Hackers shut down infrastructure safety system in attack: FireEye

Gladys Abbott
December 17, 2017

FireEye Inc. disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE.

"Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware created to manipulate industrial safety systems", Mandiant, a division of FireEye, said. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message".

"Triton is a serious threat to critical infrastructure systems on par with the likes of Stuxnet and Industroyer because it specifically targets industrial control systems with the capability to cause physical damage or shutdown operations."

Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted. TRITON, according to the company, is a member of a very limited family of malware that can cause physical damage through cyberspace. A decade ago, hackers reportedly working on behalf of the U.S. and Israel deployed the Stuxnet worm to sabotage uranium enrichment centrifuges in Iran.

Dubbed "TRITON" and "TRISIS" by the two groups of researchers, the malware was discovered after it was deployed against a victim in the Middle East, where it inadvertently led to an automatic shutdown of the industrial process. In December of 2015 and again in December of last year, hackers breached security inside Ukrainian electric facilities and used their unauthorized access to cause power outages during one of the coldest months in Eastern Europe.


Triton also provides hackers with a blueprint for attacking critical infrastructure. While previously identified in theoretical attack scenarios, specifically targeting SIS equipment represents a dangerous evolution in ICS computer network attacks. Schneider has also acknowledged the attack, which appears to be targeted, and has alerted all of its customers that use this technology.

"Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences", the firm said.

"Attacks targeting industrial control systems aren't just costly, they're unsafe ... if you take a step back and think about what could happen in an industrial facility, a valve could turn the wrong way, a reactor could blow up". Some controllers entered a fail-safe mode, which caused related processes to shut down and led the plant to identify the attack, FireEye said. While these attempts appear to have failed due to one of the attack scripts' conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system.

"The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor".
