Attackers disrupt plant operations with ICS-tailored malware

Security researchers from FireEye and Dragos have analyzed and detailed a new piece of malware targeting industrial control systems (ICS).

Dubbed “TRITON” and “TRISIS” by the two groups of researchers, the malware was discovered after it was deployed against a victim in the Middle East, where it inadvertently led to an automatic shutdown of the industrial process.


About the malware

The malware has been specifically designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) – an autonomous control system that independently monitors the status of the process under control.

“If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS (Distributed Control System) controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations,” FireEye researchers explained.

The malware is meant to reprogram the SIS controllers with an attacker-defined payload. In this particular case, some of those controllers entered a failed safe state, which led to the shutdown of the industrial process.

“The malware is not capable of scalable and long-term disruptions or destruction nor should there be any hype about the ability to leverage this malware all around the community,” Dragos researchers noted.

“Attacks on an industrial process that are as specific in nature as TRISIS are considerably difficult to repurpose against other sites, although the tradecraft does reveal a blueprint to adversaries to replicate the effort. However, because SIS are specifically designed and deployed to ensure the safety of the process, environment, and human life, an assault on one of these systems is bold and unsettling. While fear and hype are not appropriate in this situation, this is absolutely an escalation in the types of attacks we see against ICS and should not be taken lightly.”

Who’s behind the attack?

While Dragos researchers did not want to speculate on who was behind this attack, FireEye has said that the targeting of critical infrastructure, the attacker’s persistence, the lack of any clear monetary goal, and the technical resources necessary to create the attack framework all suggest a well-resourced nation-state actor.

“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups,” they noted.

“The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting the adversary independently reverse engineered this protocol.”
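The two observations above that matter most to a defender are that the malware reprogrammed the safety controllers and that it did so over the engineering protocol the SIS expects to see only from legitimate engineering workstations. The following added example (not code from FireEye, Dragos, or Schneider Electric) shows the kind of monitoring rule that follows from that: it reads constructed flow records, flags engineering-protocol sessions to safety controllers that originate from a host outside an approved workstation allowlist, and separately flags any logic-change operation that happens outside a declared maintenance window. The addresses, the `tristation` protocol label, the operation names, and the log format are all assumptions constructed for the example; they are not TriStation message names or values taken from the report.

```python
"""Flag engineering-protocol traffic to safety controllers from unapproved
hosts, and logic changes outside an approved maintenance window.

Added example for this article; not tooling from the researchers or vendor
it describes. Log format, addresses, protocol label and operation names are
constructed placeholders."""

from dataclasses import dataclass
from datetime import datetime, time

# Constructed asset inventory (hypothetical addresses).
SIS_CONTROLLERS = {"10.10.20.11", "10.10.20.12"}
ENGINEERING_WORKSTATIONS = {"10.10.10.5"}

# Constructed protocol label that the (assumed) flow collector attaches to
# engineering traffic bound for the safety controllers.
ENGINEERING_PROTOCOL = "tristation"

# Operations that alter controller logic. These labels are constructed for
# the example; they are not protocol message names.
LOGIC_CHANGE_OPS = {"program_download", "program_modify"}

# Approved maintenance window (local time) in which logic changes are expected.
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Parse one constructed record: 'timestamp,src,dst,protocol,operation'."""
    ts, src, dst, proto, op = line.strip().split(",")
    return ts, src, dst, proto, op


def in_window(ts):
    """True if the ISO-8601 timestamp falls inside the maintenance window."""
    t = datetime.fromisoformat(ts).time()
    start, end = MAINTENANCE_WINDOW
    return start <= t < end


def detect(lines):
    """Run both rules over an iterable of flow records; return Alerts in order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, op = parse_flow(line)
        # Only engineering-protocol traffic to a safety controller is in scope.
        if dst not in SIS_CONTROLLERS or proto != ENGINEERING_PROTOCOL:
            continue
        if src not in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(ts, src, dst, "engineering protocol from unapproved host"))
        if op in LOGIC_CHANGE_OPS and not in_window(ts):
            alerts.append(Alert(ts, src, dst, f"{op} outside maintenance window"))
    return alerts


# Constructed sample flows: an approved workstation working inside and then
# outside the window, followed by an unknown host talking to a controller.
SAMPLE_FLOWS = """
2017-12-01T03:10:00,10.10.10.5,10.10.20.11,tristation,read_status
2017-12-01T03:12:00,10.10.10.5,10.10.20.11,tristation,program_download
2017-12-01T09:30:00,10.10.10.5,10.10.20.12,tristation,program_download
2017-12-01T11:45:00,10.10.30.77,10.10.20.11,tristation,read_status
2017-12-01T11:47:00,10.10.30.77,10.10.20.11,tristation,program_download
2017-12-01T11:48:00,10.10.30.77,10.10.20.11,modbus,read_registers
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

On the sample data the approved workstation's in-window download is silent, its 09:30 download raises one alert, and the unknown host raises three (one for each engineering session, plus one for the off-hours download); the final Modbus record is outside the scope of these two rules. In a real deployment the allowlist and window would come from the site's change-management records rather than constants in the script.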
