FireEye Intelligence Report: TRITON Activity May Have Ties to Kremlin-backed Threat Actors

Created: Thursday, October 25, 2018 - 12:55
Categories: Cybersecurity

FireEye Intelligence has publicly disclosed information strongly suggesting that activity linked to TRITON is associated with a Russian government-owned technical research institution. In its recent report, FireEye explains the several factors behind its assessment that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ) is associated with the development of the secondary malware strains (activity now dubbed TEMP.Veles by FireEye) that aided the deployment of the primary TRITON payload last November against a Saudi Arabian petrochemical plant. ICS forensic firm Dragos tracks activity related to TRITON/TRISIS as XENOTIME, and considers it “easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems.” Threat activity attribution is difficult, and many argue that the “who” matters less than the “what” and the “how” of an adversary's strike, but an adversary focused on physical destruction, with the ability to remain undetected for an extended time, warrants added scrutiny and accountability. FireEye