This was not someone in a basement, either. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” they concluded.
The location of the plant or the nature of its operations was not disclosed, although Reuters reports that the security company Dragos said it was a plant in the Middle East, while another firm, CyberX, believed the target was in Saudi Arabia.
A security alert was issued for users of Triconex, a safety program that’s widely used in energy facilities such as nuclear plants and oil refineries. The nature of the breach has raised concerns among cybersecurity analysts. “This is a watershed,” said Sergio Caltagirone of Dragos. “Others will eventually catch up and try to copy this kind of attack.”
Cybersecurity firm Symantec says the Triton program has been around since August, and it targets a specific type of safety instrumental system (SIS) and reprograms them. The malware could cause the SIS to shut down plant operations or, with a sophisticated enough attack, nullify the SIS and allow an unsafe condition to escalate, leading to a widespread industrial accident.
In this particular case, when Triton attempted to reprogram the SIS controllers, some instead entered a safe shutdown mode, which halted plant operations and alerted the operators about the rogue software. FireEye believes the hackers accidentally triggered the shutdown while probing the plant’s security systems.
“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation-state actors,” FireEye said in its report.
The security company noted that the attacker could have easily shut down the plant, but instead continued with repeated attempts to gain control of the SIS. “This suggests the attacker was intent on causing a specific outcome beyond a process shutdown,” they said.
Triton is the third malware program analysts have encountered that’s able to interrupt industrial production. Stuxnet, discovered in 2010, is widely credited with helping to disrupt Iran’s nuclear program. The virus Industroyer was used in 2016 to cause widespread power outages in Ukraine.
