During the attack, the malware triggered a safety system that shut down operations. Had that not happened, the attackers could have set off a potentially deadly chain of events, FireEye researchers said.
“They could have had free rein to create dangerous conditions,” said John Hultquist, FireEye director of intelligence analysis. And they got close, he said.
The firm did not identify the plant’s owner, which had hired FireEye to do a forensic investigation.
FireEye said it linked the attack to the Central Scientific Research Institute of Chemistry and Mechanics through clues such as IP addresses and malware that revealed the online nickname of a hacker who worked for the lab.
The researchers also found computer code written in Cyrillic and noted that the attackers kept Moscow working hours — all potential signs the hackers were Russian.
The Russian Embassy in Washington did not respond to a request for comment Tuesday.
What made the attack potentially deadly was its use of a potent malware variant that FireEye has dubbed Triton. Though the firm has linked the institute to other malware strains used in the Saudi attack, it said, “We do not have specific evidence to prove” that the lab built Triton.
Nonetheless, Hultquist said, the link to the lab is highly suggestive of Russian government involvement.
“Russia has been extremely aggressive recently in U.S. and other global industrial control networks,” Hultquist said. “Shutting down a plant could lead to other unforeseen consequences. Anyone manipulating those safety systems could be endangering lives.”
In March, the Department of Homeland Security and the FBI issued a joint report alerting the public to Russian government targeting of energy, nuclear and other critical systems.
Security professionals are worried that the Triton malware could mark a dangerous escalation in global cyberwarfare, because it appears specifically made to sabotage a safety system whose sole purpose is to save lives by averting fatal incidents.
“FireEye’s attribution is certainly a strong possibility,” said Sergio Caltagirone, the director of threat intelligence for Dragos, a cyber firm that also has studied the malware. But, he noted, complex attacks such as this one could have required the efforts of more than one country.
Some security researchers, for instance, say it is possible that the Saudi operation was a joint effort by Russia and Iran.
The Kremlin has many reasons for targeting Saudi infrastructure, said Michael Carpenter, a former senior White House and Pentagon official who handled Russia policy. Among them, he said, Moscow sides with Tehran in the proxy war between Iran and Saudi Arabia, and it believes Riyadh is closely aligned with U.S. interests in the region. Moreover, he said, Moscow has an interest in driving global oil prices as high as possible to maximize Russian budget revenue and weaken Western economies.
“Probing for vulnerabilities within this one petrochemical plant is likely part of a broader effort to target Saudi oil production facilities,” Carpenter said.