{
	"id": "fd62058d-d86f-4e3f-ab32-5df695f64738",
	"created_at": "2026-04-06T00:21:46.04476Z",
	"updated_at": "2026-04-10T03:34:42.438931Z",
	"deleted_at": null,
	"sha1_hash": "ce2ea217819dc0fdc1276bd6523bda0b52e682c1",
	"title": "US Treasury sanctions Russian research institute behind Triton malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1459367,
	"plain_text": "US Treasury sanctions Russian research institute behind Triton malware\r\nBy Catalin Cimpanu\r\nPublished: 2020-10-23 · Archived: 2026-04-05 21:06:52 UTC\r\nCNIIHM, Moscow\r\nImage: Google Maps\r\nThe US Treasury Department announced sanctions today against a Russian research institute for its role in developing Triton, a malware strain designed to attack industrial equipment.\r\nSanctions were levied today against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).\r\nA FireEye report published in October 2018 identified CNIIHM as the possible author of the Triton malware.\r\nThe Triton malware, also known as Trisis or HatMan, was designed to target one specific type of industrial control system (ICS) equipment: Schneider Electric Triconex Safety Instrumented System (SIS) controllers.\r\nAccording to technical reports from FireEye, Dragos, and Symantec, the malware was distributed via phishing campaigns. Once it infected a workstation, it would search for SIS controllers on the victim's network and then attempt to modify the controllers' settings.\r\nResearchers said Triton contained instructions that could either shut down a production process or allow SIS-controlled machinery to keep running in an unsafe state, creating a risk of explosions and a risk to the lives of human operators.\r\nTriton almost caused an explosion at a Saudi petrochemical plant\r\nThe malware was first spotted after it was deployed in 2017 during an intrusion at a Saudi petrochemical plant owned by Tasnee, a privately owned Saudi company, where it almost caused an explosion.\r\nSince then, the malware has been deployed against other companies. Furthermore, the group behind the malware (known as TEMP.Veles or Xenotime) has also been seen \"scanning and probing at least 20 electric utilities in the United States for vulnerabilities,\" the US Treasury said today in a press release.\r\nToday's sanctions prohibit US entities from engaging with CNIIHM and also seize any of the research institute's US-based assets.\r\n\"The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,\" said Secretary Steven T. Mnuchin. \"This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.\"\r\nThis style of sanctioning is significant and honestly entirely appropriate against those involved in the first ever cyber attack to intentionally try to kill people in civilian infrastructure. #TRISIS #TRITON https://t.co/dVzAn0kusq\r\n— Robert M. Lee (@RobertMLee) October 23, 2020\r\nToday's Treasury sanctions end a week from hell for Russian state-sponsored hacking groups. On Monday, the US Department of Justice filed charges against six hackers who are part of the Sandworm group, believed to have created the NotPetya, KillDisk, BlackEnergy, and OlympicDestroyer malware.\r\nOn Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) exposed a recent hacking campaign by a Russian hacking group known as Energetic Bear.\r\nOn the same day, the EU also imposed sanctions on two Russian intelligence officers for their role in the 2015 German Parliament hack.\r\nBut as several security researchers pointed out on Twitter shortly after the Treasury announcement, the US may not have the moral high ground, mainly because the US pioneered attacks against industrial systems through its work on and deployment of the Stuxnet malware against Iran's nuclear program in 2010.\r\nThey… uh… the Treasury realizes that we don’t really have the high ground to stand on here… right?\r\n*cough* Stuxnet *cough*\r\n— MikeTalonNYC (@MikeTalonNYC) October 23, 2020\r\nSource: https://www.zdnet.com/article/us-treasury-sanctions-russian-research-institute-behind-triton-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/us-treasury-sanctions-russian-research-institute-behind-triton-malware/"
	],
	"report_names": [
		"us-treasury-sanctions-russian-research-institute-behind-triton-malware"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce2ea217819dc0fdc1276bd6523bda0b52e682c1.pdf",
		"text": "https://archive.orkl.eu/ce2ea217819dc0fdc1276bd6523bda0b52e682c1.txt",
		"img": "https://archive.orkl.eu/ce2ea217819dc0fdc1276bd6523bda0b52e682c1.jpg"
	}
}