XENOTIME / Triton Group
Described by Dragos as "easily the most dangerous threat activity publicly known," XENOTIME is the only threat actor ever confirmed to have intentionally targeted Safety Instrumented Systems — the last line of automated defense in industrial facilities designed to prevent explosions, fires, and chemical releases. The 2017 TRISIS attack on Petro Rabigh, a Saudi Aramco and Sumitomo Chemical joint venture refinery on Saudi Arabia's Red Sea coast, was the first cyberattack in history designed with the primary intention of causing physical casualties. Dragos CEO Robert M. Lee described TRISIS at the 2018 SecurityWeek ICS Cybersecurity Conference as "the first piece of malware specifically designed to kill people." The malware exploited a zero-day privilege-escalation vulnerability in Triconex Tricon firmware and installed the first remote access Trojan (RAT) ever deployed against SIS equipment. Subsequent operations expanded targeting to electric utilities in North America and Asia-Pacific, ICS manufacturers, and a second industrial facility. Evgeny Viktorovich Gladkikh — a programmer in TsNIIKhM's Applied Development Center (ADC), a Russian Ministry of Defense research institute — was indicted in June 2021. TsNIIKhM was sanctioned by OFAC in October 2020; Gladkikh, TsNIIKhM Director Sergei Bobkov, and Deputy Director Konstantin Malevanyy were individually sanctioned in March 2022. The FBI advises Triton "remains a threat."
Overview
XENOTIME occupies a singular position in the threat landscape. Every other threat actor profiled here — regardless of sophistication, state sponsorship, or historical impact — has operated within an implicit boundary: their cyber operations were designed to steal information, disrupt services, destroy data, or hold systems hostage. XENOTIME crossed a line that no documented threat actor had crossed before. In 2017, it deployed malware designed specifically to disable the last automated safety defenses in an operating petrochemical plant — systems that, if disabled, would allow an industrial accident to progress unchecked to catastrophic physical failure. The goal, according to every credible analysis, was to kill people. Dragos's characterization is precise: "Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack" — a consequence absent from all prior ICS attacks including the 2016 CRASHOVERRIDE attack on Ukraine's power grid. Robert M. Lee, Dragos CEO, stated it more directly at the 2018 SecurityWeek ICS Cybersecurity Conference: TRISIS was "the first piece of malware specifically designed to kill people."
Some readers notice a difference between Dragos's formal written language — "significant damage and loss of human life were either intentional or acceptable goals" — and Robert Lee's spoken conference statement that TRISIS was "designed to kill people." These are not contradictory; they reflect the difference between a precise analytical statement and a plain-language characterization. Dragos's written language is appropriately hedged because the forensic evidence establishes that disabling safety systems was the confirmed goal, but the specific physical consequence the attackers intended to produce (an explosion, a toxic release, or another incident) cannot be definitively established from the malware alone. The phrase "intentional or acceptable" is analytically precise: even if killing people was not the primary objective, designing malware to neutralize the systems that prevent industrial fatalities means accepting mass casualties as an acceptable outcome. Lee's "designed to kill people" is the correct plain-language summary of what that means in practice. This profile treats both formulations as accurate — one analytical, one direct.
The TRISIS malware (also known as TRITON and HatMan) targeted Schneider Electric's Triconex Safety Instrumented System (SIS) controllers — specifically Triconex Tricon hardware running firmware version 10.3 — at Petro Rabigh, a massive integrated petrochemical and refining complex on Saudi Arabia's Red Sea coast near the ancient city of Rabigh. Petro Rabigh is a joint venture between Saudi Aramco (37.5% stake) and Tokyo-based Sumitomo Chemical. The 3,000-acre complex produces more than five million tons of petrochemicals annually, including polypropylene and antifreeze, alongside millions of barrels of refined products. Its processes involve hydrogen sulfide and other toxic, pressurized materials. Safety Instrumented Systems are purpose-built, independently operated controllers that monitor process conditions and initiate emergency shutdowns if dangerous thresholds are crossed — shutting off valves, releasing pressure, and cutting power to pumps. They are deliberately separate from the primary Distributed Control System (DCS), engineered to function even if everything else fails. XENOTIME's TRISIS was designed to neutralize that last line while maintaining the appearance of normal operation — leaving operators unaware that their safety net had been cut.
The attack partially failed only because of a software bug. According to Schneider Electric's Andrew Kling, director of cybersecurity and software practices: "There was a mistake in the development of the malware that accidentally caused the Triconex to be tripped and taken to a safe state. As a result, this malware that was in development was uncovered." Blake Johnson of Mandiant confirmed: "The script was successful, but it backed itself out. We don't believe that was supposed to happen." Without that bug, XENOTIME's operators would have had full remote control of the SIS while plant processes continued running — free to disable safety shutoffs, modify safe operating parameters, and engineer whatever physical incident they chose. The potential worst-case scenario: a release of toxic hydrogen sulfide gases, explosions from high-pressure systems, or both. Julian Gutmanis, the incident responder who led Saudi Aramco's investigation, put it plainly: "We knew that we couldn't rely on the integrity of the safety systems. It was about as bad as it could get."
XENOTIME is attributed with high confidence by FireEye/Mandiant to TsNIIKhM (the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, also written CNIIHM) — a Russian government-owned technical research institute under the Ministry of Defense located in Moscow. More specifically, the attribution points to TsNIIKhM's Applied Development Center (ADC), the unit that publicly described itself as engaged in "research concerning information technology-related threats to critical infrastructure" — defensive framing for an organization developing destructive ICS attack tools. TsNIIKhM was sanctioned by US Treasury OFAC on October 23, 2020. On March 31, 2022, the Treasury issued additional individual designations against TsNIIKhM's General Director Sergei Alekseevich Bobkov and Deputy General Director Konstantin Vasilyevich Malevanyy, both of whom the Treasury stated played crucial roles in the attack. Evgeny Viktorovich Gladkikh, a 36-year-old ADC programmer, was indicted by a federal grand jury in June 2021 and named publicly in March 2022. Dragos confirmed the attacker had been inside the first victim's network since 2014 — three years of silent pre-positioning before the SIS attack.
A Safety Instrumented System is not a component of industrial process control — it is an independent, redundant, deliberately separate failsafe layer. When process conditions approach dangerous levels (over-pressurization, overheating, toxic gas buildup), the SIS overrides everything else and initiates emergency shutdown. Stuxnet disrupted centrifuge operations while hiding the disruption from operators. Industroyer/CRASHOVERRIDE cut power to Ukrainian grid substations. TRISIS was designed to disable the system that prevents an industrial plant from becoming a bomb. This is why Dragos and multiple ICS security professionals characterized it as the first malware designed with killing people as an objective.
TRISIS Technical Analysis
The same malware has three distinct names depending on which organization named it. Dragos named it TRISIS because it targets Schneider Electric's Triconex Safety Instrumented Systems. FireEye/Mandiant named it TRITON, also a reference to the Triconex product line. ICS-CERT (now CISA) named it HatMan based on an internal artifact in the malware binary. All three names refer to the same malware framework. This profile uses TRISIS as the primary name (consistent with Dragos's designation as the initial discoverer and the firm that has most extensively tracked the actor group behind it), with TRITON and HatMan used interchangeably as appropriate. Some legacy reporting and the DOJ indictment use "Triton" or "Trisis" interchangeably — the underlying subject is always the same framework. The MITRE ATT&CK for ICS technique mappings primarily use the name as referenced in each specific source.
TRISIS is one of only nine publicly confirmed malware families specifically designed to interact with and compromise industrial control systems — the others being Stuxnet (2010), Havex (2013), BlackEnergy2 (2014/2015), Industroyer/CRASHOVERRIDE (2016), INDUSTROYER2 (2022), PIPEDREAM/INCONTROLLER (2022), Fuxnet (2024), and FrostyGoop (2024). A tenth candidate, COSMICENERGY, was disclosed by Mandiant in 2023; its classification as a confirmed "deployed" ICS malware versus a tool with deployment potential is disputed among researchers, and some tallies include it while others do not. The near-universal takeaway — cited consistently by Dragos, Mandiant, and independent ICS security researchers — is that purpose-built ICS malware remains extraordinarily rare, making every new confirmed family a significant event. TRISIS sits among the original five families that predated the 2022-2024 expansion of this category. Its technical architecture reflects years of research investment in understanding the Triconex SIS platform's proprietary protocols, firmware structure, and communication mechanisms. Schneider Electric's forensic investigation at S4x18 confirmed that the attackers exploited a previously unknown zero-day privilege-escalation vulnerability in Triconex Tricon firmware — specifically in older versions, including version 10.3 installed at Petro Rabigh. Additionally, Schneider identified a remote access Trojan (RAT) embedded within the TRISIS framework — the first RAT ever confirmed to have infected safety-instrumented system equipment. Researchers at FireEye's Mandiant believe the attackers acquired a physical Triconex controller and TriStation 1131 software suite to test their malware against before deployment, because the framework was precisely calibrated to the specific model and firmware version installed at the target plant.
- Target System: Schneider Electric's Triconex Tricon safety programmable logic controller (PLC) — a triple modular redundant (TMR) SIS designed to maintain safe operation even through hardware failures. The Triconex system uses a proprietary protocol called TriStation for communication between engineering workstations and controllers via UDP over port 1502. TriStation is not publicly documented; there is no official specification for its structure. TRISIS implemented a custom reverse-engineered version of the TriStation protocol to communicate directly with SIS controllers. Mandiant's FireEye Advanced Practices Team confirmed that correctly implementing TriStation communications would have required significant reverse-engineering effort, possibly assisted by the TSAA (Triconex System Access Application) protocol, which shares structural similarities with TriStation and has published documentation.
- Zero-Day Privilege Escalation: Schneider Electric confirmed at the S4x18 ICS conference in January 2018 that TRISIS exploited a zero-day privilege-escalation vulnerability in older versions of Triconex Tricon firmware. This flaw allowed the malware to escalate to the highest privilege level of the controller, enabling direct manipulation of firmware in RAM. Schneider subsequently issued security patches for affected firmware versions and released a detection tool to identify compromised controllers. The root cause of exploitation was also tied to the physical key switch being left in Program mode, which Schneider documented as a prerequisite for the attack.
- Framework Architecture: TRISIS is a multi-component Python-based framework, not a single executable. Components include a custom Python script acting as the main controller, four Python modules providing framework functionality, and malicious shellcode containing an injector and payload. The modular design allows operators to develop and test individual components independently — which is exactly what CNIIHM's ADC operators were doing in a development testing environment that FireEye monitored. CISA's technical analysis documented multiple obfuscation layers: .NET protection, string reversal, character replacement, base64 encoding, and packing. Anti-analysis techniques include VM checks, sandbox detection and evasion, and anti-debugging.
- Embedded RAT: Schneider's forensic investigation identified a remote access Trojan embedded within the TRISIS framework — the first RAT ever confirmed to infect SIS equipment. The RAT operates at the highest privilege level of the controller, awaiting instructions from operators. Per Schneider's Andrew Kling: "Once it's set up and ready to go, the very moment [the attacker] wants the [safety] controller to not do what it's intended to do" — they can issue that command. The RAT provides operators with persistent read/write access to SIS controller memory and logic, independent of any process being actively running.
- Firmware Modification: TRISIS modifies the in-memory firmware of Triconex SIS controllers via the zero-day flaw — adding additional programming that provides the attacker with read/write access to memory contents and the ability to execute custom code. This firmware modification is the key capability: it gives operators the ability to issue custom commands to the SIS controller, including commands to prevent emergency shutdown initiation even when unsafe process conditions are detected. The modification was designed to persist in the SIS controller's active memory, invisible to plant engineers checking normal operational status.
- The Accidental Discovery: XENOTIME's intent was to deploy TRISIS silently and then use separate malware to cause the plant's primary processes to run in unsafe conditions — the SIS would appear to be monitoring normally while under attacker control and incapable of initiating protective shutdowns. Instead, a software bug in the TRISIS malware triggered fault detection in two Triconex controllers, causing them to enter a fail-safe shutdown state. Blake Johnson of Mandiant described it: "The script was successful, but it backed itself out. We don't believe that was supposed to happen." They either had not yet built or not yet deployed the follow-on payload that would have caused the physical incident. Had TRISIS deployed without triggering the fault, the attack would have proceeded invisibly. Note on terminology: Some sources — including Dragos's own early blog posts — describe this as an "apparent misconfiguration" or state the attack was prevented by "an apparent misconfiguration." Others describe it as a "software bug." These are not contradictory: Dragos used "misconfiguration" because from an outside analytical perspective, the operators appeared to have misconfigured their own tool; the Schneider Electric and Mandiant forensic findings described it as a bug in the malware code itself that caused unintended controller faults. Both characterizations describe the same event. This profile uses "software bug" because the forensic analysis concluded the fault arose from an error in the malware logic itself, not from the operators making an incorrect configuration choice. The operational result — unintended SIS shutdown that exposed the attack — is identical under either framing.
- Two Emergency Shutdowns: The Petro Rabigh attack caused two separate emergency shutdowns — the first on June 2, 2017, which occurred on a Saturday evening when fewer engineers were present and was subsequently misattributed to mechanical failure by Schneider Electric technicians who examined the logs. The second shutdown occurred on August 4, 2017, triggering the forensic investigation that uncovered TRISIS. As Julian Gutmanis stated at S4x19: "The June investigation was insufficient. They should have investigated what occurred in the plant. So the attackers got another two months unimpeded. They ran executables multiple times between June and July before the August incident." The plant shutdown lasted more than a week after the August event. Gutmanis also revealed in 2019 that the attack infected six engineering systems — not the two originally reported publicly.
- TRISIS as Blueprint: Dragos specifically noted that while TRISIS was highly tailored to the specific Triconex infrastructure at the target plant and is not directly scalable, "the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes." The 2019 discovery of XENOTIME activity at a second industrial facility — using elements of the same framework — confirmed this assessment. By 2018, Dragos had also documented XENOTIME targeting safety controllers other than Triconex, demonstrating active capability development beyond the original platform.
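The two controls the bullets above keep returning to, TriStation over UDP/1502 reaching the SIS from an unexpected host and the key switch left in Program mode, are both things a defender can watch for continuously. The following is an added monitoring example, not code from the original profile, Dragos, Schneider Electric or any investigation; the connection records, the asset inventory, the host addresses and the key-switch export are constructed sample data, and the assumption that a site keeps a key-position record (from a periodic walkdown or an SOE export) is mine.

```python
"""Flag TriStation (UDP/1502) sessions to Triconex SIS controllers from hosts
that are not approved engineering workstations, and controllers whose key
switch is recorded in PROGRAM without an approved change.

Added illustration: conn records, inventory and key-switch data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRISTATION_UDP_PORT = 1502  # TriStation engineering protocol (UDP/1502)

# Constructed asset inventory (assumption: the defender maintains one).
SIS_CONTROLLERS = {"10.20.1.10": "SIS-TRICON-01", "10.20.1.11": "SIS-TRICON-02"}
APPROVED_ENGINEERING_WS = {"10.20.1.50"}      # the only TriStation 1131 host
CORPORATE_NETS = [ip_network("10.1.0.0/16")]  # IT segment; must never reach UDP/1502

# Constructed Zeek-style conn records: "<ts> <src> <dst> <proto> <dport>"
CONN_LOG = """\
2017-06-02T18:02:11Z 10.20.1.50 10.20.1.10 udp 1502
2017-06-02T18:05:40Z 10.20.1.77 10.20.1.10 udp 1502
2017-06-02T18:06:02Z 10.1.4.23 10.20.1.11 udp 1502
2017-06-02T18:07:15Z 10.20.1.50 10.20.1.11 udp 1502
2017-06-02T18:09:00Z 10.20.1.50 10.20.1.10 tcp 502
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_conn_log(text: str) -> list[Conn]:
    """Parse whitespace-separated conn records; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        conns.append(Conn(ts, src, dst, proto.lower(), int(dport)))
    return conns


def find_unauthorized_tristation(conns: list[Conn]) -> list[dict]:
    """Alert on TriStation traffic to an SIS controller from any non-approved
    source. A corporate-segment source is rated critical: both the IT/OT
    boundary and the SIS network boundary have been crossed."""
    alerts = []
    for c in conns:
        if c.proto != "udp" or c.dport != TRISTATION_UDP_PORT:
            continue
        if c.dst not in SIS_CONTROLLERS or c.src in APPROVED_ENGINEERING_WS:
            continue
        from_corporate = any(ip_address(c.src) in net for net in CORPORATE_NETS)
        alerts.append({
            "ts": c.ts,
            "controller": SIS_CONTROLLERS[c.dst],
            "src": c.src,
            "severity": "critical" if from_corporate else "high",
        })
    return alerts


# Constructed key-switch export. PROGRAM permits remote logic/firmware
# download; RUN blocks it.
KEY_SWITCH = {"SIS-TRICON-01": "PROGRAM", "SIS-TRICON-02": "RUN"}
APPROVED_CHANGES: set[str] = set()  # controllers with an open, approved change


def find_key_switch_exposure(key_switch: dict, approved: set) -> list[str]:
    """Controllers left in PROGRAM with no approved change are exposed to
    remote reprogramming and should be returned to RUN."""
    return sorted(c for c, pos in key_switch.items()
                  if pos.upper() == "PROGRAM" and c not in approved)


if __name__ == "__main__":
    for a in find_unauthorized_tristation(parse_conn_log(CONN_LOG)):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['controller']} TriStation")
    for c in find_key_switch_exposure(KEY_SWITCH, APPROVED_CHANGES):
        print(f"[high] {c} key switch in PROGRAM with no approved change")
```

On the sample data the first check raises two alerts (an unexpected OT-segment host, and a corporate host reaching the SIS directly) and ignores the approved workstation and the Modbus/TCP record, while the second check names the one controller sitting in PROGRAM. The design point is that the allowlist is tiny on purpose: on a well-run SIS network the set of hosts permitted to speak TriStation is one or two engineering workstations, so anything else is an alert, not a tuning problem.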
Target Profile and Expansion
XENOTIME began with a focused operation against a single petrochemical facility but systematically expanded its target set following the 2017 incident — demonstrating that public exposure and sanctions did not deter continued operations.
- Petro Rabigh, Saudi Arabia (believed) — 2014–2017: The first and only confirmed TRISIS deployment. A note on naming: The DOJ indictment and all government documents refer only to "victim company 1" — a Saudi Arabian petrochemical refinery — and have not officially named the facility. The identification of the facility as Petro Rabigh comes from journalism and open-source research, most authoritatively the E&E News/Energywire reporting by Blake Sobczak (March 2019) and the reporting by Wired, which independently confirmed the target. FireEye, Dragos, and Schneider Electric have not officially named the victim. This profile, consistent with the consensus of responsible security research publications, refers to the facility as Petro Rabigh because it is the facility most specifically identified by independent journalism and corroborated across multiple sources, while noting this is not an official government confirmation. Dragos confirmed the attacker had been inside the network since 2014 — three years of patient pre-positioning, learning the plant's ICS architecture before deploying the SIS-targeting payload in 2017. The facility operated refinery processes involving hydrogen sulfide and other hazardous materials — substances that, if released through a safety system failure, posed serious risk to plant workers and the surrounding area.
- Second Industrial Facility — 2019: FireEye Mandiant disclosed at the Kaspersky Security Analyst Summit in April 2019 that it had discovered a second TRISIS attack — a full-blown active intrusion at another industrial organization, not yet publicly identified. The attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper toward the OT network. Elements of the TRISIS framework were identified. Unlike the first incident, this discovery occurred before the attackers could deploy the full SIS attack capability.
- ~12 Organizations — Early Stage Compromises (2018+): Dragos documented approximately 12 organizations whose networks were hit with XENOTIME early-stage attack tooling — primarily corporate IT network access and reconnaissance, with the attackers working toward OT network access. These were not TRISIS deployments but represented the precursor intrusion activity that preceded the Saudi facility attack. The organizations spanned oil and gas, but also included ICS equipment manufacturers.
- ICS Vendors and Manufacturers (2018): Dragos identified several compromises of ICS vendors and manufacturers by XENOTIME in 2018. This supply chain targeting mirrors Dragonfly's Havex strategy: compromising trusted vendors provides access to their customer base and provides intelligence about target facility configurations before direct attacks. A vendor compromise could enable XENOTIME to deliver malicious firmware or software updates to ICS installations worldwide.
- US and Asia-Pacific Electric Utilities (Late 2018–2019): Starting in late 2018, XENOTIME expanded beyond oil and gas — probing the networks of electric utility organizations in the United States and the Asia-Pacific region. Different public reports give slightly different scope figures: Dragos stated that XENOTIME had targeted "at least 20 electric utilities" in the US and APAC when presenting at the E-ISAC conference in mid-2019, while Dragos's written threat page describes the activity as "targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions." Both figures are from Dragos; the difference reflects different points in time as new targeting activity was identified. Neither figure implies confirmed intrusion into OT networks — Dragos documented reconnaissance and initial-access activity consistent with Stage 1 of the ICS Cyber Kill Chain, involving scanning for remote login portals and network resource enumeration, not confirmed OT compromise. No electric utility OT network intrusions by XENOTIME were publicly confirmed during this period. Dragos noted that electric utility environments also contain SIS-equivalent protection equipment that could be targeted using XENOTIME's established tradecraft.
- US Refineries (2018 — Failed Attempt): The DOJ indictment against Evgeny Gladkikh confirms that between February and July 2018 — just months after the Petro Rabigh attack was publicly disclosed — Gladkikh and co-conspirators researched US-based refineries and "unsuccessfully attempted to hack the U.S. company's computer systems." The research phase included obtaining a 1970s US Department of Defense research paper detailing refinery physical vulnerabilities, explosive effects, and capacity — specifically identifying which US facilities would cause maximum damage. The attempted US intrusion was the first documented case of XENOTIME targeting the US energy sector.
Tactics, Techniques & Procedures
XENOTIME's TTPs span both standard enterprise IT intrusion techniques for gaining corporate network access and highly specialized ICS-specific techniques for the OT targeting phase. The IT phase resembles many other APT intrusions; the OT phase is unique in documented threat history.
| MITRE ID | Technique | Description |
|---|---|---|
| T0857 (ICS) | System Firmware — SIS Firmware Modification | The defining TRISIS capability: direct modification of Triconex SIS controller in-memory firmware via the TriStation protocol. The modified firmware adds attacker-controlled code that allows read/write access to memory and custom command execution. This modification was designed to persist invisibly in the SIS controller's active memory, enabling operators to disable emergency shutdown functions on demand while the SIS appeared to be operating normally to plant engineers. This is the only documented case of deliberate SIS firmware modification by a threat actor. |
| T0877 (ICS) | I/O Image — SIS Controller Communication | TRISIS implemented a custom reverse-engineered version of Schneider Electric's proprietary TriStation protocol to communicate directly with Triconex SIS controllers. This required significant research investment: TriStation is not publicly documented, and implementing a functional protocol client required reverse engineering the protocol from captured network traffic and controller firmware analysis. The protocol implementation enables direct read/write access to the SIS controller's memory and logic. |
| T1078 | Valid Accounts — Credential Capture and Replay | XENOTIME used credential capture and replay as the primary lateral movement technique between IT and OT network segments — using legitimate credentials to authenticate to systems across network boundaries. Mandiant documented that the threat actor was present on the corporate network for at least one year before gaining access to the SIS engineering workstation. The long corporate network dwell time allowed systematic credential harvesting for accounts with OT network access. |
| T1059.006 | Python-Based Framework Execution | TRISIS is built entirely in Python — a multi-component framework including a custom Python script, four Python modules, and embedded shellcode. The Python implementation reflects CNIIHM's development environment and enables rapid framework modification. CISA's technical analysis documented that the malware is obfuscated using .NET with multiple layers including string reversal, character replacement, base64 encoding, and packing. Anti-analysis techniques include VM checks, sandbox detection/evasion, and anti-debugging. |
| T1569.002 | Service Execution — PSExec for Lateral Movement | Alongside proprietary tools, XENOTIME used standard Windows command-line tools and PSExec for lateral movement and remote execution on victim hosts — the same approach documented in Dragonfly, ALLANITE, and other ICS-targeting actors. Using PSExec with captured credentials allows remote command execution across network segments using legitimate Windows tools rather than exploit-based techniques, minimizing forensic artifacts and avoiding exploitation-based detection. |
| T1119 | Automated Collection — ICS Reconnaissance | Following the 2017 TRISIS incident, XENOTIME's expanded operations included "significant external scanning, network enumeration and open-source research of potential victims, combined with attempts at external access." The DOJ indictment documented research using a 1970s US government document cataloging refinery physical vulnerabilities, explosive impact radii, and facility capacity — using open-source intelligence to identify which facilities would cause maximum physical damage in a successful SIS attack. |
| T0887 (ICS) | Wireless Sniffing — Physical Key Exploitation | A documented contributing factor in the Petro Rabigh attack: workers at the facility had left physical keys controlling Triconex system access in a position that allowed remote software access. SIS controllers have hardware key switches that control whether the system can be reprogrammed remotely — key positions include "Run" (normal operation, remote programming disabled) and "Program" (remote programming enabled). The physical keys at the plant were in Program mode, which allowed TRISIS to communicate with and modify the SIS firmware remotely. Physical key management is a critical SIS security control that the Petro Rabigh staff had not enforced. |
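The T1078 and T1569.002 rows describe the IT-to-OT crossing: a valid account authenticating over the network to an OT host, then PSExec dropping its service. Both leave ordinary Windows events behind (a 4624 network logon and a 7045 service-install), so the crossing can be detected by correlating them per host. The example below is an added illustration, not part of the profile or of any vendor's forensic record; the event lines are constructed and simplified renderings of those two event IDs, and the host names, account names and segment addresses are invented.

```python
"""Correlate Windows events on OT hosts to surface IT-to-OT lateral movement:
a network logon (4624, LogonType=3) from the corporate segment followed by a
PSEXESVC service install (7045) on the same host.

Added illustration; the event lines below are constructed, not real telemetry."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IT_NETS = [ip_network("10.1.0.0/16")]              # corporate segment (assumed)
OT_HOSTS = {"ENG-WS-01", "ENG-WS-02", "DCS-HIST-01"}  # OT asset list (assumed)
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed events: "<ts> <host> <event_id> key=value ..."
EVENTS = """\
2017-05-11T02:14:03Z ENG-WS-01 4624 LogonType=3 User=svc_backup Src=10.1.4.23
2017-05-11T02:14:09Z ENG-WS-01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-05-11T02:20:40Z DCS-HIST-01 4624 LogonType=3 User=j.smith Src=10.20.1.50
2017-05-11T02:30:12Z ENG-WS-02 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-05-11T03:05:00Z DCS-HIST-01 4624 LogonType=3 User=svc_backup Src=10.1.4.23
2017-05-11T09:30:00Z ENG-WS-02 4624 LogonType=2 User=eng.op Src=-
"""


def parse_events(text: str) -> list[dict]:
    """Parse the simplified event lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": ts, "host": parts[1], "id": int(parts[2]), **fields})
    return sorted(events, key=lambda e: e["ts"])


def _from_it_segment(src: str) -> bool:
    try:
        return any(ip_address(src) in net for net in IT_NETS)
    except ValueError:  # "-" or a hostname rather than an address
        return False


def detect_it_to_ot_lateral_movement(events: list[dict]) -> list[tuple]:
    """Return (severity, host, reason) findings.
    critical: PSEXESVC install preceded (within the window) by a network logon
              from the corporate segment on the same OT host
    high:     PSEXESVC install on an OT host with no such logon
    medium:   corporate-segment network logon to an OT host, nothing following"""
    findings = []
    it_logons = [e for e in events
                 if e["id"] == 4624 and e.get("LogonType") == "3"
                 and e["host"] in OT_HOSTS and _from_it_segment(e.get("Src", "-"))]
    matched = set()
    for e in events:
        if e["id"] != 7045 or e["host"] not in OT_HOSTS:
            continue
        if e.get("ServiceName", "").upper() != "PSEXESVC":
            continue
        prior = [i for i, l in enumerate(it_logons)
                 if l["host"] == e["host"]
                 and timedelta(0) <= e["ts"] - l["ts"] <= CORRELATION_WINDOW]
        if prior:
            matched.update(prior)
            l = it_logons[prior[-1]]
            findings.append(("critical", e["host"],
                             f"PSEXESVC installed after network logon as {l['User']} from {l['Src']}"))
        else:
            findings.append(("high", e["host"],
                             "PSEXESVC installed with no correlated corporate logon"))
    for i, l in enumerate(it_logons):
        if i not in matched:
            findings.append(("medium", l["host"],
                             f"network logon from corporate host {l['Src']} as {l['User']}"))
    return findings


if __name__ == "__main__":
    for sev, host, why in detect_it_to_ot_lateral_movement(parse_events(EVENTS)):
        print(f"[{sev}] {host}: {why}")
```

The sample yields one critical finding (logon from the corporate segment followed six seconds later by PSEXESVC on the same engineering workstation), one high (a PSEXESVC install with no matching logon in the window, which still deserves a look because the service should never appear on an OT host), and one medium (a corporate-segment logon to the historian that went nowhere). The logon from the OT engineering workstation and the interactive console logon are correctly ignored.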
Attribution: TsNIIKhM, the ADC, and Evgeny Gladkikh
A measurable share of online commentary still asks whether TRITON/TRISIS was the work of Iran rather than Russia, and the question is worth addressing directly so readers understand why this profile states Russian attribution with confidence and not as one theory among equals.
When TRITON was publicly disclosed in December 2017, no firm had publicly attributed it to a specific state. CyberX, one of the first organizations to publish analysis, assessed with confidence that Iran was the likely actor — citing Saudi Arabia and Iran's adversarial relationship, Iran's prior destructive cyberattacks against Saudi Aramco (the 2012 Shamoon attack), and geopolitical motive. That assessment was reasonable based on the information available at the time and was widely reported. FireEye's initial December 2017 disclosure notably did not attribute the attack to any specific country, only stating that the techniques were consistent with prior activity attributed to Russian, Iranian, US, North Korean, and Israeli actors — a deliberately broad statement that some interpreted as keeping Iran in the frame.
In October 2018, FireEye published its attribution analysis linking TRISIS directly to TsNIIKhM (CNIIHM), a Russian Ministry of Defense research institute in Moscow. That report included specific technical evidence: a PDB path linked to a named individual, a TsNIIKhM IP address used in operational infrastructure, working-hour patterns consistent with Moscow Standard Time, and circumstantial evidence connecting the individual to TsNIIKhM specifically. Dragos's Joe Slowik offered a contemporaneous caution that private-sector attribution based on a single IP address and indirect indicators carries inherent uncertainty — a legitimate methodological point that does not undermine the overall analysis but is worth acknowledging.
What settles the attribution question, and why this profile does not hedge on the answer, is US government action: the Treasury Department sanctioned TsNIIKhM in October 2020 under CAATSA Section 224 for direct involvement in the attack; the DOJ indicted Evgeny Gladkikh (an ADC employee at TsNIIKhM) in June 2021; and Treasury further designated the General Director and Deputy General Director of TsNIIKhM in March 2022, stating explicitly that both played a crucial role in the August 2017 attack. These are not intelligence assessments by private security firms — they are formal US government legal and sanctions actions, backed by classified intelligence and subject to legal scrutiny. No US government body has attributed TRITON/TRISIS to Iran. CyberX's early Iran hypothesis, while historically notable as an example of attributional uncertainty, was superseded by the subsequent evidence base. The Russian-TsNIIKhM attribution is the correct, current, and legally supported conclusion.
FireEye's October 2018 attribution of TRISIS to TsNIIKhM (CNIIHM) was among the most methodologically detailed public ICS attribution analyses ever published. The evidence chain connected multiple independent technical and operational indicators to a specific individual at a specific sub-unit of a specific Russian government institute. US Treasury, DOJ, and FBI have each independently confirmed the attribution in official government actions and advisories.
- The Responsible Unit — Applied Development Center (ADC): FireEye and subsequent US government documents identify the specific responsible unit as TsNIIKhM's Applied Development Center (ADC). The ADC publicly described its mission as research concerning information technology threats to critical infrastructure — framed defensively, but the US Treasury stated that ADC employees, including Gladkikh, used ADC resources to prepare, support, and execute computer intrusions against energy facilities. Konstantin Vasilyevich Malevanyy, sanctioned individually in March 2022, was Chief of the ADC since at least January 2017 — making him the ADC head throughout the entire TRISIS development and deployment period.
- PDB Path to Developer Handle: A PDB (Program Database) path in a tested malware file contained what appeared to be a unique developer handle or username. This moniker was linked to a Russia-based individual active in Russian information security communities since at least 2011, credited with vulnerability research contributions to the Russian edition of Hacker Magazine. The same handle's social media profile showed the individual in proximity to Moscow throughout the profile history.
- TsNIIKhM Professor Identification: A now-defunct social media profile using the same handle identified the individual as a professor at TsNIIKhM, located near Nagatinskaya Street in Moscow's Nagatino-Sadovniki district. FireEye noted TsNIIKhM has at least two research divisions with directly relevant expertise: a Center for Applied Research focused on protecting critical infrastructure from destructive impacts, and a Center for Experimental Mechanical Engineering that develops weapons and researches enterprise safety in emergency situations — precisely the institutional knowledge base required to develop TRISIS.
- TsNIIKhM IP Address: An IP address registered to TsNIIKhM was used by TEMP.Veles operators for multiple operational purposes — monitoring open-source coverage of the TRISIS attack after disclosure, conducting network reconnaissance, and direct malicious activity in support of the TRISIS intrusion. Using the institutional IP address for operational monitoring is a significant OPSEC failure that directly linked TsNIIKhM to the active attack infrastructure.
- Working Hours Pattern: Activity patterns from TEMP.Veles operators were consistent with Moscow Standard Time working hours — another corroborating indicator tying operations to the Moscow timezone where TsNIIKhM is headquartered.
- Evidence Deletion Post-Attribution: After FireEye published its TsNIIKhM attribution report in October 2018, information about the institute began disappearing from its own website — photos, internal structural details, and information associated with specific IP addresses. FireEye reported this evidence deletion at the 2019 ICS Cyber Security Conference in Singapore, describing it as consistent with an institution that recognized it had been publicly identified and was attempting to reduce its documentary footprint.
- Evgeny Gladkikh — DOJ Indictment (June 2021, unsealed March 2022): On June 23, 2021, a federal grand jury in the District of Columbia returned a three-count indictment against Evgeny Viktorovich Gladkikh, 36, a computer programmer in TsNIIKhM's Applied Development Center, formally charging him for his role in the TRISIS deployment at "victim company 1" (widely attributed to Petro Rabigh — the DOJ does not name the victim facility by name in the indictment, though this is consistent with all public analysis pointing to Petro Rabigh) and for attempted intrusions against US refineries in 2018. The DOJ stated that the defendant and co-conspirators hacked the victim facility's systems between May and September 2017 — a timeframe that encompasses both the June 2 accidental first shutdown and the August 4 second shutdown that triggered the forensic investigation. The DOJ stated that Gladkikh and co-conspirators designed TRISIS "to prevent the refinery's safety systems from functioning — by causing the ICS to operate in an unsafe manner while appearing to be operating normally." The indictment further documents that Gladkikh personally planted backdoors, reviewed plant safety logs and past safety exercise results, familiarized himself with software versions on logging servers, and established the exact model and features of Triconex SIS devices — one of which controlled sulfur recovery and burner management processes where improper operation could cause toxic gas release or explosions. The three counts carry maximum sentences of 20 years, 20 years, and 5 years respectively — a combined maximum of 45 years. The indictment was unsealed March 24, 2022, simultaneously with the Dragonfly/Akulov indictment. A $10 million Rewards for Justice reward was announced at the same time.
- TsNIIKhM Institutional Sanctions — October 23, 2020: The US Treasury Department's OFAC sanctioned TsNIIKhM pursuant to Section 224 of CAATSA (Countering America's Adversaries Through Sanctions Act) for knowingly engaging in significant activities undermining cybersecurity on behalf of the Russian government. Secretary Steven Mnuchin stated: "The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies." The designation blocked all TsNIIKhM property interests within US jurisdiction and prohibited US persons from transacting with the institution.
- Individual Sanctions — March 31, 2022: Following the indictment unsealing, OFAC issued a second round of TsNIIKhM-related sanctions designating three individuals personally: Evgeny Viktorovich Gladkikh (the indicted programmer), Sergei Alekseevich Bobkov (TsNIIKhM's General Director since at least October 2017), and Konstantin Vasilyevich Malevanyy (Deputy General Director of TsNIIKhM; per separate TsNIIKhM organizational documentation, Malevanyy also served as Chief of the ADC, which is why some sources describe him as "ADC Chief" while official US government sanctions documents refer to him as "Deputy General Director"; both are accurate and refer to the same individual). The Treasury stated Bobkov and Malevanyy "work directly with military" clients and that both played a crucial role in the August 2017 Triton malware attack. These individual designations extended sanctions accountability from the institution to the specific leadership responsible for directing and overseeing the ADC's malicious operations.
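The working-hours indicator above is a routine analytic step in attribution work: convert the UTC timestamps of attacker-attributed actions into candidate local time zones and see which zone makes the activity look like an ordinary working week. The script below is an added example, not FireEye's code or data; the timestamps are constructed, and fixed UTC offsets stand in for named zones so it runs without a timezone database (Moscow has been UTC+3 year-round since 2014; the other candidates ignore daylight-saving shifts for simplicity).

```python
"""Score candidate time zones against attacker activity timestamps.

Added illustrative example (not from the page's sources). Given UTC
timestamps of operator actions, count how many fall in Mon-Fri 09:00-18:00
local time for each candidate UTC offset; the best-fitting offset is the
most plausible operator time zone. Fixed offsets avoid a tzdata dependency.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of hypothetical operator actions.
SAMPLE_EVENTS_UTC = [
    "2017-06-12T06:10:00Z", "2017-06-12T07:45:00Z", "2017-06-13T05:30:00Z",
    "2017-06-13T11:05:00Z", "2017-06-14T12:20:00Z", "2017-06-14T14:50:00Z",
    "2017-06-15T08:00:00Z", "2017-06-15T13:30:00Z", "2017-06-16T09:15:00Z",
    "2017-06-17T10:00:00Z", "2017-06-19T06:40:00Z", "2017-06-19T15:30:00Z",
]

# Candidate offsets in hours (assumed set; extend as needed).
CANDIDATE_OFFSETS = {
    "UTC+3 (Moscow, MSK)": 3,
    "UTC-5 (US Eastern, no DST)": -5,
    "UTC+8 (Beijing)": 8,
}

WORK_START_HOUR = 9   # inclusive
WORK_END_HOUR = 18    # exclusive


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts_utc: datetime, offset_hours: int) -> datetime:
    """Shift a UTC datetime into a fixed-offset local zone."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def in_working_hours(ts_utc: datetime, offset_hours: int) -> bool:
    """True if the action lands on a weekday between 09:00 and 18:00 local."""
    local = to_local(ts_utc, offset_hours)
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def score_offsets(events: list[str], candidates: dict[str, int]) -> dict[str, float]:
    """Fraction of events inside working hours for each candidate offset."""
    stamps = [parse_utc(e) for e in events]
    return {
        name: sum(in_working_hours(t, off) for t in stamps) / len(stamps)
        for name, off in candidates.items()
    }


def best_fit(events: list[str], candidates: dict[str, int]) -> tuple[str, float]:
    """Name and score of the offset that best explains the activity."""
    scores = score_offsets(events, candidates)
    name = max(scores, key=scores.get)
    return name, scores[name]


def hour_histogram(events: list[str], offset_hours: int) -> Counter:
    """Count of events per local hour of day for one offset (for plotting or eyeballing)."""
    return Counter(to_local(parse_utc(e), offset_hours).hour for e in events)


if __name__ == "__main__":
    for name, score in score_offsets(SAMPLE_EVENTS_UTC, CANDIDATE_OFFSETS).items():
        print(f"{name:28s} working-hours share = {score:.2f}")
    print("best fit:", best_fit(SAMPLE_EVENTS_UTC, CANDIDATE_OFFSETS))
```

A high working-hours share for one offset is corroborating, not conclusive: operators can shift schedules, and an actor aware of this indicator can deliberately work odd hours. It carries weight when, as in FireEye's analysis, it lines up with independent indicators such as the institutional IP address and the developer handle.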
Known Campaigns
The 2017 TRISIS attack on Petro Rabigh is the foundational XENOTIME operation and the most consequential ICS attack in terms of intent, if not impact. XENOTIME established a corporate network foothold at Petro Rabigh — a 3,000-acre integrated refining and petrochemical complex on Saudi Arabia's Red Sea coast, a joint venture between Saudi Aramco (37.5% stake) and Tokyo-based Sumitomo Chemical — by 2014, three years before the SIS attack. The attackers gained initial access via phishing and exploited a poorly configured firewall to pivot from the corporate IT network to the OT network. On Saturday evening June 2, 2017, the implanted TRISIS code accidentally triggered an emergency shutdown of one SIS controller. Schneider Electric technicians examined the system, pulled logs and diagnostics, attributed it to mechanical failure, and did not investigate further for cybersecurity indicators. This gave the attackers another two months of unimpeded access — during which they ran executables multiple times between June and July refining the deployment. On August 4, 2017, at 7:43 p.m., the second deployment triggered two emergency shutdowns, sending part of the complex offline in a fail-safe state. This shutdown initiated the forensic investigation that eventually uncovered TRISIS. Investigators, led by Julian Gutmanis working with Saudi Aramco, found the malware had infected six engineering systems — not the two initially reported publicly. The facility was shut down for more than a week. The potential worst case: release of toxic hydrogen sulfide from sulfur recovery operations, high-pressure explosions, or both. Gutmanis described the investigation: "We considered the entire organization to be compromised. We had a very sophisticated attacker. We knew that the systems, and the integrity of these systems, can no longer be trusted." Robert Lee of Dragos described TRISIS as "the first piece of malware specifically designed to kill people." The DOJ indictment designated the facility as "victim company 1."
FireEye Mandiant disclosed in April 2019 that it had identified a second active XENOTIME intrusion at an unidentified critical infrastructure organization — a full-blown, ongoing attack with elements of the TRISIS framework installed, not merely early-stage probing. In this intrusion, the attackers had been present on the corporate network for nearly a year before gaining access to an SIS engineering workstation. FireEye documented an expanded custom toolset not seen in the first attack: credential harvesting tools including SecHack and WebShell; a remote command execution tool called NetExec; and several backdoors based on OpenSSH, Bitvise, PLINK, and Cryptcat. FireEye noted the actors "attempted to reduce the chance of being observed during higher-risk activities by interacting with target controllers during off-hour times. This would ensure fewer workers were on site to react to potential alarms caused by controller manipulation." Dragos's Joe Slowik clarified that this second incident did not involve a new deployment of TRISIS itself — the discovery occurred before the attackers could deploy the full SIS attack capability. The identity and location of the second victim remain publicly unconfirmed. This disclosure confirmed XENOTIME's tradecraft had evolved between 2017 and 2019, with a richer and more operationally mature custom toolset for IT-side intrusion while preserving the SIS-targeting framework for the OT phase.
Despite the public disclosure of the Saudi Arabia attack in December 2017 and subsequent attribution research, XENOTIME immediately pivoted to targeting US energy infrastructure. Between February and July 2018, Gladkikh and co-conspirators researched US-based oil refineries — specifically obtaining a 1970s DOD research paper cataloging physical vulnerabilities, explosive effects, and capacity for US refinery sites. This open-source research was specifically aimed at identifying which US facilities would produce the most significant physical damage and casualty potential in a successful SIS attack. They then conducted unsuccessful intrusion attempts against a US company operating multiple refineries. The attempted US targeting represents the group's most direct threat to American critical infrastructure and was confirmed in the 2021 DOJ indictment.
Starting in late 2018, Dragos documented XENOTIME expanding beyond oil and gas to probe electric utility organizations in the US and Asia-Pacific — a targeting shift first detected by Dragos in February 2019. By June 2019, Dragos had identified targeting activity against at least 20 electric utilities in the US, with the group scanning for and enumerating remote login portals and network resources. Dragos stated: "XENOTIME is now targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions, and continues to target oil and gas worldwide." No confirmed successful intrusion into electric utility OT networks was documented at the time of disclosure. Dragos noted this made XENOTIME the first APT to have successfully transitioned ICS targeting from one industrial sector to another — a historically significant expansion. Joe Slowik of Dragos said the shift was "more brazen" with easily detectable scanning compared to the group's earlier, more discreet operations, and described it as signaling an intention to meet prerequisites for a future attack in the electric sector. Dragos's Sergio Caltagirone stated: "What was once considered an oil and gas threat is now an electric threat too. People will die, we just don't know when." Electric utilities operate SIS-equivalent protection systems that XENOTIME's established tradecraft could target with minimal modification.
Tools & Malware
- TRISIS (TRITON / HatMan): The signature ICS malware framework. Multi-component Python-based tool targeting Schneider Electric Triconex SIS controllers via reverse-engineered TriStation protocol. Exploits a zero-day privilege-escalation vulnerability in older Triconex Tricon firmware (confirmed present in firmware version 10.3). Installs a remote access Trojan (RAT) in the SIS controller at the highest privilege level — the first RAT ever confirmed to infect safety-instrumented system equipment. Three-stage architecture: initial Python framework, TriStation protocol client, and custom payload shellcode. Anti-analysis protections include .NET obfuscation, string reversal, character replacement, base64 encoding, VM checks, sandbox detection, and anti-debugging. One of only nine known ICS-specific malware families in documented threat history per Dragos's classification (Stuxnet, Havex, BlackEnergy2, CRASHOVERRIDE/Industroyer, TRISIS, Industroyer2, PIPEDREAM, Fuxnet, and FrostyGoop). Note: some research sources count CosmicEnergy (discovered 2023) as a tenth family; Dragos has not publicly included it in its official ICS malware count, as CosmicEnergy lacked sufficient maturity and contained errors at the time of analysis. The Dragos 2025 Year in Review report confirmed Fuxnet and FrostyGoop as the eighth and ninth known ICS malware families.
- SecHack (custom credential harvester): Documented by FireEye during its investigation of the second XENOTIME incident in 2019. A custom credential harvesting tool developed specifically for XENOTIME operations — distinct from commodity tools like Mimikatz — used to capture domain credentials for lateral movement across IT/OT network boundaries.
- WebShell (custom web shell): A custom web shell used for persistent access to victim web-facing systems, documented in the second incident. Combined with other backdoors to maintain multiple independent access paths into target networks.
- NetExec (custom remote execution tool): A custom remote command execution tool documented by FireEye in the second incident. Provides remote execution capability on victim hosts while the actors' custom tools "frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion," per FireEye's 2019 analysis.
- OpenSSH / Bitvise / PLINK / Cryptcat Backdoors: Multiple custom backdoors based on OpenSSH, Bitvise, PLINK (PuTTY Link), and Cryptcat documented in the second incident — providing redundant persistent access channels that survive individual backdoor discovery and removal. Using multiple backdoor technologies simultaneously ensures the attackers retain access even if one is detected.
- Custom Credential Capture Tools (first incident): Tailor-made credential gathering tools used in the first Petro Rabigh intrusion, documented by Dragos. Distinct from the SecHack tooling documented in the second incident, indicating ongoing custom tool development between operations.
- PSExec (Sysinternals): Used for remote execution and lateral movement on victim hosts across both documented intrusions — consistent with multiple ICS-targeting actors that prefer legitimate Windows tooling for IT-side operations to minimize forensic detection signals.
- Standard Windows Command-Line Tools: Dragos documented XENOTIME's use of standard Windows commands and command-line utilities — a living-off-the-land approach for the IT-side of the attack lifecycle that reduces the number of unique forensic artifacts while the custom tooling is reserved for OT-specific phases.
- Mimikatz: The commodity credential-dumping tool was identified alongside custom tools in the second incident, confirming XENOTIME's hybrid approach of pairing standard red-team tooling with bespoke capabilities.
- TriStation Protocol Client (custom, embedded in TRISIS): A reverse-engineered implementation of Schneider Electric's proprietary TriStation UDP protocol (port 1502). This component represents the most technically distinctive element of the XENOTIME toolkit — requiring deep understanding of a non-public industrial protocol and validated testing against physical Triconex hardware. FireEye researchers confirmed the implementation is functional and accurate, suggesting access to a physical Triconex controller and the TriStation 1131 software suite during development.
Indicators of Compromise
The indicators for this profile are drawn from CISA's Malware Analysis Report (MAR) HatMan: Safety System Targeted Malware (Update B), the CISA/DOE March 2022 advisory (AA22-083A), CrowdStrike and Dragos TRISIS analyses, FireEye's XENOTIME attribution research, and Schneider Electric's S4x18 forensic presentation. Full technical IOC sets (component hashes and file names) are available in CISA's HatMan MAR and are not reproduced here.
TRISIS specifically targets safety systems that are typically managed by engineering teams rather than security teams, and that run on dedicated SIS networks separate from standard OT monitoring. Conventional IT-based detection — EDR, SIEM, network IDS — may not monitor or have visibility into SIS network segments. Detecting XENOTIME activity in the SIS environment requires dedicated safety system monitoring capability. Detection of early-stage IT network activity (corporate network reconnaissance, credential harvesting, OT-boundary crossing) is the most viable defensive detection window.
Mitigation & Defense
XENOTIME remains active. The FBI advisory confirming TRISIS "remains a threat" and Dragos's continued tracking of the group point the same way: XENOTIME was explicitly listed among observed active threat groups in Dragos's 2023 OT Cybersecurity Year in Review, and Dragos's 2026 report (9th Annual, released February 2026, covering 2025 activity) confirms that Dragos now tracks 26 OT threat groups, with XENOTIME still confirmed active on Dragos's continuously maintained threat profile page. Organizations with Safety Instrumented Systems should therefore treat this as a current, ongoing threat requiring immediate defensive investment regardless of sector. The confirmed expansion to electric utilities means oil and gas operators are not the only at-risk population.
- Physical Key Management — Highest Priority: The Petro Rabigh attack was enabled in part by Triconex physical keys being left in Program mode, allowing remote software access to SIS controllers. Establish and enforce strict physical key management procedures: SIS controller keys should be in Run mode during all normal operations, Program mode should require documented authorization and a physical presence requirement, and key state should be logged and audited. This single physical control would have significantly complicated or prevented the TRISIS deployment. Schneider Electric has issued guidance on this, and it applies to Triconex and all other SIS vendors' hardware key controls.
- SIS Network Isolation: The SIS network should have zero network connectivity to corporate IT networks — no shared switches, no routed connections, no jump hosts with network connections to both. Even IT/OT segmentation that is standard for DCS networks is insufficient for SIS: the SIS must be completely air-gapped from any network that could provide an attacker traversal path. Monitor for any communication between IT network devices and SIS network devices. Any such traffic is a security incident requiring immediate investigation.
- TriStation Protocol Monitoring: Any TriStation protocol traffic (UDP port 1502) originating from any host other than the specifically authorized SIS engineering workstation should trigger an immediate alarm. In a properly secured environment, only one or two designated engineering workstations should ever generate TriStation traffic — and only during authorized maintenance windows. Deploy network monitoring in the SIS network segment specifically watching for TriStation connections from unexpected sources.
- Apply Schneider Electric's SIS Security Patches: Schneider Electric issued security patches for the Triconex vulnerabilities exploited by TRISIS following public disclosure. All Triconex Tricon installations should be at the current patched firmware version. Contact your Schneider Electric representative and CISA for current guidance on specific patch versions. For other SIS vendors (Emerson, Yokogawa, Honeywell), verify current security patch status with each vendor — TRISIS established that SIS platforms are now targeted, and all major vendors have since issued security bulletins and updates.
- SIS Anomaly Monitoring — Treat Unexplained Shutdowns as Security Events: The XENOTIME attack caused two emergency shutdowns before it was detected — and the first was attributed to mechanical failure rather than investigated as a security incident. Any unexplained SIS fault, unexpected controller reboot, or anomalous process shutdown should trigger both an engineering investigation and a security investigation simultaneously. Establish a protocol for concurrent engineering and security response to SIS anomalies. The engineering team alone will look for mechanical or process causes; the security team must simultaneously check for unauthorized access, configuration changes, or malware indicators.
- Threat Hunting for XENOTIME Pre-Positioning: XENOTIME spent three years on the corporate network before deploying TRISIS. Active threat hunting in the corporate IT environment — searching for credential harvesting activity, lateral movement toward OT-adjacent systems, and reconnaissance of ICS network architecture — can detect XENOTIME's pre-positioning phase long before it reaches the SIS environment. Organizations should hunt specifically for the behaviors documented in XENOTIME's IT-side TTPs: credential capture tools, Python execution on unexpected systems, and PSExec usage in unusual contexts.
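The SIS network isolation and TriStation monitoring items above reduce to two allowlist rules that can be run over flow records from the SIS segment: any IT-to-SIS (or SIS-to-IT) flow is an incident, and UDP/1502 traffic toward a controller is acceptable only from the designated engineering workstation and only inside a declared maintenance window. The script below is an added example of that logic, not code from Dragos, Schneider Electric or any plant; the subnets, host addresses, maintenance window and flow lines are all constructed.

```python
"""Allowlist checks for an SIS network segment over constructed flow records.

Added illustrative example. Flow lines are "<UTC ts> <src> <dst> <proto> <dport>"
in the style of a reduced NetFlow/Zeek conn export (constructed, not real data).
Rules:
  IT_SIS_CROSSOVER               - any flow between the IT range and the SIS range
  TRISTATION_UNAUTHORISED_SOURCE - UDP/1502 to an SIS host from a non-EWS source
  TRISTATION_OUTSIDE_WINDOW      - UDP/1502 from the EWS outside maintenance hours
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed for the example).
IT_NET = ip_network("10.10.0.0/16")
SIS_NET = ip_network("192.168.50.0/24")
AUTHORISED_SIS_EWS = {ip_address("192.168.50.10")}   # the one designated EWS
TRISTATION_PORT = 1502                               # TriStation runs over UDP/1502

# Declared maintenance window(s), UTC, half-open intervals (constructed).
MAINTENANCE_WINDOWS = [
    (datetime(2017, 8, 1, 8, 0, tzinfo=timezone.utc),
     datetime(2017, 8, 1, 12, 0, tzinfo=timezone.utc)),
]

# Constructed flow records: a normal maintenance session, then off-hours
# activity and IT hosts reaching into the SIS segment.
SAMPLE_FLOWS = [
    "2017-08-01T09:00:00Z 192.168.50.10 192.168.50.20 udp 1502",   # EWS, in window
    "2017-08-01T09:05:00Z 192.168.50.20 192.168.50.10 udp 40000",  # controller reply
    "2017-08-03T21:10:00Z 192.168.50.10 192.168.50.20 udp 1502",   # EWS, off-hours
    "2017-08-04T16:43:00Z 192.168.50.31 192.168.50.20 udp 1502",   # other SIS host
    "2017-08-04T16:44:00Z 10.10.5.23 192.168.50.31 tcp 445",       # IT -> SIS SMB
    "2017-08-04T16:50:00Z 10.10.5.23 192.168.50.20 udp 1502",      # IT -> controller
    "2017-08-04T16:51:00Z 10.10.5.23 10.10.7.8 tcp 445",           # IT internal
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow line into a Flow."""
    ts, src, dst, proto, dport = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(when, src, dst, proto.lower(), int(dport))


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts < end for start, end in MAINTENANCE_WINDOWS)


def evaluate(flow: Flow) -> list[str]:
    """Return the rule names a single flow violates (empty list if benign)."""
    alerts = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    crosses = (src in IT_NET and dst in SIS_NET) or (src in SIS_NET and dst in IT_NET)
    if crosses:
        alerts.append("IT_SIS_CROSSOVER")
    if flow.proto == "udp" and flow.dport == TRISTATION_PORT and dst in SIS_NET:
        if src not in AUTHORISED_SIS_EWS:
            alerts.append("TRISTATION_UNAUTHORISED_SOURCE")
        elif not in_maintenance_window(flow.ts):
            alerts.append("TRISTATION_OUTSIDE_WINDOW")
    return alerts


def scan(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Evaluate every line; yield (timestamp, src, dst, rule) per alert."""
    return [
        (flow.ts.isoformat(), flow.src, flow.dst, rule)
        for flow in map(parse_flow, lines)
        for rule in evaluate(flow)
    ]


def summarise(lines: list[str]) -> Counter:
    """Alert counts per rule, the shape a SIEM dashboard would show."""
    return Counter(rule for *_, rule in scan(lines))


if __name__ == "__main__":
    for ts, src, dst, rule in scan(SAMPLE_FLOWS):
        print(f"{ts}  {src:>14} -> {dst:<14}  {rule}")
    print(summarise(SAMPLE_FLOWS))
```

In production the flow source would be a SPAN/TAP feed or Zeek logs from the SIS switch, and a protocol-aware sensor would additionally decode TriStation function codes; the allowlist logic is the part that does not change. Note that the second rule deliberately fires even for a host inside the SIS range: an engineering workstation that is not the designated EWS talking TriStation is exactly the condition that preceded the 2017 shutdowns.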
XENOTIME's significance in the threat landscape is categorical, not merely severe. Every other threat actor profiled in this series — regardless of state sponsorship, technical sophistication, or historical impact — operated within a framework where cyber effects caused cyber harm: data stolen, systems disrupted, services degraded, money diverted. XENOTIME made a deliberate, resource-intensive, years-in-the-making decision to cross the threshold where cyber effects could directly kill workers at an industrial facility. The three-year pre-positioning, the custom TriStation protocol implementation, the CNIIHM institutional expertise — these are not the signatures of an accident or an escalation that happened by surprise. This was planned, developed, tested, and executed with the specific intent of creating conditions under which an industrial catastrophe would occur. The attack failed only because of a software bug, and that bug is the only reason this profile describes historical activity rather than a mass casualty event. Dragos CEO Robert Lee has consistently described XENOTIME as the line that separates "things we worried might happen" from "things we now know actors will do." The expansion to electric utilities means that the target list is every industrial organization with safety-critical systems — not just petrochemicals. The FBI's advisory that TRISIS "remains a threat" should be understood in that context: the actor exists, its capability exists, its targets have expanded, and the only reason the 2017 attack did not kill anyone is that the malware had a bug.
Sources & Further Reading
Primary government documents, vendor research, court filings, and firsthand incident reporting used to build this profile. All claims trace to at least one source listed here.
- Dragos — XENOTIME Threat Profile (primary source; continuously updated) — source for "easily the most dangerous threat activity publicly known" characterization, active tracking through 2022+
- U.S. Department of Justice — Four Russian Government Employees Charged (unsealed March 24, 2022) — includes Evgeny Viktorovich Gladkikh indictment: conspiracy and attempt to damage energy facility + conspiracy to commit computer fraud, maximum 45 years combined
- U.S. Treasury OFAC — Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware (October 23, 2020) — primary source for institutional TsNIIKhM (CNIIHM) CAATSA Section 224 designation
- U.S. Treasury OFAC — Treasury Targets Sanctions Evasion Networks and Russian Technology Companies (March 31, 2022) — individual designations of Gladkikh, Bobkov (TsNIIKhM General Director), and Malevanyy (Deputy General Director / ADC Chief)
- Mandiant (formerly FireEye) — TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attacker (October 2018) — primary CNIIHM attribution analysis including PDB path, developer handle, TsNIIKhM IP address, working hours, and evidence deletion
- CISA / ICS-CERT — Malware Analysis Report (MAR): HatMan — Safety System Targeted Malware (Update B) — full technical IOC set, malware architecture, component hashes, and forensic analysis
- CISA/FBI/DOE — Tactics, Techniques, and Procedures of Indicted Russian Cyber Actors Targeting the Energy Sector, AA22-083A (March 2022) — includes TRISIS alongside Dragonfly/Havex campaigns; FBI advisory that TRITON "remains a threat"
- MITRE ATT&CK for ICS — Group G0088: XENOTIME (current URL: attack.mitre.org) — TTP mappings used in this profile. Note: the legacy URL collaborate.mitre.org/attackics/index.php/Group/G0088 redirects or is retired; the current canonical URL is attack.mitre.org/groups/G0088/. MITRE Engenuity also selected XENOTIME as the adversary emulation scenario for its inaugural ATT&CK Evaluations for ICS, further validating XENOTIME's standing as the definitive ICS threat actor benchmark.
- E&E News / Blake Sobczak — The Inside Story of the World's Most Dangerous Malware (March 7, 2019) — primary source for Petro Rabigh plant details, August 4 timeline, Gutmanis quotes, and forensic investigation narrative
- Dark Reading — Triton/Trisis Attack Was More Widespread Than Publicly Known (S4 2019) — Gutmanis S4x19 presentation; source for six infected engineering systems, June 2 Saturday evening detail, Schneider's insufficient June investigation
- Dark Reading — Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in Its Safety Controller System, and a RAT (S4x18) — Schneider's Andrew Kling and Blake Johnson quotes; source for zero-day privilege escalation vulnerability, RAT, firmware version 10.3
- MIT Technology Review — Triton Is the World's Most Murderous Malware, and It's Spreading (March 2019) — Gutmanis "it was about as bad as it could get" quote; hydrogen sulfide/explosion worst case
- SecurityWeek — TRITON Hackers Hit Additional Critical Infrastructure Facility (April 2019) — FireEye custom toolset documentation for second incident: SecHack, WebShell, NetExec, OpenSSH/Bitvise/PLINK/Cryptcat backdoors
- Dragos — 2025 OT/ICS Cybersecurity Year in Review (8th Annual, released February 2025) — confirms Dragos continues to track 23 OT threat groups including XENOTIME; confirms Fuxnet and FrostyGoop as the 8th and 9th known ICS malware families
- Dragos — 2026 OT/ICS Cybersecurity Year in Review (9th Annual, released February 17, 2026) — Dragos now tracks 26 OT threat groups (11 active in 2025); three new groups added (SYLVANITE, PYROXENE, AZURITE); adversaries progressing from reconnaissance to active mapping of control loops and industrial processes. XENOTIME is not individually name-checked in the 2026 annual report narrative (which focuses on newly active groups), but remains confirmed in Dragos's actively maintained XENOTIME threat profile at dragos.com/threat/xenotime
- Dragos — 2023 OT Cybersecurity Year in Review — explicitly lists XENOTIME among active threat groups observed in 2022; confirms continued active tracking of XENOTIME as a monitored threat group
- SecurityWeek — US Charges Russian Hackers Over Infamous Triton, Havex Cyberattacks on Energy Sector (March 2022) — primary source for Robert M. Lee's characterization of Triton/Trisis as "the first piece of malware specifically designed to kill people" (stated at SecurityWeek's 2018 ICS Cybersecurity Conference); also source for Lee's advisory on the CISA/DOE mitigation guidance limitations
- TechCrunch — US charges four Russian spies for hacking Saudi oil facility and US nuclear power plant (March 2022) — source for Dragos senior adversary hunter Casey Brooks's assessment that the indictments are unlikely to deter XENOTIME: "These activity groups are well-resourced and can conduct continuous complex operations"
- DTIC / MITRE Corporation — Cyber Risk to Mission Case Study: Triton (approved for public release) — independent technical analysis of the Petro Rabigh attack timeline and precursor observables; confirms adversaries gained initial IT access by May 2017, at least 90 days before TRISIS deployment