What is Triton? Hackers create new Stuxnet-like malware that has already hit the Middle East
Dragos researchers suspect attacks leveraging the malware could lead to loss of life.
A new malware family built specifically to target the industrial control systems (ICS) of critical infrastructure has been discovered by security researchers. Dubbed Triton by FireEye's Mandiant and Trisis by Dragos, the malware is considered a serious threat and joins the four other known ICS-targeting malware families: Stuxnet, Havex, Crashoverride and BlackEnergy2.
Both Mandiant and Dragos say the malware has already been used by hackers in at least one incident. Triton is designed to interact with the Triconex Safety Instrumented System (SIS), meaning any firm running Triconex SIS products could be vulnerable to attacks.
According to security researchers at Dragos, the malware targeted an unspecified firm in the Middle East. According to FireEye, the hackers behind the malware are likely state-sponsored.
"The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor," FireEye researchers said in a blog.
"Specifically, the following facts support this assessment: The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups."
According to Dragos researchers, attacks leveraging the malware could lead to loss of life, though such a scenario would be highly unlikely.
"TRISIS represents, in several ways, 'game-changing' impact for the defense of ICS networks. While previously identified in theoretical attack scenarios, targeting SIS equipment specifically represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life," a Dragos report noted.
FireEye researchers say the malware can shut down operations or prevent the SIS from functioning properly, increasing the chances of major physical consequences.
"Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail," FireEye researchers said.
"Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due to one of the attack scripts' conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown."
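The FireEye account above describes an attacker on the SIS network talking TriStation to the safety controllers and making repeated attempts to load new control logic. One defensive check that follows directly from that description is to allowlist the hosts permitted to speak TriStation to SIS controllers and alert on everything else, counting per source so repeated attempts stand out. The following is an example added to this article, not code from FireEye, Dragos or the Triconex vendor. It assumes TriStation is carried over UDP port 1502 (a configurable constant here), that flow records are available as dictionaries with source, destination, protocol and destination-port fields, and it uses constructed IP addresses, timestamps and an inventory of controllers and engineering workstations.

```python
"""Flag TriStation traffic to SIS controllers that does not originate from an
approved engineering workstation.

Example code written for this article; it is not FireEye's, Dragos's or the
Triconex vendor's code. Assumptions not taken from the article:
  - TriStation runs over UDP port 1502 (TRISTATION_PORT).
  - Flow records are dicts with ts, src, dst, proto and dport keys.
  - All addresses, timestamps and inventory entries below are constructed.
"""
from collections import Counter

TRISTATION_PORT = 1502  # assumed TriStation UDP port; adjust to the site's configuration

# Constructed inventory: SIS controller addresses and the only hosts allowed to program them.
SIS_CONTROLLERS = {"10.10.20.11", "10.10.20.12"}
APPROVED_ENGINEERING_WORKSTATIONS = {"10.10.10.5"}

# Constructed sample flow records. The repeated flows from 10.10.10.77 stand in for
# the "several attempts over a period of time" the FireEye account describes.
SAMPLE_FLOWS = [
    {"ts": "2000-01-01T01:10:02Z", "src": "10.10.10.5",  "dst": "10.10.20.11", "proto": "udp", "dport": 1502},
    {"ts": "2000-01-01T01:12:40Z", "src": "10.10.10.77", "dst": "10.10.20.11", "proto": "udp", "dport": 1502},
    {"ts": "2000-01-01T01:14:05Z", "src": "10.10.10.77", "dst": "10.10.20.11", "proto": "udp", "dport": 1502},
    {"ts": "2000-01-01T01:20:31Z", "src": "10.10.10.77", "dst": "10.10.20.12", "proto": "udp", "dport": 1502},
    {"ts": "2000-01-01T01:21:00Z", "src": "10.10.10.9",  "dst": "10.10.20.11", "proto": "tcp", "dport": 443},
]


def is_tristation(flow):
    """True when the flow is UDP to the assumed TriStation port on a known SIS controller."""
    return (
        flow["proto"] == "udp"
        and flow["dport"] == TRISTATION_PORT
        and flow["dst"] in SIS_CONTROLLERS
    )


def find_unapproved_tristation(flows, approved=APPROVED_ENGINEERING_WORKSTATIONS):
    """Return the TriStation flows to SIS controllers whose source is not an approved workstation."""
    return [f for f in flows if is_tristation(f) and f["src"] not in approved]


def summarize_by_source(alerts):
    """Count suspicious flows per source host so repeated programming attempts are visible."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    alerts = find_unapproved_tristation(SAMPLE_FLOWS)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']} TriStation from non-approved host")
    for src, count in summarize_by_source(alerts).items():
        print(f"{src}: {count} suspicious TriStation flows")
```

Run against the constructed records, the check ignores the approved workstation and the unrelated TCP/443 flow, and reports three TriStation flows from 10.10.10.77 to two different controllers. In a real deployment the inventory would come from the plant's asset register and the records from a network tap on the SIS segment; the point of the per-source count is that a single stray flow may be a misconfiguration, while a host repeatedly addressing several safety controllers matches the persistence described in the report.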