Researchers found malware called Triton on the industrial control systems of a company located in the Middle East. Attackers planted Triton, also called Trisis, with the intent of carrying out a “high-impact attack” against an unnamed company with the goal of causing physical damage, researchers said.
FireEye’s Mandiant threat research team revealed the existence of the malware on Thursday. They said adversaries behind Triton are targeting Triconex Safety Instrumented System controllers sold by Schneider Electric.
Researchers are comparing Triton’s targeting of industrial control systems to malware used in watershed attacks Stuxnet and Industroyer (or Crashoverride).
“It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016,” researchers said in a blog post outlining their research. “Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.”
On Wednesday, Schneider Electric warned its customers of Triton (PDF).
“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the company said in a statement.
According to researchers at Dragos, credited for discovering the malware last month, Triton targets the Triconex Safety Instrumented System (SIS) by “enabling the replacement of logic in final control elements.”
“It is not currently known what exactly the safety implications of Trisis would be. Logic changes on the final control element implies that there could be risk to the safety as set points could be changed for when the safety system would or would not take control of the process in an unsafe condition,” Dragos stated in a report detailing the malware.
According to FireEye, Triton masquerades as a legitimate Triconex Trilog application used for reviewing system logs. “The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers,” researchers wrote.
Triton attack scenarios include using the malware to shut down the Triconex SIS process that is in a safe state. The impact would be disruption of plant operations and service downtime.
Attackers could also reprogram the SIS controller not to shut down in an unsafe environment, creating risks to human safety or damage to equipment, according Mandiant researchers.
Each of the attack scenarios assume an adversary already has a foothold on targeted systems.
Lastly, attackers could manipulate Triconex’s distributed control system to create unsafe conditions at the same time program SIS to allow the unsafe state resulting in possible equipment failure or human harm.
“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” researchers said. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations,” Mandiant researchers said.
Dragos said Triton as having a “game-changing” impact on industrial control systems and specifically safety systems. “Targeting SIS equipment specifically represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life. Given these implications, it is important to ensure nuance in how the industry responds and communicates about this attack,” Dragos researchers said.
Schneider offers a number of detection and mitigation measures in its advisory that range from making sure Triconex systems are deployed on isolated networks and that USB drives, CDs or laptops connecting to that network should be scanned for malware ahead of time.