Researchers have discovered malware named TRITON at a critical infrastructure company in the Middle East; it is capable of compromising industrial control systems.
FireEye’s Mandiant researchers, who discovered the threat, said the malware was used to target the emergency shutdown system at a critical infrastructure firm.
“TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence,” the company said in its blog post.
The malware is designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS).
TRITON, which has been active since August, works by first compromising a Windows computer connected to the SIS. From there it injects code that alters the behavior of the SIS controllers.
In this case the attacker gained remote access to the SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. Some of the SIS controllers entered a failed safe state and automatically shut down the industrial process.
“TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite. The malware was delivered as a Py2EXE-compiled Python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers,” the researchers said.
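As an added example (not FireEye's code, and nothing from the TRITON sample itself), here is a triage script a defender could run against an SIS engineering workstation to hunt for the build pattern described above: a py2exe-compiled executable that carries the name of a legitimate vendor tool and depends on a sibling zip of Python libraries. It assumes py2exe defaults (a PE resource named "PYTHONSCRIPT" and a "library.zip" dependency); the watch list of vendor tool names and the sample file images are constructed for illustration, not real TRITON bytes.

```python
import ntpath
import os
import struct
from dataclasses import dataclass
from typing import List

# py2exe stores the frozen script in a PE resource named "PYTHONSCRIPT"; named
# resources sit in the resource directory as UTF-16LE, and the loader stub also
# carries the name as ASCII, so match both encodings.
PY2EXE_MARKERS = (b"PYTHONSCRIPT", "PYTHONSCRIPT".encode("utf-16-le"))
# Default name of the sibling archive of pure-Python modules a py2exe build
# loads at start-up (assumption: the build kept the default zipfile= name).
ZIP_MARKER = b"library.zip"
# Hypothetical watch list: vendor tool names that should never be py2exe builds
# on an SIS engineering workstation. Extend with the rest of the TriStation suite.
MASQUERADE_NAMES = {"trilog.exe"}
PE_EXTENSIONS = {".exe", ".dll"}


@dataclass
class Finding:
    path: str
    is_pe: bool
    py2exe: bool
    references_zip: bool
    masquerade: bool

    @property
    def suspicious(self) -> bool:
        # A py2exe build wearing a vendor tool's name is the pattern to escalate.
        return self.py2exe and self.masquerade


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_bytes(name: str, data: bytes) -> Finding:
    """Classify one file image by its name and content."""
    pe = is_pe(data)
    py2exe = pe and any(marker in data for marker in PY2EXE_MARKERS)
    return Finding(
        path=name,
        is_pe=pe,
        py2exe=py2exe,
        references_zip=py2exe and ZIP_MARKER in data,
        # ntpath handles both '\\' and '/' separators regardless of host OS.
        masquerade=py2exe and ntpath.basename(name).lower() in MASQUERADE_NAMES,
    )


def inspect_file(path: str) -> Finding:
    with open(path, "rb") as fh:
        return inspect_bytes(path, fh.read())


def scan_tree(root: str) -> List[Finding]:
    """Walk root and return every PE that looks py2exe-built, suspicious ones first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() in PE_EXTENSIONS:
                finding = inspect_file(os.path.join(dirpath, fname))
                if finding.py2exe:
                    findings.append(finding)
    return sorted(findings, key=lambda f: not f.suspicious)


def build_sample_pe(extra: bytes) -> bytes:
    """Constructed stand-in for a PE image: valid MZ/PE headers followed by extra."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    return bytes(header) + b"PE\0\0" + bytes(60) + extra


# Constructed samples (not real TRITON bytes): a py2exe build carrying the
# Trilog name, and a plain executable with no Python payload.
SAMPLES = {
    "trilog.exe": build_sample_pe(PY2EXE_MARKERS[1] + b"\0\0" + ZIP_MARKER),
    "tristation.exe": build_sample_pe(bytes(32)),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        f = inspect_bytes(name, image)
        print(f"{name}: py2exe={f.py2exe} zip={f.references_zip} "
              f"masquerade={f.masquerade} suspicious={f.suspicious}")
```

Run `scan_tree(r"C:\")` on a workstation image to list every py2exe build, with the ones named after vendor tools at the top; a legitimate TriStation install should produce no suspicious hits, so any that appear warrant hashing and comparison against the vendor's signed binaries.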
The researchers said they have informed the U.S. Department of Homeland Security about the threat.
Schneider Electric responded in a statement: “Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors.”