same tools, identified by a hash, were evaluated in a malware testing environment by a single user.”

“While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.”

Hence, FireEye rules out the involvement of a rogue employee or some lone wolf in this particular attack and claims that the scope and extensiveness of the operation is such that it couldn’t have been successful without the involvement of an institution.

However, Russia is unlikely to bear the brunt of its actions, as has been the case in the previous incidents where Moscow has been identified as the key perpetrator behind wide-scale hacking feats. Globally, Russia hasn’t faced any major backlash despite being accused more than once for launching malware attacks against its rivals.

To Top

Pin It on Pinterest

Share This