On Thursday, FireEye Inc. (NASDAQ: FEYE) subsidiary Mandiant reported that it had responded to a malware attack designed to manipulate industrial safety systems. This may not sound like a big deal, but it most assuredly is because the attack is very likely to have been launched by a nation state out to damage another country’s safety mechanisms, causing them to fail.
The most famous attack seeking to manipulate control systems was the 2010 U.S. Stuxnet attack against Iran’s nuclear weapons development systems that destroyed almost a thousand of Iran’s centrifuges used to enrich uranium. Last year, Russia used malware called Industroyer to attack Ukraine’s electricity grid.
The new attack, which Mandiant dubbed “Triton,” is built to attack Triconex Safety Instrumented System (SIS) controllers manufactured by France’s Schneider Electric.
According to Mandiant, the attacker gained remote access to an SIS workstation and deployed Triton to reprogram the controllers. Some of the controllers entered a fail-safe state and automatically shut down the industrial process, prompting the owner to begin an investigation.
Mandiant engineers said they had “moderate confidence” in their conclusion that the attack inadvertently caused the shutdown while seeking to cause physical damage to the systems. They gave the following reasons for that conclusion:
- Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
- TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
- The failure occurred during the time period when TRITON was used.
- It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.
The engineers also cited their reasons for believing — again with “moderate confidence” — that the attack was launched by a “well-resourced nation state actor”:
- The attacker targeted the SIS, suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.
- The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting the adversary independently reverse engineered this protocol.
- The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.
Neither the location of the attack nor its specific target was reported, but Dark Reading cited Symantec and CyberX as suggesting that the target was located in the Middle East and may have been Saudi Arabia.
Mandiant’s full report is available at FireEye.