The US imposed sanctions on Russia’s Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) on October 23.
A FireEye report published in October 2018 identified CNIIHM as the possible author of the Triton malware.
The Triton malware, also known as Trisis or HatMan, was designed specifically to target one type of industrial control system (ICS) equipment: Schneider Electric Triconex Safety Instrumented System (SIS) controllers.
According to technical reports from FireEye, Dragos, and Symantec, the malware was distributed via phishing campaigns. Once it infected a workstation, it would search for SIS controllers on a victim’s network, and then attempt to modify the controller’s settings.
Researchers said Triton contained instructions that could either shut down a production process or allow SIS-controlled machinery to work in an unsafe state, creating a risk of explosions and endangering the lives of human operators.