“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” Treasury Secretary Steven T. Mnuchin said in a statement. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”
The lab — the Central Scientific Research Institute of Chemistry and Mechanics in Moscow — created the Triton malware, also known as Trisis and HatMan, used in an attack on a Saudi petrochemical facility in 2017 that resulted in tens of millions of dollars in lost production. Dozens of people could have been killed, but a coding error prevented the malware from working as intended, and a potential catastrophe was averted, experts said.
The lab is thought to have links to Russia’s GRU military spy agency.
The hackers who attacked the Saudi plant also have scanned and probed U.S. energy facilities, as well as oil and gas companies in Europe and the Persian Gulf, experts said. The Saudi plant was identified by E&E News in 2017 as Petro Rabigh.
The malware at Petro Rabigh was found almost by accident, said John Hultquist, senior director of intelligence analysis at the cybersecurity company Mandiant, which was among the firms called in to investigate the incident. The hackers tripped a safety system, causing the plant to shut down, which led to the cyber investigation, he said.
“This malware is a threat to human life,” Hultquist said. Mandiant in 2018 linked the malware to the Russian lab.
The sanctions are “a very significant move by the U.S. government,” said Robert M. Lee, a co-founder of Dragos, a cybersecurity firm that, like Mandiant, identified the malware. “It’s a good norm-setting moment. It’s a signal to say, ‘Hands off’ of industrial control equipment.”
The sanctions freeze any assets the institute holds in the United States, and Americans are barred from engaging in transactions with the lab.
It remains unclear why Russia would have targeted the Saudi plant.
The Treasury Department said in a news release that the use of the Triton malware “against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities.”
Just this week, the United States unsealed charges against GRU operatives in connection with the NotPetya cyberattack, the costliest cyber intrusion in history, which damaged institutions across the globe. Russian hackers also have targeted the U.S. energy grid, potentially to enable future offensive operations, as well as the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency.
Four years ago, the GRU hacked and leaked Democratic emails, disrupting the presidential election. Russian hackers also probed state and local election systems in 2016, penetrating several, though they did not alter votes or manipulate information.