It’s been nearly two years now since the heinous Triton malware incident was initially publicized. Many specifics were never released for security reasons, but as readers might be aware, a very large petrochemical facility in Saudi Arabia observed one day that their safety system—the commonly deployed Triconex product by Schneider Electric—was engaging and shutting down production, yet no threat could be found. They brought in Schneider Electric and then malware experts including FireEye and soon discovered that the culprit was a piece of malware that had infected their system.
What was especially disturbing about the situation is that this is the first time we know of that a piece of malware was deployed that specifically targeted safety and not production or financial resources. If it hadn’t tripped the Triconex system, this malware would have compromised fail-safes that protect human beings and could have led to massive injuries and deaths. Imagine, for example, if heavy equipment no longer stopped automatically if a person was in the vicinity for repairs or by accident, or if operators were no longer alerted to rising temperatures or pressures in acid or chemical tanks. It could be a disaster.
Triton Malware Update: Attribution Report released
In late 2018, FireEye released an Attribution Report that stated with a high degree of confidence that the deployment of Triton was supported by the Russian government. Or, to be more specific, by a Moscow-based technical research institution called the Central Scientific Research Institute of Chemistry and Mechanics, which includes specific individuals well-known for their expertise in maliciously exploiting cyber vulnerabilities. In other words, this appears to be a nation-state exploit.
It was fortunate that the errant engagement of the safety system led to the malware’s discovery, rather than a true safety system failure, so that no one got hurt. We can’t know if this was the intention of Triton—to announce to the world that this technology exists—or if it was a flaw in the malware that inadvertently called attention to itself prematurely. It’s also possible that the code was a type of “sleeper cell” meant to sit quietly on the system indefinitely until the hackers had reason to activate it. It could have been a warning, or the first steps to blackmail, and/or the perpetrators could be touting their ability to exploit a widely deployed safety system in use throughout the world. Of course, no one in Russia is stepping forward to explain their reasoning, but the existence of malware like Triton points to the possibilities of frightening new frontiers in cyber warfare.
New Triton Malware attacks
Although FireEye has not disclosed all the evidence that led them to their attribution conclusions, they recently announced that much of the evidence they had uncovered online pointing to the Russian facility appears to be systematically erased, perhaps adding credence to their conclusions. However, they have published some more details on the Tactics, Techniques and Procedures (TTPs) used by the Triton attackers, which may help investigators and cyber security experts anticipate and counter future moves.
Speaking of which, although they cannot provide too many details, FireEye reported in April that they have been called in to investigate an additional attack by the same group—again at a critical infrastructure facility. They did say that the specific Triton malware was not involved, but we don’t know if the attackers “improved” upon that code or if it is something with a different impact altogether. In any case, we assume that FireEye used the TTPs they identified to attribute the new attacks to the same group. Often TTPs can be used for attributions, much as the modus operandi of a serial burglar, killer or other criminal can help link crimes or identify suspects.
Protect yourself through visibility
Cyber security is a constant cat and mouse game between the good guys and the bad guys, but fortunately, it is quite possible to stay ahead of almost any exploit—and not rely on luck, malware flaws or whatever it was that ended up saving the Saudi plant. The first step is to gain visibility into your system, be instantly alerted to any change on the network, and investigate every change immediately. This matters more than ever now that the stakes appear to be higher than money—it is actual human lives that could be at risk.
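The "visibility plus alerting on change" advice above is the core of integrity and configuration monitoring. The following script is an added illustration written for this article, not code from the original post or from Tripwire: it takes a baseline snapshot of an inventory (host names, addresses, exposed ports and a SHA-256 fingerprint of each device's exported configuration), compares a later snapshot against it, and emits one event per difference. Every host name, address, port and configuration blob is constructed sample data, and the `Asset`, `snapshot`, `diff_snapshots` and `detect_changes` names are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample inventory: three known assets on an imaginary plant network.
# In practice these records would come from an asset-discovery or config-export tool.
BASELINE_DEVICES = {
    "eng-ws-01":    {"ip": "10.10.1.10", "ports": [3389],      "config": b"eng-ws build 4.2\n"},
    "sis-ctrl-01":  {"ip": "10.10.2.20", "ports": [1502],      "config": b"program_rev=17\n"},
    "historian-01": {"ip": "10.10.1.30", "ports": [443, 1433], "config": b"historian v9\n"},
}

# Constructed "later" inventory: the safety controller now exposes an extra
# service and its configuration export differs, and an unknown host has appeared.
CURRENT_DEVICES = {
    "eng-ws-01":    {"ip": "10.10.1.10", "ports": [3389],       "config": b"eng-ws build 4.2\n"},
    "sis-ctrl-01":  {"ip": "10.10.2.20", "ports": [1502, 8080], "config": b"program_rev=18\n"},
    "historian-01": {"ip": "10.10.1.30", "ports": [443, 1433],  "config": b"historian v9\n"},
    "unknown-01":   {"ip": "10.10.2.99", "ports": [445],        "config": b""},
}


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    ports: FrozenSet[int]
    config_hash: str  # SHA-256 of the device's exported configuration


def config_fingerprint(config: bytes) -> str:
    """Hash an exported configuration so later exports can be compared cheaply."""
    return hashlib.sha256(config).hexdigest()


def snapshot(devices: Dict[str, dict]) -> Dict[str, Asset]:
    """Turn raw inventory records into a comparable snapshot keyed by host name."""
    return {
        host: Asset(host, rec["ip"], frozenset(rec["ports"]), config_fingerprint(rec["config"]))
        for host, rec in devices.items()
    }


def diff_snapshots(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> List[dict]:
    """Return one event dict per difference between two snapshots, in a stable order."""
    events: List[dict] = []
    for host in sorted(set(baseline) - set(current)):
        events.append({"event": "host_removed", "host": host, "ip": baseline[host].ip})
    for host in sorted(set(current) - set(baseline)):
        asset = current[host]
        events.append({"event": "host_added", "host": host, "ip": asset.ip,
                       "ports": sorted(asset.ports)})
    for host in sorted(set(baseline) & set(current)):
        before, after = baseline[host], current[host]
        if before.ip != after.ip:
            events.append({"event": "ip_changed", "host": host,
                           "old": before.ip, "new": after.ip})
        opened = after.ports - before.ports
        closed = before.ports - after.ports
        if opened:
            events.append({"event": "ports_opened", "host": host, "ports": sorted(opened)})
        if closed:
            events.append({"event": "ports_closed", "host": host, "ports": sorted(closed)})
        if before.config_hash != after.config_hash:
            events.append({"event": "config_changed", "host": host,
                           "old": before.config_hash[:12], "new": after.config_hash[:12]})
    return events


def detect_changes() -> List[dict]:
    """Compare the constructed current inventory against the constructed baseline."""
    return diff_snapshots(snapshot(BASELINE_DEVICES), snapshot(CURRENT_DEVICES))


if __name__ == "__main__":
    for event in detect_changes():
        print(event)
```

Run against the sample data, the script reports the new host, the newly exposed port on the safety controller and its changed configuration, while the unchanged workstation and historian produce nothing. The point of hashing the configuration rather than storing it whole is that the baseline can be kept small and compared on every poll; what an investigator then needs is the full export on both sides of the change, which an integrity-monitoring product would retain.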
Zane Blomgren is a Senior Security Engineer at Tripwire. During his 15-year tenure at Tripwire, he has served a number of roles including Pre-sales Engineer and Post-sales Professional Services Consultant. With over 20 years’ cyber security experience, Zane has been called on to help build foundational security controls and assist after cyberattacks have started, at companies around the globe. Zane marries his passion for security and his interest in collaborating with and learning from a wide variety of customers to apply best practices in even the most challenging of situations to create more reliable, secure systems for organizations in sectors including Energy, Transportation, Manufacturing and many others.