Security researchers from FireEye and Dragos have discovered a nasty piece of malware targeting industrial control systems (ICS).
The malware (called “TRITON” and “TRISIS”) was discovered after it was used against a victim in the Middle East, and unintentionally led to an automatical shutdown of the industrial process.
TRITON has been specially designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS), which is an autonomous control system that individually monitors the status of the process under control.
FireEye researchers said:
“If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS (Distributed Control System) controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations,”
The TRITON malware is intended to reprogram the SIS controllers by an attacker-defined payload. Some of those controllers joined a broken safe state, which directs to the shutdown of the industrial process.
While Dragos researchers did not want to think on who was behind this crime, FireEye has said that the targeting of critical infrastructure as well as the attacker’s insistence, lack of any clear financial intent and the technical supplies important to create the attack framework suggest a well-resourced nation-state actor.