{
	"id": "c006723f-c9a3-4437-b38f-6b2fc428c623",
	"created_at": "2026-04-06T00:08:40.240334Z",
	"updated_at": "2026-04-10T03:34:42.440434Z",
	"deleted_at": null,
	"sha1_hash": "4f9ea104937bd8a2b0d1d82ee770973ad959bf74",
	"title": "TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4296257,
	"plain_text": "TRITON Attribution: Russian Government-Owned Lab Most\r\nLikely Built Custom Intrusion Tools for TRITON Attackers |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2018-10-23 · Archived: 2026-04-05 12:42:38 UTC\r\nWritten by: FireEye Intelligence\r\nOverview\r\nIn a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a\r\ncritical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide\r\nadditional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian\r\ngovernment-owned research institute.\r\nTRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute\r\nFireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was\r\nsupported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ),\r\na Russian government-owned technical research institution located in Moscow. The following factors supporting\r\nthis assessment are further detailed in this post. We present as much public information as possible to support this\r\nassessment, but withheld sensitive information that further contributes to our high confidence assessment.\r\n1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This\r\nincludes testing multiple versions of malicious software, some of which were used by TEMP.Veles during\r\nthe TRITON intrusion.\r\n2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific\r\nperson in Moscow. This person’s online activity shows significant links to CNIIHM.\r\n3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including\r\nmonitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support\r\nof the TRITON intrusion.\r\n4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where\r\nCNIIHM is located.\r\n5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in\r\nthe orchestration and development of TRITON and TEMP.Veles operations.\r\nWhile we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles\r\nactivity without their employer’s approval, the details shared in this post demonstrate that this explanation is less\r\nplausible than TEMP.Veles operating with the support of the institute.\r\nhttps://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html\r\nPage 1 of 6\r\nDetail\r\nMalware Testing Activity Suggests Links between TEMP.Veles and CNIIHM\r\nDuring our investigation of TEMP.Veles activity, we found multiple unique tools that the group deployed in the\r\ntarget environment. Some of these same tools, identified by hash, were evaluated in a malware testing\r\nenvironment by a single user.\r\nMalware Testing Environment Tied to TEMP.Veles\r\nWe identified a malware testing environment that we assess with high confidence was used to refine some\r\nTEMP.Veles tools.\r\nAt times, the use of this malware testing environment correlates to in-network activities of TEMP.Veles,\r\ndemonstrating direct operational support for intrusion activity.\r\nFour files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat\r\nbinaries indicates that the actor continually modified them to decrease AV detection rates. One of\r\nthese files was deployed in a TEMP.Veles target’s network. The compiled version with the least\r\ndetections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles\r\nactivities in the target environment.\r\nTEMP.Veles’ lateral movement activities used a publicly available PowerShell-based tool,\r\nWMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple\r\nvictim systems, potentially due to AV detection. Soon after, the customized utility was again\r\nevaluated in the malware testing environment. The following day, TEMP.Veles again tried the utility\r\non a compromised system.\r\nThe user has been active in the malware testing environment since at least 2013, testing customized\r\nversions of multiple open-source frameworks, including Metasploit, Cobalt Strike, PowerSploit, and other\r\nprojects. The user’s development patterns appear to pay particular attention to AV evasion and alternative\r\ncode execution techniques.\r\nCustom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically\r\nweaponized versions of legitimate open-source software, retrofitted with code used for command and\r\ncontrol.\r\nTesting, Malware Artifacts, and Malicious Activity Suggest Tie to CNIIHM\r\nMultiple factors suggest that this activity is Russian in origin and associated with CNIIHM.\r\nA PDB path contained in a tested file contained a string that appears to be a unique handle or user name.\r\nThis moniker is linked to a Russia-based person active in Russian information security communities since\r\nat least 2011.\r\nThe handle has been credited with vulnerability research contributions to the Russian version of\r\nHacker Magazine (хакер).\r\nAccording to a now-defunct social media profile, the same individual was a professor at CNIIHM,\r\nwhich is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow.\r\nAnother profile using the handle on a Russian social network currently shows multiple photos of the\r\nuser in proximity to Moscow for the entire history of the profile.\r\nSuspected TEMP.Veles incidents include malicious activity originating from 87.245.143.140, which is\r\nregistered to CNIIHM.\r\nThis IP address has been used to monitor open-source coverage of TRITON, heightening the\r\nprobability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities.\r\nIt also has engaged in network reconnaissance against targets of interest to TEMP.Veles.\r\nThe IP address has been tied to additional malicious activity in support of the TRITON intrusion.\r\nMultiple files have Cyrillic names and artifacts.\r\nFigure 1: Heatmap of TRITON attacker operating hours, represented in UTC time\r\nBehavior Patterns Consistent with Moscow Time Zone\r\nAdversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow, lending some\r\nfurther support to the scenario that CNIIHM, a Russian research organization in Moscow, has been involved in\r\nTEMP.Veles activity.\r\nWe identified file creation times for numerous files that TEMP.Veles created during lateral movement on a\r\ntarget’s network. These file creation times conform to a work schedule typical of an actor operating within\r\na UTC+3 time zone (Figure 1), supporting a proximity to Moscow.\r\nFigure 2: Modified service config\r\nAdditional language artifacts recovered from TEMP.Veles toolsets are also consistent with such a regional\r\nnexus.\r\nA ZIP archive recovered during our investigations, schtasks.zip, contained an installer and\r\nuninstaller of CATRUNNER that includes two versions of an XML scheduled task definition for a\r\nmasquerading service ‘ProgramDataUpdater.’\r\nThe malicious installation version has a task name and description in English, and the clean\r\nuninstall version has a task name and description in Cyrillic. The timeline of modification dates\r\nwithin the ZIP also suggests the actor changed the Russian version to English in sequential order,\r\nheightening the possibility of a deliberate effort to mask its origins (Figure 2).\r\nFigure 3: Central Research Institute of Chemistry and Mechanics (CNIIHM) (Google Maps)\r\nCNIIHM Likely Possesses Necessary Institutional Knowledge and Personnel to Create TRITON and Support TEMP.Veles\r\nOperations\r\nWhile we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to\r\nprove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional\r\nexpertise needed to develop and prototype TRITON based on the institute’s self-described mission and other\r\npublic information.\r\nCNIIHM has at least two research divisions that are experienced in critical infrastructure, enterprise safety,\r\nand the development of weapons/military equipment:\r\nThe Center for Applied Research creates means and methods for protecting critical infrastructure\r\nfrom destructive information and technological impacts.\r\nThe Center for Experimental Mechanical Engineering develops weapons as well as military and\r\nspecial equipment. It also researches methods for enabling enterprise safety in emergency situations.\r\nCNIIHM officially collaborates with other national technology and development organizations, including:\r\nThe Moscow Institute of Physics and Technology (PsyTech), which specializes in applied physics,\r\ncomputing science, chemistry, and biology.\r\nThe Association of State Scientific Centers “Nauka,” which coordinates 43 Scientific Centers of the\r\nRussian Federation (SSC RF). Some of its main areas of interest include nuclear physics, computer\r\nscience and instrumentation, robotics and engineering, and electrical engineering, among others.\r\nThe Federal Service for Technical and Export Control (FTEC), which is responsible for export\r\ncontrol, intellectual property, and protecting confidential information.\r\nThe Russian Academy of Missile and Artillery Sciences (PAPAH), which specializes in research and\r\ndevelopment for strengthening Russia’s defense industrial complex.\r\nInformation from a Russian recruitment website, linked to CNIIHM’s official domain, indicates that\r\nCNIIHM is also dedicated to the development of intelligent systems for computer-aided design and control,\r\nand the creation of new information technologies (Figure 4).\r\nFigure 4: CNIIHM website homepage\r\nPrimary Alternative Explanation Unlikely\r\nSome possibility remains that one or more CNIIHM employees could have conducted the activity linking\r\nTEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely.\r\nIn this scenario, one or more persons – likely including at least one CNIIHM employee, based on the\r\nmoniker discussed above – would have had to conduct extensive, high-risk malware development and\r\nintrusion activity from CNIIHM’s address space without CNIIHM’s knowledge and approval over multiple\r\nyears.\r\nCNIIHM’s characteristics are consistent with what we might expect of an organization responsible for\r\nTEMP.Veles activity. TRITON is a highly specialized framework whose development would be within the\r\ncapability of a low percentage of intrusion operators.\r\nSource: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"
	],
	"report_names": [
		"triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f9ea104937bd8a2b0d1d82ee770973ad959bf74.pdf",
		"text": "https://archive.orkl.eu/4f9ea104937bd8a2b0d1d82ee770973ad959bf74.txt",
		"img": "https://archive.orkl.eu/4f9ea104937bd8a2b0d1d82ee770973ad959bf74.jpg"
	}
}