On October 23, OFAC added the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) to its Specially Designated Nationals and Blocked Persons List because of TsNIIKhM’s involvement with Triton malware. TsNIIKhM is a Russian government-controlled research institution.

OFAC’s press release is available here.

The 2017 Triton Malware Attacks

Triton malware, which is also known as TRISIS and HatMan, is software designed to gain unauthorized access to, and manipulate, industrial control systems (ICS).

In August 2017, hackers utilized the Triton malware at a petrochemical plant in the Middle East to remotely take over the plant’s safety systems. The malware was initially deployed through phishing that targeted the petrochemical plant. Once the malware infiltrated the plant’s internal systems, the hackers targeted specific ICS controllers, which are designed to activate an emergency shutdown if a dangerous condition is detected.

Had the hackers succeeded, the 2017 Triton malware attacks could have resulted in significant physical damage and loss of life. Fortunately, the plant automatically shut down after several of the ICS controllers entered a failed safe state.

According to OFAC’s press release, TsNIIKhM supported the August 2017 cyber-attacks. Thus, OFAC designated TsNIIKhM pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA). In addition, OFAC noted that, in 2019, TsNIIKhM also allegedly scanned and probed at least twenty electric utilities in the United States to attempt to find vulnerabilities.

Other Cyber Attacks

Cyber-attacks on corporations have substantially increased in recent years. The Triton malware is merely one example of malicious software that hackers have used to target industrial control systems. Other examples include code that reportedly targeted Iranian nuclear facilities in 2010, and Industroyer, which targeted Ukraine’s power grid in 2016.

Ransomware attacks are another type of cyber-attack, where a company’s data is stolen or rendered inaccessible. Then, the attackers demand payment to restore the data and/or refrain from releasing it publicly. In our October 7 post, we discussed OFAC and FinCEN’s updated ransomware advisories. To learn how to ensure that your company’s cybersecurity plans and policies give appropriate consideration to possible US regulatory complications related to any possible ransomware payment, please click here.

We will continue to monitor developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.

Jonathan Cross
Counsel, New York
+1 917 542 7824

Brittany Crosby-Banyai
Associate, New York
+1 917 542 7837