A malware strain called Triton was designed to either shut down a production process or allow machinery controlled by a safety instrumented system (SIS) to operate in an unsafe state.
The group behind the malware, which FireEye has been tracking under the codename TEMP.Veles, came close to succeeding when it almost caused an explosion at a Saudi petrochemical plant owned by Tasnee.
Tasnee is a privately-owned Saudi company and at the time the malware's origins were a mystery.
But, in a report, FireEye says that following further research into incidents where the Triton malware was deployed, it can now assess with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) was involved.
CNIIHM is a government-owned technical research institution located in Moscow. FireEye's report does not link the Triton malware itself to CNIIHM, but says that the secondary malware strains used by TEMP.Veles were deployed during the same incidents in which Triton was deployed.
These secondary malware strains, used to aid the deployment of the main Triton payloads, contained enough artefacts to allow researchers to identify their source.