Hackers Successfully Shut Down "Critical Infrastructure" in an Unprecedented Attack

Triton malware corrupts Triconex SIS systems

Triton Takes Aim at ICS in the Middle East

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues.

A December 14 post on FireEye's website said the malware, which it dubbed TRITON, had been deployed by an attacker to manipulate emergency shutdown capabilities for industrial processes at the facility.

The TRITON malware was built to attack industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers, according to security researchers at FireEye, and has already been discovered targeting an organisation. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message".

"We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations", the FireEye team says. Schneider Electric's website advertises the technology as a complete solution for process safety, offering systems and software for emergency shutdown, fire and gas control, high-intensity pressure management, and other life-critical checks. By taking control of the SIS, hackers can destroy or damage the process it is monitoring by tricking it into thinking everything is normal when the process is in fact operating at unsafe levels. "We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation-state preparing for an attack".

"The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor".


While FireEye and Schneider have not identified a victim or location, the cybersecurity company Dragos suggested the hackers targeted a Middle Eastern plant.

FireEye repeatedly points out in its report that the attackers were highly skilled and came prepared to wreak havoc. Experts say this means the group behind TRITON had pre-built and tested the malware beforehand and came prepared to inflict immediate damage.

Hackers, who researchers have said were possibly working for a nation-state, recently targeted an unnamed critical infrastructure site, causing an operational outage. According to FireEye, the hackers behind the malware are likely state-sponsored. While this may be the first attack on a safety control system to disrupt operations, attackers have previously targeted electric grids in Ukraine, not to mention the US- and Israel-backed Stuxnet that was used to target Iran's nuclear facilities.

In September, Symantec warned that a nation-state group named Dragonfly had ramped up operations against U.S. and European energy firms. "TRITON is also created to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting the adversary independently reverse engineered this protocol".

Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.
