Triton malware: Next-gen cyberweapon that can shut down power plants accidentally leaked online
Triton malware, which experts have compared to Stuxnet, was used to trigger the shutdown of a Middle East oil and gas facility.
A powerful piece of malware, dubbed Triton or Trisis, which lets attackers who have already reached a plant's engineering workstation reprogram the controllers that protect its safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and was publicly disclosed in December 2017 after it had been used to shut down an oil and gas facility in the Middle East.
According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware was likely created by a nation-state and targets the safety layer of industrial control systems (ICS). Triton specifically targets safety instrumented system (SIS) controllers from Schneider Electric's Triconex line.
Triton can reportedly allow hackers to disable safety systems, which can lead to the breakdown of machinery or even cause explosions. Citing three anonymous sources, CyberScoop reported that the malware's framework was inadvertently posted to VirusTotal by Schneider Electric. The file has reportedly been available since 22 December. Because VirusTotal shares uploaded samples with its partner security vendors and lets paying subscribers download them, anyone with that level of access could have obtained a copy.
"In line with industry protocol, a Schneider Electric employee posted a file to VirusTotal in the interest of enabling its security vendor members to analyze and respond to the new malware. Shortly afterwards, Schneider Electric received a request from a third party to take the file down, and promptly complied with that request," a Schneider Electric spokesperson told CyberScoop.
Despite Schneider Electric having removed the file from VirusTotal, CyberScoop reports that the malicious code appears to have been copied and is still available via multiple GitHub accounts. Taking a sample down from VirusTotal does not recall copies that were already downloaded while it was live.
The malware's ability to actually cause physical damage appears to have shaken the infosec community. The malware was reportedly in development since mid-2016 and before its public disclosure, could even have been worth millions of dollars in the murky world of cybercrime.
"Trisis is the first ever to specifically target safety instrumented systems and it is the one that gives me the most concern," Robert Lee, CEO and founder of Dragos, told CyberScoop. "Trisis specifically targeted a system that is designed to protect human life. To me that is outrageous and infuriating. I expect this will be a watershed moment for the engineering community."
However, important details about Triton, such as the malware's creators, as well as other possible capabilities, remain unknown. Cybersecurity firms as well as US government agencies, including the NSA and the DHS, are still reportedly analysing Triton.