Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: Another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment.
That rare type of malware has now reappeared in the the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.
Security firm FireEye today has revealed the existence of Triton, also known as Trisis, a family of malware built to compromise industrial control systems. Although it's not clear in what kind of industrial facility—or even what country—the sophisticated malware appeared, it targets equipment that's sold by Schneider Electric, often used in oil and gas facilities, though also sometimes in nuclear energy facilities or manufacturing plants. Specifically, the Triton malware is designed to tamper with or even disable Schneider's Triconex products, which are known as "safety-instrumented systems," as well as "distributed control systems," made by a separate company, used by human operators to monitor industrial processes.
SIS components are built to run independently from other equipment in a facility and monitor potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or sabotage. By obtaining a foothold in the DCS, hackers could use Triton create a situation that might cause physical harm, or an explosion or a leak. And because Triton's code also contains the express ability to disable Triconex safety measures, the failsafes that exist to shut down equipment in those situations would be unable to respond. That makes for a dangerous new escalation of hacker tactics that target critical infrastructure.
"[FireEye subsidiary] Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems," FireEye's report on its new malware finding reads. "We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations."
Triton acts as a "payload" after hackers have already gained deep access to a facility's network, says Rob Lee, the founder of security firm Dragos Inc. Lee says Dragos observed the malware operating in the Middle East about a month ago, and had since been quietly analyzing it, before FireEye revealed its existence publicly. When Triton is installed in an industrial control system, the code looks for Schneider's Triconex equipment, confirms that it can connect to it, and then begins injecting new commands into its operations. If those commands aren't accepted by the Triconex components, it can crash the safety system. In an emailed statement, Schneider Electric counters that "in this case those commands were accepted successfully by the Triconex components, and the plant was shut down safely."
Since Triconex systems are designed to "fail safe," that would lead to other systems turning off as a safety measure, disrupting a plant's operations. "If the safety system goes down, all other systems grind to a halt," Lee says.
That is, in fact, precisely what happened; FireEye discovered Triton responding to an incident in which a company's SIS entered a failed state safe—an automatic shutdown of industrial processes—for no clear reason. Hultquist believes that the SIS manipulation was accidental. A more likely intentional use would have been to keep the SIS running, while manipulating the DCS into disaster. "If the attacker had intended to do a real attack, it looked like they had better options, because they also controlled the DCS," Hultquist says. "They could have caused much more damage."
According to Lee, the extent of that potential damage—whether caused by malware or a physical attack—could be quite serious. "Everything could still appear to be working, but you’re now operating without that safety net," Lee says. "You could have explosions, oil spills, manufacturing equipment rip apart and kill people, gas leaks that kill people. It depends on what the industrial process is doing, but you could absolutely have dozens of deaths."
That targeting of safety systems makes Triton in some respects the most dangerous malware ever encountered, Lee argues. "It’s the most egregious we’ve seen in its potential impact," Lee says. "Even the hint of doing this is awful."
In a statement, Schneider Electric says that it is aware of the issue, and is investigating. "Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system," the company says. "We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment."
Triton represents just the third-ever known malware specimen focused on damaging or disrupting physical equipment. The first was Stuxnet, widely assumed to have been designed by the NSA in partnership with Israeli intelligence. And late last year, a piece of sophisticated malware known as Industroyer, or Crash Override, targeted Ukraine's power systems, triggering a brief blackout in the country's capital of Kiev. That attack is widely believed to be the work of a team of Russian government hackers known as Sandworm who have waged a cyberwar on Ukraine since 2014.
Hultquist sees Triton as escalating beyond those previous attacks, though. "The biggest difference is that the tool that we're seeing was built for controlling the safety systems," he says. "Because those are the failsafes to protect assets and people, messing with those systems could have very dangerous consequences. You're not just talking about turning off the lights. You're talking about potential physical incidents at a plant."
Neither FireEye nor Dragos was willing to comment on who might have created Triton, not to mention those hackers' motivations. But among the usual suspects, Iran has a long history of executing brazen cyberattacks in the Middle East. In 2012, Iranian malware known as Shamoon destroyed tens of thousands of computer at Saudi Aramco, a move widely seen at the time as retaliation against the West for Stuxnet's sabotage of Iranian nuclear ambitions. Late last year, a new variant of Shamoon surfaced, targeting Saudi computer systems and others around the Persian Gulf. And most recently, FireEye has closely tracked a pair of Iranian state-sponsored hacker groups that have probed critical infrastructure and even infected targets with "dropper" software that appears to be preparation for data-destroying attacks.
Both Lee and Hultquist say this implementation of Triton was likely a probe, or reconnaissance. That raises the possibility that it could be used again against targets in the West, Lee points out. That reuse of the malware would require a significant redesign, since Triconex are usually highly customized to the industrial facility where they're used. But Lee nonetheless argues that Triton creation could signal a new era of hackers targeting industrial safety systems, with all the risks of destruction and even deaths that implies.
"I don’t expect this to show up in Europe and North America, but the adversary has created a blueprint to go after safety systems," Lee says. "That tradecraft is what they’re testing out. And that’s what we should all be concerned about."
Download SafeUM — communicate privately, without advertising and spam.
110 Reykjavik, Iceland