{
	"id": "7efac6c4-1a34-4ba0-ba87-4a1d08ded91c",
	"created_at": "2026-04-06T00:13:02.075609Z",
	"updated_at": "2026-04-10T13:11:48.430625Z",
	"deleted_at": null,
	"sha1_hash": "8c13671830767aa6915d23d636cbb6611c80ed05",
	"title": "Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36490,
	"plain_text": "Treasury Sanctions Russian Government Research Institution\r\nConnected to the Triton Malware\r\nPublished: 2026-02-13 · Archived: 2026-04-05 21:54:33 UTC\r\nPress Releases\r\nOctober 23, 2020\r\nWashington – Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated,\r\npursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian\r\ngovernment research institution that is connected to the destructive Triton malware. The Triton malware — known\r\nalso as TRISIS and HatMan in open source reporting — was designed specifically to target and manipulate\r\nindustrial safety systems. Such systems provide for the safe emergency shutdown of industrial processes at critical\r\ninfrastructure facilities in order to protect human life. The cyber actors behind the Triton malware have been\r\nreferred to by the private cybersecurity industry as “the most dangerous threat activity publicly known.”\r\n“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our\r\nallies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical\r\ninfrastructure of the United States from anyone attempting to disrupt it.”\r\nIn recent years, the Triton malware has been deployed against U.S. partners in the Middle East, and the hackers\r\nbehind the malware have been reportedly scanning and probing U.S. facilities. The development and deployment\r\nof the Triton malware against our partners is particularly troubling given the Russian government’s involvement in\r\nmalicious and dangerous cyber-enabled activities. Previous examples of Russia’s reckless activities in cyberspace\r\ninclude, but are not limited to: the NotPetya cyber-attack, the most destructive and costly cyber-attack in history;\r\ncyber intrusions against the U.S. energy grid to potentially enable future offensive operations; the targeting of\r\ninternational organizations such as the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; and the 2019 disruptive cyber-attack against the country of Georgia.\r\nTriton Malware\r\nIn August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton\r\nmalware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP\r\nCentral Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.\r\nThe Triton malware was designed to target a specific industrial control system (ICS) controller used in some\r\ncritical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The\r\nmalware was initially deployed through phishing that targeted the petrochemical facility. Once the malware gained\r\na foothold, its operators attempted to manipulate the facility’s ICS controllers. During the attack, the facility\r\nautomatically shut down after several of the ICS controllers entered into a failed safe state, preventing the\r\nmalware’s full functionality from being deployed, and prompting an investigation that ultimately led to the\r\ndiscovery of the malware. Researchers who investigated the cyber-attack and the malware reported that Triton was\r\ndesigned to give the attackers complete control of infected systems and had the capability to cause significant\r\nphysical damage and loss of life. In 2019, the attackers behind the Triton malware were also reported to be\r\nscanning and probing at least 20 electric utilities in the United States for vulnerabilities.\r\nTsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant\r\nactivities undermining cybersecurity against any person, including a democratic institution, or government on\r\nbehalf of the Government of the Russian Federation.\r\nAs a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within\r\nthe possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in\r\ntransactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons\r\nare also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves\r\nbe exposed to sanctions.\r\nView identifying information on the entity designated today.\r\nSource: https://home.treasury.gov/news/press-releases/sm1162",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/sm1162"
	],
	"report_names": [
		"sm1162"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c13671830767aa6915d23d636cbb6611c80ed05.pdf",
		"text": "https://archive.orkl.eu/8c13671830767aa6915d23d636cbb6611c80ed05.txt",
		"img": "https://archive.orkl.eu/8c13671830767aa6915d23d636cbb6611c80ed05.jpg"
	}
}