Sophisticated malware capable of forcing industrial equipment safety systems to fail was found in industrial control systems in the Middle East, according to information provided to CyberScoop and research produced Thursday by U.S. cybersecurity firms FireEye and Dragos.
Dubbed “Triton” or “Trisis,” the malware disrupts an emergency shutdown capability in Schneider Electric’s Triconex safety instrumented system (SIS). By targeting this system, Triton makes it easier for an industrial control system (ICS) to fail and break down.
SIS technology is often used in oil and gas production facilities, among other industrial environments.
Triton is the fifth known case of malware that has been specially designed to sabotage industrial control systems. In some instances, an ICS-focused failure could result in an explosion, damaged machines, property destruction, injury or loss of human life.
According to researchers with FireEye, Triton is likely the work of a nation-state, although it’s not clear which country is responsible. According to FireEye, the hackers caused the targeted industrial firm to shut down all operations. The only known victim is based in the Middle East, said Sergio Caltagirone, director of threat intelligence and analytics with Dragos.
“TRISIS malware doesn’t seem to share or leverage previous ICS attack characteristics – but then again, this is only the fifth known [case of ICS-focused malware] so there isn’t much to build upon,” Caltagirone said. More than two other cybersecurity firms knew about Triton before FireEye and Dragos’ reports became public, including Symantec.
The most famous ICS-focused malware prior to Triton is Stuxnet. That malware has been linked to a U.S. spy agency, reportedly used as part of an intelligence operation to disrupt Iran’s nuclear weapons development program.
Researchers say there are some limited similarities between Triton and Stuxnet.
“There are capabilities in [Triton] that allowed it to reprogram safety systems controllers,” explained Dan Scali, senior manager for ICS with FireEye. “This capability suggests the attacker was interested in modifying the industrial control system’s safety shutdown process, which could create significant physical consequences—similar to the potential consequences of STUXNET and Industroyer. It is very concerning the attacker targeted a safety system which is in place to protect people, the environment and the equipment at the facility.”
Citing customer confidentiality, Scali declined to explain how the hackers behind Triton initially entered their victim’s network. What is clear, however, is that the attackers were able to gain remote access to an SIS engineering workstation, which was running Microsoft Windows, before deploying Triton to reprogram safety controls.
“During the incident, some [Schneider Electric’s Triconex safety instrumented system] controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation,” a FireEye blog post reads. “We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage.”
Both FireEye and Dragos say the people responsible likely obtained SIS technology beforehand, tested it and reverse engineered some of its code in order to pre-build an effective software exploit. Access to such an SIS system, in addition to the technical knowledge needed to analyze the product, suggests these attackers were well-resourced and highly skilled.
Asked how the hackers may have acquired the SIS technology, Scali said: “they could’ve bought it from a number of sources. They also could have interacted with it in the environment. The larger challenge isn’t so much acquiring the device as understanding precisely how the technology and protocols work.”