

Russian Malware Was Apparently Used in an Attempt to Sabotage a Saudi Petrol Plant

Cybersecurity firm FireEye points the finger at the Russian government and a government-linked facility for creating destructive malware.

The hackers who created malware that is believed to have sabotaged a Saudi Arabian petrochemical plant last year were working for the Russian government, according to a new report by a cybersecurity firm.

Earlier this year, researchers revealed a new type of malware that reportedly could have made a Saudi plant explode. They called the malware Triton or Trisis. Now, security firm FireEye revealed in a blog post that the Russian government was behind Triton, after a German daily broke the news of the attribution.


“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow,” the company wrote.

John Hultquist, the director of intelligence at FireEye, wrote on Twitter that his company “has linked the Triton incident that inadvertently shutdown a plant when the actors were trying to disable safety systems to a Russian government institute.” (FireEye calls the group behind Triton “TEMP.Veles.”)


Triton is designed to sabotage industrial control systems made by Schneider Electric, which are often used in oil and gas facilities, as various companies revealed earlier this year. According to security firm Symantec, hackers used Triton in an attempt to damage the National Industrialization Company in Saudi Arabia in 2017.

When asked whether he agreed with FireEye’s assessment, Robert Lee, a former NSA analyst who founded the infrastructure security company Dragos, which also analyzed the Triton malware, said that “we don’t do attribution.”

FireEye went as far as pointing the finger at “a professor at CNIIHM” who allegedly worked on the malware, based on breadcrumbs the company found in the malware itself and on open source intelligence gathered from his social media accounts. The company, however, was careful in its attribution.

“While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool,” FireEye concluded in its blog post. “We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.”

Update: The headline on an earlier version of this piece noted that researchers were ‘confident’ that Russian hackers tried to destroy a Saudi petrol plant. FireEye’s report attributed the creation of the malware to the Russian government, but did not say what it was used for or who deployed it; the New York Times earlier reported that Triton was used in the attack on the Saudi petrol plant.
