Triton malware used by hackers to shut down plant industrial systems

Triton malware has been designed to target industrial systems and critical infrastructure

Hackers utilising the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.

Threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East.

The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity.

Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid.

The new Trojan, which has been active since at least September 2017, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex.

Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. The malware appears to inject code which modifies the behaviour of SIS devices, leading to threat actor control and potential damage.

In the case of the victim company, Triton was used to target emergency shutdown capabilities.

However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead.


The malware was deployed in order to reprogram the SIS controllers, but some of the devices entered a failed safe state, which closed the plant down and alerted operators to the scheme.

"The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message," FireEye says. "We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation-state preparing for an attack."

The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data.

However, in this case, there was no clear financial goal -- but the group's persistence, skill, targeting of core infrastructure, and the resources that appear to be at its disposal all point towards state sponsorship.

Firms in the energy, nuclear, water, aviation and critical manufacturing sectors are at risk, according to the agencies, from hackers who target small firms as stepping stones towards more valuable companies.