A hacker has recently used a highly sophisticated attack technique using Triton malware to shut down an industrial plant.
Cybersecurity researchers from the security firm FireEye have recently issued an alert shortly after hackers were discovered to have halted operations at an industrial plant. The hackers used malware, dubbed Triton by FireEye researchers, to launch their attack. The attack is thought to be the predecessor of a larger attack that was likely to follow. The security researchers declined to name the industrial plant for security reasons.
The FireEye experts noted that the hackers possessed considerable skill and knowledge to launch an attack campaign of this magnitude. In addition, the lack of a monetary incentive and the evidently ample access to complex technical resources imply that the hackers are likely state-backed.
FireEye has declined to give the name or location of the affected industrial plant. According to Reuters, the security firm Dragos believes that the plant is located in the Middle East, while a different security firm, CyberX, stated that the plant is located in Saudi Arabia.
Since the attack was discovered, all Triconex users have been warned of a possible link between the attack and the safety software. Triconex is safety software mainly tailored to oil and nuclear plants. However, the nature and scope of this attack have raised the eyebrows of more than one security expert. According to Dragos’ Sergio Caltagirone, this attack signifies a watershed moment in the history of cyber attacks.
Symantec, the notable cybersecurity firm, has confirmed that the Triton malware has been in existence since at least August this year. The malware targets an organization’s safety instrumented system (SIS) and reprograms it to the hacker’s will. The reprogramming could cause an entire plant to shut down, or an even more complex attack could manipulate the SIS so that it keeps running the plant under unsafe conditions, which would likely lead to a damaging industrial accident.
During the newly discovered attack, Triton attempted to manipulate the SIS controllers; however, instead of having their code altered, the controllers automatically shut down into safe mode, which halted the plant’s operations. Following this event, the operators were immediately notified of the malware.
In their report, FireEye researchers noted that this latest attack and its nature implies involvement from either Israeli, Russian, Iranian, or North Korean state-backed hackers.
The report continues that while the hackers could likely have shut down the plant in an instant, their ultimate goal was to infiltrate and hijack control of the plant’s SIS. This implies a more nefarious purpose than simply shutting down an industrial plant.
The Triton malware is already the third of its kind to have been discovered by security experts. In 2010, experts found Stuxnet, which was used to disrupt and halt Iran’s nuclear program. Just last year, the malware Industroyer was used to target industrial plants located in Ukraine.