Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.
On Thursday, cybersecurity researchers from FireEye’s Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East.
The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity.
Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine’s capital Kiev had a power outage after malware took down a power grid.
The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex.
Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec — while it is early days into the investigation — the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage.
In the case of the victim company, Triton was used to target emergency shutdown capabilities.
However, the security researchers believe Triton was intended for use in “causing physical damage,” but the plant was shut down inadvertently during the attack instead.
The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme.
“The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message,” FireEye says. “We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation-state preparing for an attack.”
The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data.
However, in this case, there was no clear financial goal — but the groups’ persistence, skill, the targeting of core infrastructure, and what appears to be resources at their disposal all points towards state sponsorship.
“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US, and Israeli nation-state actors,” FireEye says. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”
In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems.
Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies.
Previous and related coverage
The unusual malware has been specifically designed to target the core systems cities rely on.
Updated: 2.27 million users had the affected software installed on 32-bit Windows machines, CCleaner maker Piriform said.
Attackers are particularly interested in industrial control systems — and they’re still at it right now.