Internet Security Technology

Triton: A new malware threatens the Middle East

Written by Andy Prosper

A piece of malware called Triton has been discovered in the Middle East. It targets the safety systems of industrial plants. The damage Triton could cause would be catastrophic.

Since Stuxnet attacked and manipulated uranium enrichment centrifuges in Iran in 2010, the world has been waiting for the next step in the digital arms race: new malicious software designed to attack or manipulate industrial assets. One of these rare types of malware has now surfaced in the Middle East, and it seems to have a special purpose: shutting down safety systems designed to protect human life.

The security company FireEye has confirmed the existence of Triton, also known as Trisis. It is malicious software whose job is to compromise industrial control equipment. So far it is not known in what kind of industrial plant the highly developed malware wreaked havoc, nor in which country. But it is known what the malware is after: equipment sold by Schneider Electric. This equipment is used mainly in the oil and gas industry, but sometimes also in nuclear power plants or manufacturing facilities. Triton appears to have been specifically designed to manipulate or disable Schneider’s Triconex products. These are safety systems that sit alongside the process control systems, made by various companies, which run industrial processes.

The components of a safety system are designed to work independently of the other equipment in a facility and to monitor potentially dangerous operations. In an emergency, they trigger an alarm or shut down the affected device or system to prevent accidents or sabotage.

By infiltrating process control systems, hackers could use the Triton malware to create a whole new set of dangerous situations, such as causing injuries, explosions or leaks. Because Triton is written to disable the Triconex safety functions, the “fail-safe” mechanism that would otherwise shut the process down in such a scenario would fail. This amounts to a new and dangerous hacker tactic aimed at critical infrastructure.

“American security firm Mandiant has responded to an incident in a critical infrastructure. There, an attacker infiltrated malware specifically designed to manipulate security systems in the industry,” reports FireEye. “We expect the attacker to be developing the ability to physically injure people and cause unintentional shutdown processes.” Triton acted as a payload deployed after hackers had already gained access to a plant’s network, says Rob Lee, founder of the security company Dragos.

Lee explains that his company first noticed the malware in the Middle East a month ago and has been analyzing it since. FireEye informed the public of its existence only afterwards.

Once Triton is installed in an industrial control network, the code looks for Schneider Electric Triconex equipment. It then confirms that it can connect to the equipment and begins feeding it new instructions. If the Triconex components do not accept these commands, the entire safety system can crash. In the case mentioned above, it did not come to that: the “commands were successfully adopted by the Triconex components and the system was shut down safely,” writes Schneider Electric in an email.

Because Triconex systems are designed to be fail-safe, such a shutdown causes the other systems to stop as a precaution, disrupting plant operations. “If the security system fails, all the other systems will also stop,” says Lee.

And that is exactly what happened in the Middle East: FireEye responded to an incident in which a company’s safety system had shut down safely – an automatic shutdown of all industrial processes – for no apparent reason. John Hultquist, FireEye’s chief analyst for cyber espionage, believes the shutdown was probably accidental. A more plausible intention would have been to keep the safety system running while manipulating the process control system. “If the hackers had really wanted to attack, they would have had better options, because they also controlled the process control system,” says Hultquist. “They could have caused much more damage.”

According to Lee, the extent of this potential damage – whether caused by malware or a physical attack – would be far more serious. “Everything would seem normal and functional, except that you would be operating without a safety net,” Lee says. “It could cause explosions, oil disasters, manufacturing plants could burst or gas could leak and kill some people. It all depends on what the industrial process is in charge of, but dozens might die.”

Triton’s focus on safety systems makes it one of the most dangerous pieces of malware ever, Lee says. “With these potential effects, it’s one of the most monstrous malware ever,” Lee continues. “The very thought of doing so is terrible.”

In a statement to Prodigitalweb, Schneider Electric writes that it is aware of the problem and is investigating it. “Schneider Electric recognizes that there was a targeted malfunction that targeted a single user’s Triconex Tricon Safety Shutdown System,” the letter says. “We work closely with our customers, independent cybersecurity organizations and ICS-CERT to identify and mitigate the risks of such an attack. While the evidence points to a single, isolated incident rather than vulnerabilities in the Triconex system or programming code, we are investigating whether there are other attack vectors. We point out that the Triconex system reacted absolutely correctly in this case and safely shut down all operations in the system. Neither the customer nor the environment has suffered damage.”

Triton is only the third known type of malware designed to harm physical things. The first was Stuxnet, which many believe was developed by the NSA in collaboration with Israeli intelligence. At the end of last year, the trojan Industroyer, also known as Crash Override, attacked the Ukrainian power supply and briefly turned out the lights in Kiev. Experts hold the Russian hacker group Sandworm responsible; these state hackers have been waging a cyber war against Ukraine since 2014.

According to Hultquist, Triton could escalate much further than its two predecessors. “The biggest difference is that the tool we’re dealing with was built to control security systems,” he says. “Because this fail-safe technology is designed to protect people and equipment, it can have dangerous consequences. This is not just about switching off the lights for a moment; actual physical incidents could occur on site.”

Neither FireEye nor Dragos would comment on who might have developed Triton or with what goals.

One of the usual suspects is Iran, whose list of cyber-attacks in the Middle East is long. In 2012, for example, the Iranian malware Shamoon destroyed tens of thousands of computers at Saudi Aramco. Many saw this attack as retaliation against the West after Stuxnet sabotaged Iran’s nuclear ambitions. Last year, a new variant of Shamoon targeted computer systems in Saudi Arabia and around the Persian Gulf. More recently, FireEye has tracked two state-sponsored hacker groups that have reconnoitred critical infrastructure and even infected some targets with dropper software. This software appears to be preparation for an attack.

Both Lee and Hultquist believe that this deployment of Triton was a test, used for research purposes. That in turn raises the possibility that the malware could also be used against targets in the West, Lee says, even though it would have to be rewritten, because Triconex systems are tailored to each customer and to the particular plant in which they are used. Nonetheless, Lee fears that the development of Triton could usher in a new era, one in which hackers attack safety systems and thus accept the risk of death and destruction. “I do not think this malware will show up in Europe or North America, but the enemy has developed a blueprint to attack security systems,” Lee said. “That’s what the tests show. And that should worry us all.”
