Hackers shut down infrastructure safety system in attack: FireEye

Andrew Cummings
December 16, 2017

"Attacks on an industrial process that are as specific in nature as TRISIS are considerably hard to repurpose against other sites although the tradecraft does reveal a blueprint to adversaries to replicate the effort".

Security researchers from FireEye's Mandiant investigative division have spotted a new form of malware that's capable of targeting industrial equipment.

These types of attacks on critical infrastructure are consistent with the tactics deployed by Russian, Iranian, North Korean, and Israeli state actors, according to FireEye, and are likely to be "preparation for a contingency plan" rather than an immediate attempt to disrupt a system.

Schneider Electric specializes in energy management and automation solutions, spanning hardware, software and services. "The targeted systems provided emergency shutdown capability for industrial processes".

Dan Scali, who led FireEye's investigation into the matter, said the hackers' system shutdown may not have been fully intentional, as they were exploring the depths of the plant's network.

The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed with the goal of attacking industrial processes and the core infrastructure we all rely upon for supplies such as gas, oil, and electricity. Elsewhere, the researchers continued: "While Trisis appears to be focused, ICS owners and operators should view this event as an expansion of ICS asset targeting to previously untargeted SIS equipment". Schneider has also acknowledged the attack, which appears to be targeted, and has alerted all its customers that use this technology.

A December 14 post on FireEye's website said the malware, which it dubbed TRITON, had been deployed by an attacker to manipulate emergency shutdown capabilities for industrial processes at the facility. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check, resulting in an MP diagnostic failure message.

FireEye researchers say that the malware can shut down operations, preventing SIS from functioning properly and increasing the chances of major physical consequences.

It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.

'Industrial companies, with operations at risk, should look to proven technologies that leverage artificial intelligence and machine learning to continuously monitor industrial control systems networks for anomalies that detect and mitigate possible attacks that could cause harm to the industrial control systems,' he added. Some controllers entered a failsafe mode as the hackers attempted to reprogram them, causing related processes to shut down and allowing the plant to spot the attack.
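The failsafe transitions that let the plant notice the intrusion are, for a defender, the detection signal: a safety controller reporting a diagnostic failure shortly after an engineering workstation pushed a program change. The Python below is an added illustration of that correlation, not code from FireEye, Schneider Electric or this article; the log layouts, field names (`program_download`, `target=`), hostnames and sample lines are constructed assumptions rather than real Triconex or Windows output.

```python
"""Correlate SIS controller diagnostics with engineering-workstation program
changes.  Illustrative code added to this article; it is not FireEye's,
Schneider Electric's or the article's.  Log formats, field names and sample
lines are constructed assumptions, not real Triconex or Windows output."""
import re
from datetime import datetime, timedelta

# Constructed controller-side log. The "MP diagnostic failure" and failsafe
# wording mirrors the article; the line layout is an assumption.
CONTROLLER_LOG = """\
2017-08-04T02:10:05 SIS-01 INFO  heartbeat ok
2017-08-04T02:12:41 SIS-01 ALARM MP diagnostic failure: application code validation failed between redundant processing units
2017-08-04T02:12:42 SIS-01 STATE transition RUN -> FAILSAFE
2017-08-04T09:05:00 SIS-02 STATE transition RUN -> FAILSAFE
"""

# Constructed Windows engineering-workstation log (hypothetical key=value form).
WORKSTATION_LOG = """\
2017-08-04T02:11:58 EWS-01 user=svc_eng event=program_download target=SIS-01
2017-08-04T08:59:30 EWS-01 user=operator event=logon
"""

CONTROLLER_RE = re.compile(r"^(?P<ts>\S+) (?P<ctrl>\S+) (?P<level>\S+)\s+(?P<msg>.*)$")
WORKSTATION_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")
FAULT_MARKERS = ("MP diagnostic failure", "-> FAILSAFE")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def controller_faults(log):
    """Return (time, controller, message) for diagnostic-failure / failsafe lines."""
    faults = []
    for line in log.splitlines():
        m = CONTROLLER_RE.match(line)
        if m and any(marker in m["msg"] for marker in FAULT_MARKERS):
            faults.append((parse_ts(m["ts"]), m["ctrl"], m["msg"]))
    return faults


def program_downloads(log):
    """Return (time, host, user, target) for program-download events."""
    downloads = []
    for line in log.splitlines():
        m = WORKSTATION_RE.match(line)
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        if fields.get("event") == "program_download":
            downloads.append((parse_ts(m["ts"]), m["host"],
                              fields.get("user"), fields.get("target")))
    return downloads


def correlate(controller_log, workstation_log, window=timedelta(minutes=5)):
    """One alert per program download that is followed, within `window`,
    by a diagnostic failure or failsafe transition on the same controller."""
    faults = controller_faults(controller_log)
    alerts = []
    for d_ts, host, user, target in program_downloads(workstation_log):
        matched = [(f_ts, msg) for f_ts, ctrl, msg in faults
                   if ctrl == target and timedelta(0) <= f_ts - d_ts <= window]
        if matched:
            alerts.append({
                "controller": target,
                "workstation": host,
                "user": user,
                "download_at": d_ts.isoformat(),
                "faults": [{"at": f_ts.isoformat(),
                            "seconds_after": int((f_ts - d_ts).total_seconds()),
                            "message": msg} for f_ts, msg in matched],
            })
    return alerts


def uncorrelated_faults(controller_log, workstation_log, window=timedelta(minutes=5)):
    """Faults with no preceding download: still worth a ticket, but a different
    triage path (hardware, power, or a change the workstation log did not see)."""
    downloads = program_downloads(workstation_log)
    return [(f_ts, ctrl, msg) for f_ts, ctrl, msg in controller_faults(controller_log)
            if not any(ctrl == target and timedelta(0) <= f_ts - d_ts <= window
                       for d_ts, _host, _user, target in downloads)]


if __name__ == "__main__":
    for alert in correlate(CONTROLLER_LOG, WORKSTATION_LOG):
        print("ALERT", alert)
    for fault in uncorrelated_faults(CONTROLLER_LOG, WORKSTATION_LOG):
        print("UNEXPLAINED", fault)
```

The two-sided output matters in practice: a failsafe trip that follows a program download from a workstation is the pattern this article describes and should page the security team, while a trip with no matching download still needs explanation, since the article itself notes that external conditions alone were unlikely to have caused the fault.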

Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. Put more simply, whoever is behind the attack was looking to cause physical harm as opposed to trying to gain some sort of financial return. Researchers at antivirus provider Symantec also provided a brief analysis here.
