The U.S. Treasury Department announced that it is imposing sanctions on the Federal State Unitary Enterprise Central Research Institute of Chemistry and Mechanics (TsNIIHM), as the Russian research institute is suspected of involvement in the development of the Triton malware, which is designed to attack industrial equipment.
Let me remind you that in 2018 FireEye experts published a detailed report on Triton (aka Trisis or HatMan), which attacked critical infrastructure facilities, including (according to media reports) a Saudi petrochemical enterprise owned by Tasnee.
Triton was first discovered at the end of 2017. At the time, it was reported that the malware was used to attack Triconex (Triconex Safety Instrumented System, SIS) controllers manufactured by Schneider Electric. These systems monitor various processes in factories, plants, and similar facilities, and safely recover or shut down equipment in the event of failures and potentially dangerous situations.
Analysts at FireEye, Dragos and Symantec wrote that Triton was being used in real attacks, but did not disclose the names of the affected organizations or the countries in which they are based. At the same time, analysts at FireEye were firmly convinced that well-funded "government hackers", with all the resources needed to carry out such attacks, were behind the creation of Triton. In 2018, FireEye concluded that the Moscow-based TsNIIHM had something to do with these attacks.
A statement from the Treasury Department says that since then, the malware has been used against other companies more than once. In addition, the hacking group behind the malware (known as TEMP.Veles or Xenotime) was allegedly seen "scanning and examining at least 20 utilities in the United States for vulnerabilities."
The sanctions now imposed prohibit American companies from cooperating in any way with TsNIIHM, and also provide for the seizure of any assets of the institute located in the United States.
The European Union, in turn, introduced new sanctions against Russia in connection with the hacking of the systems of the German parliament (Bundestag) that occurred in 2015.
Let me remind you that in the spring of this year, the German prosecutor's office issued an arrest warrant for a 29-year-old Russian, Dmitry Sergeevich Badin, who was accused of this attack. German law enforcement officials believe that Badin is an officer of the GRU and a member of the "government" hacking group APT28 (aka Fancy Bear, Sofacy, Strontium, Grizzly Steppe, and so on), where he was engaged in cyber espionage.
At the time, the local media wrote that between April and May 2015, APT28 penetrated the internal network of the Bundestag. To gain a foothold, the hackers used phishing emails, allegedly directed at UN officials, to trick parliament staff into opening a malicious file that purportedly claimed that Russia's participation in the Ukrainian conflict had plunged the country's economy into chaos. The document infected the computers of Bundestag employees with malware, which allowed the attackers to penetrate the parliament's network of more than 5,600 machines, including administrative systems.
Citing unnamed sources, the German newspaper Sueddeutsche Zeitung reported that the German authorities were able to link the tools and malware used in this attack personally to Dmitry Badin, then a member of APT28.
Interestingly, the US authorities have previously linked Badin and 11 other alleged GRU officers to the 2016-2018 attacks on the US Democratic National Committee, the US Democratic Congressional Campaign Committee, individual members of the Hillary Clinton campaign headquarters, WADA, and others. Because of this, Badin is on the FBI's list of most wanted cybercriminals.
Now the EU authorities have imposed sanctions not only on Dmitry Badin, but also on Igor Kostyukov, the current head of the Main Directorate of the General Staff. EU officials said that Kostyukov is in charge of the 85th Main Center for Special Services of the GRU, as well as the well-known Unit 26165, which is, in fact, the hacking group APT28.
"This cyberattack targeted the parliament's information system and affected its operation for several days. A significant amount of data was stolen, and the mailboxes of several politicians, as well as Chancellor Angela Merkel, were affected," the EU said.
The persons on the sanctions list are banned from entering the territory of the European Union and Great Britain, and their assets in these countries have been frozen.