Jump to content
OKQL

Hackers use Triton malware to shut down plant, industrial systems

Recommended Posts

screen-shot-2017-12-15-at-08-41-15.jpg

Symantec

 

Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.

On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East.

 

The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity.

 

Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid.

 

The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex.

 

Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec -- while it is early days into the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage.

 

In the case of the victim company, Triton was used to target emergency shutdown capabilities.

However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead.

 

The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme.

 

Quote

"The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message," FireEye says. "We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation-state preparing for an attack."

 

The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data.

 

However, in this case, there was no clear financial goal -- but the groups' persistence, skill, the targeting of core infrastructure, and what appears to be resources at their disposal all points towards state sponsorship.

 

Quote

"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US, and Israeli nation-state actors," FireEye says. "Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency."

 

In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems.

Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies.

 

Via zdnet.com

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...