{
	"id": "9e6b126a-04bf-4b0d-95f1-c863a48b7c20",
	"created_at": "2026-04-06T00:10:09.708971Z",
	"updated_at": "2026-04-10T03:37:36.633137Z",
	"deleted_at": null,
	"sha1_hash": "f6377275c9fe95563e9aeb8e9a2e08916a3ad1ad",
	"title": "The inside story of the world’s most dangerous malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 484814,
	"plain_text": "The inside story of the world’s most dangerous malware\r\nBy Blake Sobczak\r\nPublished: 2019-03-07 · Archived: 2026-04-05 21:29:01 UTC\r\nOn Aug. 4, 2017, at 7:43 p.m., two emergency shutdown systems sprang into action as darkness settled over the\r\nsprawling refinery along Saudi Arabia’s Red Sea coast.\r\nThe systems brought part of the Petro Rabigh complex offline in a last-gasp effort to prevent a gas release and\r\ndeadly explosion. But as safety devices took extraordinary steps, control room engineers working the weekend\r\nshift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.\r\nThe reasons for the sudden shutdown were still buried under zeros and ones, nestled deep within the code of the\r\ncompromised Schneider Electric safety equipment.\r\nInvestigators soon discovered a dangerous hacking tool that would usher in a new chapter in the global cyber arms\r\nrace, much like the Stuxnet worm that damaged Iranian nuclear centrifuges at the start of the decade. The\r\ndiscovery of the Triton malware, named for the Triconex line of safety systems it triggered, echoed from the\r\nancient Saudi city of Rabigh to a research institute in Moscow, and from California to Tokyo.\r\n\"Worst-case scenario here, you’re dealing with a potential release of toxic hydrogen sulfide gases, a potential for\r\nexplosions from high pressure, high temperature,\" said Julian Gutmanis, a cybersecurity contractor who sources\r\nsay led the Saudi Arabian Oil Co.’s investigation of the Triton intrusion.\r\n\"We considered the entire organization to be compromised,\" Gutmanis said at the S4 cybersecurity conference in\r\nMiami earlier this year, where he declined to name the target facility or even identify his employer. \"We had a\r\nvery sophisticated attacker. 
We knew that the systems, and the integrity of these systems, can no longer be\r\ntrusted.\"\r\nExperts say the same hackers behind the Saudi intrusion are probing U.S. petrochemical plants and refineries,\r\npositioning themselves for dangerous, even deadly, future strikes. Earlier this year, top U.S. intelligence officials\r\nwarned that multiple hacking groups, backed by foreign spy agencies, are poised to disrupt American electricity\r\nand pipeline networks in the event of war with the United States.\r\nThe intrusion in Saudi Arabia stands as the most brazen use of the Triton tool to hijack safety systems and to clear\r\nthe way for what could have been a lethal attack on a vast industrial complex. If taken to its extreme, the prospect\r\nof losing control of a major industrial plant echoes the 2005 BP PLC refinery explosion in Texas City, Texas,\r\nwhich killed 15 people.\r\nAt Petro Rabigh, access to digital safety backstops signaled to investigators that a team of hackers had also\r\nbreached the control system. They could seize the rest of the plant, and the outcome turned on the hackers’\r\nrestraint.\r\nhttps://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/\r\nPage 1 of 11\n\nToday, the Triton cyber espionage case is still shrouded in secrecy. Some of what’s known is buried in the notes of\r\nprivate cybersecurity firms that swooped in to investigate. And its lethal potential is talked about in U.S. security\r\ncircles and across the energy industry.\r\nThe story is told here in previously unreported detail, based on open-source intelligence, non-public documents\r\nobtained by E\u0026E News and extensive interviews. Many of the sources would speak only on the condition of\r\nanonymity because of the sensitive nature of investigations into an active cyber espionage group.\r\nThe poster child\r\nAerial view of the Petro Rabigh petrochemical and refinery complex. 
| Sumitomo Chemical Co.,\r\nLtd.\r\nPetro Rabigh is a 3,000-acre maze of steel pipes, hulking distillation towers and catalytic reformers, their\r\ndistinctive, red-and-white caps poking up like toxic candy canes. It is one of the biggest facilities of its kind in the\r\nworld.\r\nThe integrated chemical and refining complex produces more than 5 million tons of petrochemicals a year, from\r\nantifreeze to common plastics like polypropylene. It also churns out millions of barrels of refined products\r\nannually, including kerosene and gasoline. Situated along the Red Sea, Petro Rabigh has emerged as a major\r\nsupplier to African, Asian and European markets. The company was launched as a joint venture between the Saudi\r\nArabian Oil Co., the world’s biggest oil company — known as Saudi Aramco — and Tokyo-based Sumitomo\r\nChemical.\r\nThe facility stands as a poster child for Schneider Electric, one of the world’s top suppliers of industrial control\r\nequipment. The French company won an operations management contract with Petro Rabigh as it expanded in the\r\nlate 2000s.\r\nIn June 2017, on a Saturday during the Islamic holy month of Ramadan, Schneider Electric product specialists\r\nwere called in to assess an apparently malfunctioning Triconex unit. The safety device had tripped part of Petro\r\nRabigh offline, but it wasn’t clear why. Everything seemed to be working normally.\r\nTriconex equipment is designed to act, not to warn, like a home circuit breaker that trips automatically when\r\noutlets are dangerously overloaded. Triconex devices come loaded with a digital road map that allows them to\r\nconstantly scan for unsafe conditions. If enough devices agree something’s wrong, they won’t wait for a human\r\ngo-ahead. 
They’ll simply grind industrial processes to a halt.\r\nSchneider Electric specialists responded quickly to Petro Rabigh’s request to investigate. They ran tests on-site\r\nand pulled the glitchy shutdown controller back to the lab for more analysis.\r\nThey found nothing terribly unusual in June. The plant restarted, and things stayed quiet until August — on the\r\nsurface.\r\nThe Saudis’ ‘brief outage’\r\nAnalysts consider Schneider Electric’s response in June a missed opportunity to identify the hackers before the\r\nAugust outage.\r\nEngineers cast a wider net after the more dramatic August event. They found unusual communications beaconing\r\nout from the plant’s information technology network to its operational workstations, areas normally kept isolated\r\nfrom one another.\r\nPetro Rabigh called in a Saudi Aramco team to investigate, including Gutmanis, a soft-spoken Australian\r\ncybersecurity ace. Though Saudi Aramco wasn’t responsible for the plant’s security, the company’s 37.5 percent\r\nstake in Petro Rabigh, combined with close management ties, cleared the way for a rapid response. By this point,\r\nthe plant had entered a \"state of panic,\" as Gutmanis recounted. No one could rule out the possibility that the\r\nshutdown was the work of a malicious insider.\r\nSoon, Gutmanis and his responders unearthed the bundle of files that would later be called Triton. The plant was\r\nriddled with other malware, too. Nobody knew where it all came from.\r\nA poorly configured firewall gave remote attackers a foothold inside corporate computers, where they were able to\r\npivot to operational technology, the OT networks that housed Schneider Electric’s safety systems.\r\nThe insider threat theory looked less and less likely. Now, new fears emerged: Could the intruders have left digital\r\ntime bombs, armed and ready to go off as soon as the hackers lost their connection? 
Would they try to battle Petro\r\nRabigh’s digital defenders, as engineers there tried to cure the infected systems and bring the plant online again?\r\nThe plant stayed down for more than a week. While hardly an existential threat to a company that sells more than\r\n$9 billion annually, the blip hit the radar of energy industry observers and journalists in the region. In the tightly\r\ncontrolled Saudi mediascape, the financial news outlet Argaam declared on Aug. 14, 2017, that a \"brief outage\" at\r\nPetro Rabigh had been \"solved.\"\r\n‘High confidence’\r\nMoscow-based research institute CNIIHM has been accused of developing the tools needed to carry\r\nout a sophisticated cyber intrusion into a Saudi petrochemical facility in 2017. | Image capture June\r\n2017 ©2019 Google\r\nThe Triton case was far from solved.\r\nGutmanis and his team urged Petro Rabigh to contract a third party to take a deeper look. Aramco’s specialists\r\nweren’t able to tally the multiple infections or boot out the unknown hackers.\r\nSo Petro Rabigh hired U.S. cybersecurity firm FireEye Inc. for the job. The Milpitas, Calif.-based company has\r\ndeep business ties with the kingdom, including an office in Riyadh. Its flagship defensive software is installed in\r\nthe Saudi Ministry of Energy, Industry and Mineral Resources and parts of Aramco.\r\nThe incident response fell to FireEye subsidiary Mandiant, famed for having tied a series of cyber spying\r\noperations back to a Chinese military intelligence agency in 2013. That report cleared the way for U.S. law\r\nenforcement officials to bring cyber espionage charges against five People’s Liberation Army officers in 2014.\r\nBy the time the FireEye investigation began, Triton had already captured the attention of cybersecurity firms\r\ntracking the world’s most dangerous threats. 
The job of identifying hackers, then deciding who is privy to that\r\ninformation, has become a parlor game among private investigators, including FireEye, that operate outside the\r\npublic eye and with very little oversight. As the revolving door spins out of government intelligence agencies, the\r\npower and influence of well-heeled cybersecurity firms that arrive on the scene after a major hack is now\r\nindistinguishable from the U.S. government’s intelligence and security apparatus.\r\n\"They have global presence and the ability to collect an enormous amount of information,\" said Army Gen. Paul\r\nNakasone, head of the National Security Agency and the Defense Department’s U.S. Cyber Command, in a\r\nmilitary trade publication called Joint Force Quarterly. \"The products they produce often rival what we see being\r\ndone by the intelligence community.\"\r\nOn Oct. 23, 2018, FireEye published a version of its non-public analysis that attributed the 2017 Triton hack to a\r\nresearch institute in Moscow. FireEye went public after a German news outlet obtained a copy of the document.\r\nThe document laid out ties between the Triton malware and the Central Scientific Research Institute of Chemistry\r\nand Mechanics, known by its transliterated Cyrillic acronym, CNIIHM. 
FireEye had been tracking the group\r\nbehind the Triton intrusion long enough to link much of its activity back to an internet protocol address — and\r\neven a specific individual — at CNIIHM.\r\nAnalysts at FireEye assessed that the Russia-owned institute, located along the banks of the Moskva River, \"likely\r\npossesses the necessary institutional knowledge and personnel to assist in the orchestration and development\" of\r\nTriton.\r\nFireEye said a number of clues had fed the firm’s \"high confidence\" claim: for one, an IP address registered to the\r\nuniversity was used to browse open-source reports on Triton, suggesting an uncommon interest in this kind of\r\nmalware, according to FireEye.\r\nFireEye tracks the hacking outfit under the name TEMP.Veles.\r\nAnalysts acknowledged they couldn’t rule out that one or more CNIIHM employees acted without the institute’s\r\nknowledge or approval, but that seemed \"less plausible\" than the alternative. CNIIHM houses departments with\r\nexperience in military technology and critical infrastructure.\r\nOne of the CNIIHM researchers contributed to Russia’s version of Hacker magazine and made regular\r\nappearances on the international cybersecurity conference circuit, FireEye claimed. Several of the Russian\r\nresearchers have specialized IT skills, including digital forensics, reverse engineering and knowledge of how to\r\nexploit a computer’s memory. (Some of the Triton malware’s injects embedded themselves in the Schneider\r\nElectric device’s memory.)\r\nFireEye stopped short of naming a suspected Triton hacker. But it pointed to a unique handle buried deep in a\r\nTEMP.Veles tool that had been shared on a Russian social media site, as close to a smoking gun as the analysts\r\nwere likely to find.\r\nIn a separate analysis sent to customers, FireEye noted that entire teams within CNIIHM \"were possibly involved\"\r\nin the Triton hack. 
\"In the case of an intrusion with the mission of executing an attack on ICS processes, it would\r\nmake sense for multiple teams to be leveraged,\" FireEye concluded.\r\nFireEye issued caveats in both its customer and public reports: \"We do not have specific evidence to prove that\r\nCNIIHM did (or did not) develop\" the Triton tool itself, with its multiple parts. \"We infer that CNIIHM likely\r\nmaintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.\"\r\nEmails and calls to CNIIHM went unreturned, and three people currently or formerly affiliated with the institute\r\ndid not respond to requests for comment. A spokeswoman for a partner institution said in a statement that it was\r\nnot aware of any malicious activity at CNIIHM.\r\nAn August nightmare\r\nIn mid-August 2017, as the initial investigation ramped up, the Petro Rabigh hackers realized they’d been spotted.\r\nThey deleted traces of the Triton tool set from engineering workstations at the complex in a belated effort to cover their tracks.\r\nAt least six Triconex controllers had been compromised by the malware, which was built to replace operating\r\ncode and co-opt the safety equipment during an emergency. The hackers were only able to overwrite devices left\r\nin \"program\" mode.\r\nCircumstances around the August shutdown suggested the attackers didn’t mean to trigger the infected devices\r\nand set off an investigation, sources said. They meant to maintain persistent access on the machines, waiting for\r\nthe right moment to strike.\r\nBut now that they had been caught, the hackers weren’t about to give up access without a fight. 
When Petro\r\nRabigh’s security team changed user passwords and enabled two-factor authentication — a way of adding an extra\r\nstep for logging into accounts — the hackers were ready. They had already penetrated the corporate network, so\r\nthey were able to change phone numbers tied to certain accounts in Petro Rabigh contact lists. The updated phone\r\nnumbers redirected to websites controlled by the hackers, enabling them to capture and use any login codes sent to\r\nthe devices via text message.\r\nPetro Rabigh was living out any large organization’s cyber nightmare: It was squaring off against a highly\r\nsophisticated adversary, or perhaps multiple adversaries, that had demonstrated deep knowledge of their target’s\r\nsystems and the ability to shift tactics on a dime.\r\nThe attackers had also demonstrated they could pivot to Petro Rabigh’s control systems, a rare feat, and from there\r\ninstall a tailor-made tool to cut away a vital safety net.\r\nThe hackers apparently had no regard for the potential physical consequences to the petrochemical plant, or to the\r\nworkers inside it.\r\nAn important question remained: Who were they?\r\nThe Iranian narrative\r\nAs the FireEye specialists rehabilitated Petro Rabigh’s systems, they searched for digital breadcrumbs that would\r\nlater feed into their CNIIHM report.\r\nEvidence emerged that APT34 — APT referring to an \"advanced, persistent threat\" in cyberspace — had probed\r\nPetro Rabigh’s networks. The threat group, which private-sector cyber analysts have tied to the Iranian\r\ngovernment, is also known as OilRig because it tends to hit energy firms in the Middle East.\r\nOn the surface, APT34 looked to be a prime suspect for the Triton malware: Iran, a perennial foe of Saudi Arabia,\r\nwould have ample motive to target Saudi oil and gas facilities with destructive intent. 
It wouldn’t even be the first\r\ntime. In 2012, suspected Iranian hackers carried out the infamous Shamoon cyberattack on Saudi Aramco’s\r\ncorporate computers, wiping out files, emails and core operating software in tens of thousands of machines. The\r\nShamoon virus replaced the Windows startup page with an image of a burning American flag.\r\nAn intrusion into Petro Rabigh would fit with Iran’s reputation as an emerging cyber power. After suffering\r\ndamage to its nuclear enrichment facilities in Natanz due to the U.S.-deployed Stuxnet worm, the Iranian regime\r\nramped up investment in both defensive and offensive cybersecurity technologies, analysts say. What better way\r\nfor Tehran to demonstrate its hacking prowess than by striking at Saudi Arabia’s oil, gas and chemical sectors?\r\nPlus, Iranian hackers were actively targeting that sector, according to various cybersecurity reports. In July 2017,\r\nFireEye competitor CrowdStrike detected a malicious spear-phishing email targeting an employee at an\r\nunidentified Middle East petrochemical company. CrowdStrike tracks APT34 as Helix Kitten, a nod to Persian\r\ncats.\r\nBut Iranian hackers don’t have an extensive track record of breaching complicated industrial control networks.\r\nThe Russia connection\r\nEarly findings from the FireEye investigation into Triton complicated the Iranian narrative. The hackers had let\r\nslip a few clues that pointed toward Moscow, not Tehran.\r\nIn fall 2017, there wasn’t yet enough evidence to make a confident assessment. And the geopolitical math didn’t\r\nseem to add up: Relations between Russian President Vladimir Putin and Saudi Crown Prince Mohammed bin\r\nSalman were on the upswing that year. 
Saudi Arabia’s King Salman met with Putin in Moscow two months after\r\nthe Triton infection was discovered, joining what Putin reportedly described as \"substantive and meaningful\" talks\r\nbetween two of the world’s top oil producers.\r\nSome observers raised the prospect that Petro Rabigh could have been a target of convenience, offering a live test\r\nbed for Russian hackers to get their feet wet in industrial networks before moving on to their ultimate marks.\r\nAn attack on a Saudi petrochemical plant orchestrated out of the Kremlin looks \"quite strange,\" noted Dmitriy\r\nFrolovskiy, a Moscow-based political analyst and writer, in an email. \"With the current good level of relations between Putin and MBS, it is dubious that somebody from higher levels of the Kremlin would dare to issue an\r\norder to attack an object in [Saudi Arabia].\"\r\nIn 2017, Saudi Arabia was also exploring an initial public offering of Aramco, a tempting prospect for Russian\r\nenergy investors. Russian and Saudi companies were already teamed up on exports of liquefied natural gas from\r\nnew Arctic energy projects. On the other hand, Moscow had been expanding its footprint in petrochemicals. Petro\r\nRabigh’s location along the Red Sea gives it easier access to African and European markets, putting it in more\r\ndirect competition with Russia.\r\n\"Moscow was always interested in the Horn of Africa and saw it as a strategic location to affect global trade\r\nroutes,\" Frolovskiy pointed out. \"It still sees it this way.\"\r\nFacts on the ground at Petro Rabigh matched up with Russia’s playbook, based on U.S. intelligence assessments.\r\nBy prying into that facility with hacking tools and retaining the ability to disrupt supply routes, Russian hackers\r\ncould maximize Moscow’s options in the event of future conflicts.\r\nTop U.S. 
officials have warned of analogous Russian efforts to position themselves in U.S. critical infrastructure,\r\nkeeping their finger off the trigger until some wider dispute called for action.\r\nIn a 2016 analysis, then-U.S. Director of National Intelligence James Clapper said Russia was laying the\r\ngroundwork to bring down the grid or disrupt oil and gas facilities. Clapper’s successor in the Trump\r\nadministration, Dan Coats, offered a more plain-spoken assessment earlier this year:\r\n\"Moscow is now staging cyberattack assets to allow it to disrupt or damage U.S. civilian and military\r\ninfrastructure during a crisis,\" Coats said.\r\nName and shame\r\nEarly in 2018, the cybersecurity firm Dragos revealed that it had spotted the group behind the Triton malware\r\nchasing after other targets. Some of those targets included U.S. facilities, placing the malware in a new and\r\nalarming light for the U.S. Department of Homeland Security.\r\nDragos said the malware had a \"game-changing\" impact on the defense of large industrial plants. Its analysts\r\nadded that \"any modification\" to operating safety systems \"represents a significant risk and potential for damage\r\nor even loss of life.\"\r\nDHS placed Triton, which it called HatMan, in the ignominious company of the Stuxnet worm and the\r\nCrashOverride malware that disabled a major substation north of Kiev, Ukraine, in late 2016. 
But the agency\r\nadded that Triton \"surpasses both forerunners with the ability to directly interact with, remotely control, and\r\ncompromise a safety system — a nearly unprecedented feat.\"\r\nYet even at that scale, DHS, Schneider Electric and Dragos declined to name names and identify the bad actors\r\nresponsible for Triton.\r\nFireEye’s decision to name CNIIHM, and link an IP address there to Triton activity, reignited a debate in the\r\ninformation security community about the value of such details.\r\n\"As soon as you publish that stuff, you lose the source — it’s gone,\" said Jon DiMaggio, senior threat intelligence\r\nanalyst at Symantec Corp. \"They’re going to stop using that infrastructure.\"\r\nA fount of trackable, malicious activity dating back to 2014 was all but guaranteed to run dry.\r\n\"[FireEye] decided that the overall benefit to making the community aware of it outweighed that,\" DiMaggio\r\nnoted, adding that he, personally, didn’t have a problem with FireEye’s decision to publicize the CNIIHM\r\nconnection. Still, DiMaggio urged private firms in particular to tread lightly when posting information that could\r\ncast a cloud over individuals.\r\n\"If you get down to naming people and you’re wrong, then you really might be causing some issues,\" he said.\r\n\"Leave that for governments to do with their indictments.\"\r\nKatie Nickels, threat intelligence lead for MITRE Corp.’s ATT\u0026CK team, which categorizes malicious cyber\r\ntactics, said she sees a use for attribution. \"When people say ‘attribution,’ they mean different things. Some people\r\nmean the operator behind the keyboard. Others mean tying activity to a threat group,\" she said.\r\n\"As a defender, do I care if it’s North Korea or Russia, or another country? I’m not convinced,\" Nickels said. 
\"But\r\nI think at a minimum, there is value in tracking it back to a group or campaign.\"\r\nFireEye declined to comment beyond the public version of its Triton analysis.\r\nThe FBI has declined to comment on whether it is investigating CNIIHM or people affiliated with the institute,\r\nciting agency protocol.\r\n‘Preparing for an attack’\r\nThe shutdown at Petro Rabigh one and a half years ago stands as the most recent known example of a cyber\r\ndisruption to a major industrial safety and control system.\r\nOn Dec. 14, 2017, FireEye published its first Triton analysis for public consumption and offered a vague account\r\nof the August shutdown at Petro Rabigh, identified only as a \"critical infrastructure organization.\"\r\n\"We believe the activity is consistent with a nation state preparing for an attack,\" FireEye experts concluded.\r\nJohn Hultquist, director of intelligence analysis at U.S. cybersecurity firm FireEye, testified before\r\nthe House Homeland Security Committee on Feb. 26. FireEye and other private cybersecurity firms\r\nhave emerged as significant sources of intelligence about hackers that target U.S. infrastructure. 
|\r\nHouse Committee on Homeland Security\r\nSchneider Electric investigators carried out their own Triton investigation in parallel with Aramco and FireEye.\r\nWhat they found was a highly customized set of tools that could start from a Windows-based engineering\r\nworkstation and dig all the way into the device memory of a Tricon 3008 v10.3 controller, taking advantage of a\r\npreviously unknown vulnerability or \"zero day\" in the device along the way.\r\n\"This attack, this situation, has all the hallmarks of a nation-state attack,\" said Andrew Kling, the director of\r\ncybersecurity and architecture at Schneider Electric, at the 2018 S4 conference in Miami.\r\nKling described the attackers as having \"unlimited resources,\" sophisticated skills and plenty of time to map out\r\ntheir intrusion. Yet the malware had limitations, including glitches that ultimately led to its discovery and removal.\r\nAt its core, Triton carried a remote access Trojan, or RAT, a tool that gave hackers the ability to read and write\r\ncode on the infected safety systems. It was tailored to the specific model and firmware version installed at Petro\r\nRabigh.\r\nOuting a suspect\r\nThe hackers behind the 2017 attack remain active, and the intruders’ ultimate goal isn’t known, according to\r\nmultiple sources and cybersecurity firms. They’ve moved on to hitting vendors of industrial equipment, often\r\nusing \"off-the-shelf\" tools that are widely used.\r\nE\u0026E News reached out to several individuals affiliated with CNIIHM, including one who apparently updated a\r\npersonal website the day after the FireEye report went live last October.\r\nFireEye has withheld additional evidence contributing to its \"high confidence\" report, and it declined to comment\r\non the identity of one or more individuals its analysts linked to Triton activity.\r\nStill, it’s possible to draw a line from the clues FireEye dropped to at least two specific individuals. 
One\r\nresearcher affiliated with the Russian institute has been publicly active in cybersecurity circles since 2011, as\r\nnoted in the FireEye report, and E\u0026E News confirmed that he contributed to the Russian-language Hacker\r\nmagazine.\r\nThat person declined comment, citing a non-disclosure agreement with his employer. But a North America-based\r\ncybersecurity researcher who had worked on a project with this Russian national said nothing seemed out of the\r\nordinary.\r\n\"He likes to do security research and present the results to the community, just like many aspiring youngish and\r\ntalented researchers out there, from what I see,\" his collaborator said.\r\n\"But we never talked about our professional sides at all,\" the collaborator said. \"And I never know what he or\r\nanyone does, behaves and thinks outside of what I see.\"\r\nSource: https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"
	],
	"report_names": [
		"the-inside-story-of-the-worlds-most-dangerous-malware"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6377275c9fe95563e9aeb8e9a2e08916a3ad1ad.pdf",
		"text": "https://archive.orkl.eu/f6377275c9fe95563e9aeb8e9a2e08916a3ad1ad.txt",
		"img": "https://archive.orkl.eu/f6377275c9fe95563e9aeb8e9a2e08916a3ad1ad.jpg"
	}
}