Posted on April 10, 2019 at 2:24 PM
A malicious malware that was previously used to try to blow up a Saudi petrochemical plant has been used in another, unnamed facility that was equally compromised.
Researchers from the cybersecurity outfit FireEye have found another critical facility that has been under attack from the Russian linked Triton malware. This unnamed facility has also been found to be compromised with Triton. Triton is an umbrella term for a number of malicious comments that are used in concert to launch directed attacks against compromised equipment.
The malware burrows into the network of a specific target and is then used to sabotage control systems for industrial use. The malware has most often been used in critical power operations such as power plants and petrochemical factories, where the disruptions can be fatal. Compromising controls of such a facility can lead to untold disruption in the local populace, and in extreme circumstances, it can lead to near total destruction.
FireEye details attack timeline
FireEye, which has been nominated for a number of awards in recent years due to their work on cybersecurity, has published its latest findings on the attack on Wednesday. According to the company, the hackers had waited a year before they finally unleashed the malware on the facility. While they were in the system for a year, they used the time to learn about the network of the unnamed facility and the best way to pivot from one system to another.
The goal of the hackers was to infiltrate the facility’s instrument safety sub-system as quietly as possible. This sub-system monitors physical systems so that they do not operate outside their normal scope. It is a measure of how important these systems are that they are segmented away from everything else to lessen the opportunity of a cyber attack.
That didn’t stop the hackers from finding their way into the critical system, then focusing their attention on deploying Triton’s payloads. The key to this attack is to not overload the systems too much, which would trigger an automatic fail-state.
FireEye explains Triton strategic use
The attack that happened to the Saudi petrochemical plant happened in August of 2017 and would have been successful if it weren’t for a bug in the code. The entire facility’s future hung on a simple coding error. This is how thin the margins are in the security world.
The company says that these types of attacks are normally carried out by nation-states. These are contingency plans that are not, in most cases, concerned with a direct and immediate attack. The unnamed facility that FireEye mentioned was no exception to this. However, they would not say when the attack took place at the specific type of facility. They do, however, say that the time spent probing ensure that years of hard work do not go to waste.
The assessment of FireEye is that the attackers were aiming to build capacity for an eventual physical impact at the facility. This caused a shutdown in one of the processes that led to security companies getting called into asses if there was any danger. This was all with regards to the first attack, as they are under an NDA regarding the newest attack. They have however published hash lists for IT staff at similar facilities to check if their systems are compromised. The hash lists are unique to files found in the attack they have uncovered.
FireEye on Triton and the Russians
FireEye has published a white paper where it details the origins of Triton and provides proof of their allegation that Russian intelligence services were responsible for building it.