The US Treasury has sanctioned a Russian government-funded research institute known as the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), saying it is ‘connected to the destructive Triton malware’ that was used to attack a petrochemical facility in the Middle East in 2017. The sanction prohibits people in the US from carrying out business with the research institute.

‘While the Russian government claims to be a responsible actor in cyberspace, it continues to engage in dangerous and malicious activities that threaten the security of the United States and our allies,’ said US Secretary of State Mike Pompeo. ‘We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions.’

The Treasury Department says the Triton malware was used to attack a petrochemical facility in Saudi Arabia in August 2017. According to the agency, the CNIIHM research institution is responsible for building customised tools that enabled the assault. Specifically, the malware tampered with the facility’s critical safety mechanisms. Fortunately, the oil refinery successfully defaulted to a failsafe shutdown.

The US security firm Firefly released a report in 2018 that linked a professor at the CNIIHM with Triton. An IP address used at the Russian institute also was apparently connected with the incident. The Treasury Department also claims the hackers behind Triton were reported to be ‘scanning and probing’ at least 20 electric utilities in the US for vulnerabilities in 2019.

Earlier this year, an audit by the congressional Government Accountability Office found that thousands of US chemical facilities are vulnerable to hacking attacks because they rely on antiquated cybersecurity guidance. The agency warned that a successful cyberattack against information and process control systems at chemical facilities can disrupt or shut down operations and lead to serious health consequences and even loss of life.