Search the Community

Symantec Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned. On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East. The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity. Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid. The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex. Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec -- while it is early days into the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage. In the case of the victim company, Triton was used to target emergency shutdown capabilities. However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead. The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme. The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data. However, in this case, there was no clear financial goal -- but the groups' persistence, skill, the targeting of core infrastructure, and what appears to be resources at their disposal all points towards state sponsorship. In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies. Via zdnet.com