Triton Takes Aim at ICS in the Middle East

A shadowy attacker has been seen attacking critical infrastructure in the Middle East with a malware called Triton, designed to manipulate industrial safety systems.

FireEye’s Mandiant division said that an incident that it investigated saw Triton targeting emergency shutdown capability for industrial processes, but that the threat actor is likely developing the capability to cause physical damage.

Triton, an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers, is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS), the firm explained. It follows in the footsteps of Stuxnet, which was used against Iranian nuclear facilities in 2010, and Industroyer, which was likely deployed by Sandworm Team against Ukraine in 2016.

As for who’s behind it, “We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack,” researchers said in an analysis. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”

Mandiant said that in this incident, the attacker gained remote access to an SIS engineering workstation and deployed Triton to reprogram the SIS controllers; some of them entered a failed safe state triggered by validation checks, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

“Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences,” the firm said.

The attacker deployed Triton shortly after gaining access to the SIS system, indicating that the group had pre-built and tested the tool. That would require access to hardware and software that’s not widely available to the average cybercrime group.

The end game is unknown at this point. “The targeting of critical infrastructure to disrupt, degrade or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US and Israeli nation state actors,” said Mandiant. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”