October 25, 2020

OFAC designates Russian institution responsible for Triton malware cyberattacks

On October 23, 2020, the Department of the Treasury's Office of Foreign Assets Control designated the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution, pursuant to Section 224 of the Countering America's Adversaries Through Sanctions Act (CAATSA), for knowingly undermining an institution's cybersecurity on behalf of the Government of the Russian Federation. TsNIIKhM is responsible for the customized tools that were used to build the destructive malware Triton, also known as TRISIS and HatMan. Triton specifically targets industrial control systems at critical infrastructure facilities, with the aim of preventing safeguards such as immediate shutdown procedures from functioning in the event of an emergency at an electrical or petrochemical plant or other energy-generating operation.

Triton has recently been deployed against US companies in the Middle East, and in 2019 its operators were reportedly probing at least twenty US electric utilities for vulnerabilities. In 2017, Triton partially infiltrated a petrochemical facility in the Middle East; analysis of that incident allowed researchers to determine that the malware was designed to give attackers complete control over infected systems, with the potential to cause significant property damage and loss of life.

As a result of this designation, all US property related to this entity is blocked, and all transactions involving it are generally prohibited. In addition, any entity in the US that is owned fifty percent or more by a sanctioned entity is also blocked, and anyone who engages in transactions with these designated entities risks exposure to secondary sanctions.

Department of Treasury Press Release | CAATSA Designation