A group of hackers recently conducted targeted cyber-attacks on the emergency shutdown system of a critical infrastructure organisation by employing Triton, a new malware variant.
Triton is a specialised malware variant like Stuxnet and Industroyer and is used by hackers to target essential systems at critical infrastructure organisations.
Earlier today, security firm FireEye announced that the Triconex industrial safety technology at Schneider Electric SE that provided emergency shutdown capability for industrial processes was targeted by suspected hackers who used a specially created malware known as Triton to perform the operation.
Like Industroyer and Stuxnet, Triton is a specialised malware family used for targeting industrial control systems by hackers and is great at disabling safety mechanisms at critical infrastructure organisations, thereby resulting in physical consequences.
Researchers at FireEye said that they could assess with moderate confidence that hackers behind the latest cyber-attack on Schneider Electric SE were state-sponsored.
Firstly, by attacking an SIS engineering workstation and causing a diagnostic failure, the hackers wanted to ensure great physical damage. Secondly, the attackers deployed Triton only after gaining access to the SIS system, indicating that they had pre-built and tested the tool in advance.
Considering that an SIS system monitors the status of industrial processes and brings a process back into a safe state after it reaches a hazardous state, compromising an organisation’s SIS system means compromising its performance as a whole and creating a crisis situation.
Describing the hackers’ operation and capabilities demonstrated by Triton, the researchers said that Triton was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. The malware also had the capability to communicate with Triconex SIS controllers and remotely reprogram them with an attacker-defined payload.
To ensure the safety of those employed by critical infrastructure organisations and to prevent physical after-effects of any cyber-attack on such an organisation, the researchers are asking asset owners to follow a number of recommendations.
These recommendations include segregating safety system networks from process control and information system networks, leveraging hardware features that provide for physical control of the ability to program safety controllers, and using a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
The researchers also asked asset owners to monitor ICS network traffic for unexpected communication flows and to implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system.
‘Triton is a serious threat to critical infrastructure systems on par with the likes of Stuxnet and Industroyer because it specifically targets industrial control systems with the capability to cause physical damage or shutdown operations. The safety systems targeted are key components for critical infrastructures as they are used to monitor industrial environments to ensure the safety of workers, environmental factors and other aspects of operations,’ said Edgard Capdevielle, CEO of Nozomi Networks and a FireEye partner.
‘Industrial companies, with operations at risk, should look to proven technologies that leverage artificial intelligence and machine learning to continuously monitor industrial controls systems networks for anomalies that detect and mitigate possible attacks that could cause harm to the industrial control systems,’ he added.