BOULDER CREEK, Calif. — Less than two months after October's U.S. Department of Homeland Security/FBI joint technical alert confirmed cyberattacks against industrial control systems, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility. The TRITON/TRISIS/HatMan malware is the first designed to attack an industrial plant's safety systems. Since the attack, security firms and the safety system supplier have provided detailed analyses of the attack and the malware.
A team from FireEye's Mandiant cybersecurity service wrote in a December blog that it responded to the attack when the new malware took remote control of a workstation running a Schneider Electric Triconex Safety Instrumented System (SIS). The SIS, used in oil and gas plants and nuclear facilities, monitors critical industrial processes and automatically shuts them down if they exceed safety limits. The new malware, which FireEye dubbed TRITON, then tried to reprogram the SIS controllers. Some controllers entered a failsafe mode, shutting down the industrial process and prompting the facility's owner to investigate and identify the attack.
The FireEye blog said TRITON's ability to prevent safety systems from operating as intended, which could then result in physical consequences, is consistent with attacks made by two previous types of malware — Stuxnet and Industroyer/Crash Override — that can disrupt the ICS of manufacturers and infrastructure systems like energy and water utilities. Although FireEye did not identify the attacker, the victim, or their locations, it did say the attack was characteristic of a nation state, not of cyber-criminal hackers, in its “targeting of critical infrastructure to disrupt, degrade, or destroy systems” without a clear monetary goal.
In this case, attackers needed enough specialized engineering expertise to understand the particular process being controlled by the SIS at a victim's site and how to manipulate it, as well as the specific SIS controllers used there. When TRITON modified application memory on the SIS controllers, this may have led to the failed validation check of application code between redundant processing units that triggered the controllers to begin a safe shutdown. The malware used Schneider Electric's proprietary TriStation protocol to interact with the SIS controllers. Since that protocol isn't publicly documented, the FireEye blog said this suggests the attackers had reverse-engineered it.