Russian sabotage in Saudi petrochemicals

Russian hackers reportedly launched the Triton malware campaign against several facilities in Saudi Arabia

A few days ago, digital forensics experts reported a new malware called GreyEnergy, used to attack high-profile organizations in the industrial and energy sectors and allegedly operated by Russian hackers. Now it has been revealed that petrochemical plants in Saudi Arabia have become the new target of these groups, which are believed to have nation-state backing for their operations against other countries.

The hackers reportedly responsible for sabotaging a Saudi petrochemical plant in 2017 through a malware infection were backed by the Russian government. Last year, the industrial control system installed in Saudi Arabia's oil and gas facilities was attacked with that malware.

A cybersecurity and digital forensics firm had been investigating the attack on Saudi Arabia’s National Industrialization Company since December 17. In its latest report, the firm revealed that this malware, known as Trisis or Triton, was a very advanced tool and could have generated a critical security situation at the plant.

It was also reported that the malware attack was part of an operation run by a Russian technical research centre, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow. The operation was tracked under the name TEMP.Veles, and the Triton attack on Saudi Arabia's oil and gas facilities was carried out as part of it.

The Triton malware was developed to sabotage industrial control systems manufactured by Schneider Electric, which are widely deployed in oil and gas installations. The investigation found that the hackers behind the TEMP.Veles operation infiltrated the Saudi organization's systems and planted malware that eventually spread across the network. They were then able to install and run Triton, which could cause considerable physical damage by shutting down the plant's safety controls.

The firm that conducted the investigation also shared evidence pointing to Russian government involvement in the attack. It reported that an IP address used by the malicious actors was linked to CNIIHM, and that activity records showed the main TEMP.Veles operations took place during Russia's standard business hours.
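The business-hours observation above is a standard forensic attribution check: convert each recovered timestamp (file modification, command execution, login) into a candidate time zone and measure how much of the activity falls inside a local Monday-to-Friday working day. The block below is an added illustration of that analysis, not code from the investigation or the report it describes; the timestamps are constructed, the Moscow offset of UTC+3 is a stated assumption, and the 09:00-18:00 window is an arbitrary choice. Working-hours alignment is only one signal among several (infrastructure links, tooling overlap, language artefacts), since timestamps can be shifted or faked, so it supports an attribution rather than establishing one on its own.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker activity as they might be
# recovered from host logs during an incident. These are made up for the
# example and are not data from the Triton investigation.
SAMPLE_EVENTS_UTC = [
    "2017-06-05T06:12:00Z",  # Mon 09:12 MSK
    "2017-06-05T07:48:00Z",  # Mon 10:48 MSK
    "2017-06-06T11:30:00Z",  # Tue 14:30 MSK
    "2017-06-07T13:05:00Z",  # Wed 16:05 MSK
    "2017-06-08T05:55:00Z",  # Thu 08:55 MSK (just before the window)
    "2017-06-09T14:40:00Z",  # Fri 17:40 MSK
    "2017-06-10T09:00:00Z",  # Sat 12:00 MSK (weekend)
    "2017-06-12T08:20:00Z",  # Mon 11:20 MSK
]

# Assumption: Moscow has used UTC+3 year-round since late 2014, so a fixed
# offset is adequate for this illustration. Use a zoneinfo zone for real data.
MOSCOW = timezone(timedelta(hours=3))


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def business_hours_share(events_utc, tz, start_hour=9, end_hour=18):
    """Fraction of events that fall Mon-Fri within [start_hour, end_hour) local time in tz.

    Returns 0.0 for an empty input so callers can compare candidate zones safely.
    """
    if not events_utc:
        return 0.0
    hits = 0
    for ts in events_utc:
        local = parse_utc(ts).astimezone(tz)
        # weekday(): Monday == 0 ... Sunday == 6
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events_utc)


def hourly_histogram(events_utc, tz):
    """Map local hour-of-day -> event count, for eyeballing the activity curve."""
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in events_utc)


def rank_candidate_zones(events_utc, offsets_hours):
    """Score a set of candidate UTC offsets by business-hours fit, best first.

    Returns a list of (offset_hours, share) tuples sorted by descending share.
    """
    scores = []
    for off in offsets_hours:
        tz = timezone(timedelta(hours=off))
        scores.append((off, business_hours_share(events_utc, tz)))
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    print("Moscow business-hours share:", business_hours_share(SAMPLE_EVENTS_UTC, MOSCOW))
    print("Moscow hourly histogram:", sorted(hourly_histogram(SAMPLE_EVENTS_UTC, MOSCOW).items()))
    print("Candidate offsets ranked:", rank_candidate_zones(SAMPLE_EVENTS_UTC, range(-12, 15)))
```

Ranking the share across every whole-hour offset, as `rank_candidate_zones` does, is more informative than testing a single suspected zone: a genuinely diurnal actor produces one clear peak, while activity that fits several distant offsets equally well suggests automation or deliberate timing and should not be read as a location signal.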

In addition, most of the malware's initial development and testing is linked to an unidentified individual who worked at CNIIHM at the time Triton was developed. According to the researchers, “multiple unique tools were deployed in the target environment. Some of the same tools were evaluated in a single-user malware testing environment”.

“While we know that TEMP.Veles implemented Triton’s attack framework, we have no specific evidence to prove whether or not CNIIHM developed this malware”.

The experts rule out the involvement of an insider at the company in this particular attack, stating that the scope and extent of the operation is such that it could not have succeeded without institutional backing.

However, according to digital forensics experts at the International Institute of Cyber Security, it is unlikely that Russia will claim responsibility for these attacks. Globally, Russia has faced no major consequences despite having been accused more than once of launching malware attacks against public and private organizations in many countries.