"FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post," the company said in a press release.
The company added that it had allegedly found traces proving that the TEMP.Veles group, which FireEye claimed is linked to Russia, had tested versions of the malicious software.
"Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person's online activity shows significant links to CNIIHM," FireEye claimed, adding that the behavior patterns of the TEMP.Veles group point to the Moscow time zone.
According to US media reports, the Triton intrusion was used to compromise the database of a Saudi Arabian petrochemical plant and to cause an explosion at the facility in 2017. The cyberassault failed because the hackers made a mistake in the computer code. The intrusion is thought to be the first ever case in which attackers managed to hack the security system of an industrial enterprise.
Russia has repeatedly faced accusations of hacking attempts to influence the elections in other countries and interfere in their domestic affairs. Moscow has repeatedly denied the accusations as baseless.