'Triton' Malware Attacks Industrial Safety Systems

Triton malware corrupts Triconex SIS systems

Triton Takes Aim at ICS in the Middle East

"We assess with moderate confidence that the attacker's long-term objective was to develop the capability to cause a physical outcome", the FireEye researchers said.

Security firm Symantec told The Guardian: "While there have been a small number of previous cases of malware created to attack industrial control systems (ICS), Triton is the first to attack safety instrumented system devices". FireEye said the Triton framework tool was built with "the ability to read and write programs, read and write individual functions and query the state of the SIS controller", and targeted systems that "provided emergency shutdown capability for industrial processes". However, the researchers said the aim of the malicious actors went beyond simply shutting down systems.

In Schneider Electric's case, hackers were able to compromise an SIS workstation.

TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.

The attacker, according to FireEye, was probably not a cybercrime group, because targeting the company's industrial control safety systems suggested a darker goal: causing a high-impact attack with physical consequences. The researchers say that they haven't attributed the hack to a particular attacker, but they do say it bore hallmarks of threats from a nation-state. "We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations".

In announcing the discovery, FireEye invoked the names of potent industrial control malware that has caused havoc in the past.

They also likely performed advanced reconnaissance on their victim, which FireEye hasn't identified, because they knew it was using Triconex SIS controllers. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail.

The first clue is that the attackers did not deploy TRITON right away after gaining access to an SIS engineering workstation with access to SIS controllers. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.

"Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency", the FireEye team said, hinting that this could have also been a live field test for a more sinister attack. "Never leave the front panel key position in the 'Program' mode when not actively configuring the controller", Schneider Electric wrote in an advisory.

Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.

Monitor ICS network traffic for unexpected communication flows and other anomalous activity.
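The three recommendations above (no dual-homed engineering workstations, a unidirectional gateway for consumers of SIS data, and monitoring for unexpected flows) can be turned into a simple allowlist check over network flow records. The following is an added example, not code from the article, FireEye or Schneider Electric; the subnets, host addresses and flow records are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str


# Assumed network model (constructed for this example).
SIS_NET = ipaddress.ip_network("10.10.30.0/24")       # SIS controllers
ENG_WS = ipaddress.ip_address("10.10.31.5")           # SIS engineering workstation
GATEWAY = ipaddress.ip_address("10.10.32.1")          # unidirectional gateway (receive side)
OTHER_NETS = [ipaddress.ip_network("10.10.20.0/24"),  # DCS / process control network
              ipaddress.ip_network("10.0.0.0/16")]    # information systems network


def in_other_nets(ip):
    return any(ip in net for net in OTHER_NETS)


def review_flows(flows):
    """Return (flow, reason) pairs for flows that break the expected segmentation."""
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if dst in SIS_NET and src != ENG_WS and src not in SIS_NET:
            findings.append((f, "host other than the engineering workstation reaching an SIS controller"))
        elif src == ENG_WS and dst not in SIS_NET:
            findings.append((f, "engineering workstation talking to another network (dual-homed?)"))
        elif dst == ENG_WS and in_other_nets(src):
            findings.append((f, "inbound connection to the engineering workstation from another network"))
        elif src in SIS_NET and dst not in SIS_NET and dst != GATEWAY:
            findings.append((f, "SIS data leaving the segment other than via the unidirectional gateway"))
    return findings


SAMPLE_FLOWS = [  # constructed sample flow records
    Flow("10.10.31.5", "10.10.30.10"),   # engineering workstation -> controller: expected
    Flow("10.10.20.7", "10.10.30.10"),   # DCS host -> controller: unexpected
    Flow("10.10.31.5", "10.0.5.20"),     # engineering workstation -> corporate: unexpected
    Flow("10.10.30.10", "10.10.32.1"),   # controller -> gateway: expected
    Flow("10.10.30.10", "10.10.20.7"),   # controller -> DCS directly: unexpected
    Flow("10.0.5.20", "10.10.31.5"),     # corporate -> engineering workstation: unexpected
]

if __name__ == "__main__":
    for flow, reason in review_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {reason}")
```

In a real environment the flow records would come from a network tap or flow collector on the ICS segment; the check only reports flows that contradict the documented design, so the model has to match what the plant actually runs.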