FireEye now says it has uncovered a strong link between the Triton intrusion –- the cybersecurity firm tracks this activity as TEMP.Veles –- and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government.
FireEye has presented several pieces of evidence that show a connection between Triton and the CNIIHM, and the company claims to be in possession of even more information that reinforces the link, but which has been withheld due to its sensitive nature.
FireEye has pointed out that while there is strong evidence suggesting that the Russian institute has been involved in the development of some tools used in the Triton attack, it does not claim that the entire Triton framework is the work of this organization.
There are several aspects that have led to FireEye assessing with “high confidence” that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. One of the most important clues is related to the testing of some TEMP.Veles tools in a malware testing environment — the security firm has not named the service, but one of the most widely used is VirusTotal.
FireEye’s researchers discovered that a user who has been active in the aforementioned testing environment since 2013 has on several occasions tested various tools, including many customized versions of widely available applications such as Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.
The goal was apparently to ensure that the custom versions would evade detection by security software. Researchers pointed out that many of the tools were used in TEMP.Veles attacks just days after being analyzed in the malware testing environment.