Russian state nationals accused of wielding life-threatening malware specifically designed to tamper with critical safety mechanisms at a petrochemical plant are now under sanction by the US Treasury Department.
The attack drew considerable concern because it’s the first known time hackers have used malware designed to cause death or injury, a prospect that may have actually happened had it not been for a lucky series of events. The hackers—who have been linked to a Moscow-based research lab owned by the Russian government—have also targeted a second facility and been caught scanning US power grids.
Now the Treasury Department is sanctioning the group, which is known as the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics or its Russian abbreviation TsNIIKhM. Under a provision in the Countering America’s Adversaries Through Sanctions Act, or CAATSA, the US is designating the center for “knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.”
Dangerous cyber activities
“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Treasury Secretary Steven T. Mnuchin, in a release published on Friday. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
Under the sanctions, all property of TsNIIKhM that is or has come within the possession of a US person is blocked, and US persons are generally prohibited from engaging in transactions with anyone in the group. What’s more, any legal entity that’s 50-percent or more owned by one of the center members is also blocked. Some non-US persons who engage in transactions with TsNIIKhM may be subject to sanctions.
The malware used in the petrochemical manufacturer attack generated so much concern because it zeroed in on processes known as the safety instrumented systems. An SIS is a combination of hardware and software that critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, an SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents. The malware is generally known as either Triton or Trisis because it targeted the Triconex product line made by Schneider Electric.