Incident Of The Week: 'Triton' Malware Takes Down Industrial Plant



Dan Gunderman
12/15/2017

In the dynamic world of cyber security, breaches are both closely guarded and, sadly, inevitable.

Combing through data, market research and the threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outward, helping enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a reported attack that recently disabled operations in a critical infrastructure plant.

In what’s being called a “watershed” attack, hackers likely working for a nation-state tapped into the system of a large facility and stalled its output. Those familiar with the situation believe that it was a “reconnaissance” mission to explore the layout of the plant.

The incident was announced by FireEye Inc. on Thursday, and was said to target Triconex industrial safety technology from Schneider Electric SE, according to Reuters.


Schneider confirmed the incident and said it had released a security alert to users of Triconex, a technology used within the energy industry. Schneider’s alert indicated the company is working with the U.S. Department of Homeland Security to investigate the breach.

While FireEye and Schneider have not identified a victim or location, the cyber security company Dragos suggested the hackers targeted a Middle Eastern plant. The firm CyberX went a step further, saying the victim was located in Saudi Arabia.

Officials say the hackers used malware (labeled “Triton” by FireEye) to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system. In the next phase, the hackers attempted to reprogram the controllers used to identify safety concerns. The plant was soon able to identify the attack.

Dan Scali, who led FireEye’s investigation into the matter, said the hackers’ system shutdown may not have been fully intentional, as they were exploring the depths of the plant’s network.

The incident marks the first report of hackers successfully compromising industrial plant safety systems. The shutdown is particularly troubling to operators, who may not be able to pinpoint a follow-up attack should the hackers attempt to disable other parts of the system. Such an attack could come as the infiltrators “fly low,” subtly damaging the system without raising red flags.

The U.S. government has issued warnings in recent years about these suspected reconnaissance missions – which could scout a multitude of system vulnerabilities. Officials believe nation-state hackers in countries like Russia, Iran and North Korea could be behind a number of the attempts.


Wednesday’s customer security alert suggested that the breach was an isolated incident and did not trace back to a Triconex vulnerability.

Scott McConnell, spokesman for the Department of Homeland Security (DHS), also weighed in on the matter, saying the agency was examining the incident to gauge impact on critical infrastructure.

Triton is believed to be the third known malware strain capable of affecting industrial control systems. One, “Stuxnet,” was reportedly used in 2010 by the U.S. and Israel to target Iran’s nuclear program. Another, “Industroyer,” was spotted in 2016 and was reportedly used to cut power in Ukraine.