FireEye is not giving much information about which specific industrial target was shut down by the newly designated Triton Trojan. We only know that it was an industry that was a part of the country’s “critical infrastructure”. They are, however, quite certain that some nation is behind this attack.
Triton is an especially dangerous form of malware. It is among the few that are designed to attack industrial control systems (ICS), which puts it in the same class as the infamous Stuxnet. Triton specifically alters commands within an industry’s emergency shut down systems, known as safety instrumented systems (SIS). The particular SIS controllers targeted were produced by a company called, Triconex, a subsidiary of Schneider Electric.
This malware is especially insidious because it has the potential to kill people. Stuxnet simply wanted to destroy machinery, but when you begin to manipulate safety systems, you open the door for serious accidents to happen. Imagine if you could override the warnings of a pressure gauge and allow the resulting explosion to occur without a warning. As FireEye noted in its report, the attacker had “interest in causing a high-impact attack with physical consequences.”
Triconex makes SIS controllers primarily for the oil and gas industry, however, they also work with turbomachinery for the power industry. This means that the attackers could potentially alter the safety parameters for the turbines and make them malfunction, thereby bringing down parts of the power grid, with all the problems that would entail. In other words, the attacker wanted to do serious harm, not only to a particular industry, but to a particular country.
There are only a few countries that possess such sophisticated malware. They are the U.S., Israel, Russia, Iran, and North Korea. Though FireEye does not want to mention the attacker, I believe there are strong indications as to which of these countries is behind the attack. First of all, because of Triconex’s strong relations with oil and gas industries, we can assume that the industry victimized was located in an oil producing country. It would also have to be a state with committed enemies. Although there are numerous conflicts among nations in the Middle East, none is more intense than the conflict between Iran and Saudi Arabia, who are currently engaged in a proxy war in Yemen.
Israel has recently improved relations with Saudi Arabia so they can be discounted as the attackers. Russia could benefit from undermining the Saudi oil industry, so they cannot be completely eliminated. In addition, they have deployed such ICS malware against the Ukrainian power grid. That said, only Iran is likely to risk such a potentially deadly attack. Add to this the fact that FireEye has connections to Saudi industries and the picture becomes more focused.
Apparently, the attacker really did want to cause noticeable physical damage. FireEye reports that the attacker somehow gained remote control of a workstation and from this position, could have simply shut down the plant. They did not. They persisted in trying to ramp up their attacks when they were repeatedly stopped from doing so. Eventually, the safety systems detected that something was wrong and closed down the entire plant, even though this wasn’t the extreme result the attackers were looking for.
Dragos, a security firm that specializes in ICS attacks, had, prior to FireEye’s report, already uncovered the attack in November. The company claims it withheld information on the malware, which it named, Trisis, for a number of reasons, least of which was to give the victim, or potential victims, time to deal with the attack before it was sensationalized by the media. It should also be noted that attackers can learn to improve their attack strategies by reading reports analyzing their malware. In addition, other nation-states could use the information to help build their own malware.
However, Dragos points out that attacks, such as the one reported on, must be highly targeted as each enterprise has its own safety standards. They note that,
“The amount of knowledge required specific to the SIS and process installation targeted is significant, and likely not possible to obtain through purely network espionage means. If even possible, the amount of time, effort, and resources required to: obtain necessary environment information; develop and design software tailored to the target environment; and finally, to maintain access and avoid detection throughout these steps all require a lengthy, highly skilled intrusion.”
This almost seems to imply that such attacks require a well-placed insider or a hack into Triconex itself. Actually, Triconex’s parent company, Schneider Electric, reported a flaw back in October, 2016 that could allow hackers to take over workstations. Did the hackers know this before the company did? There is really no way to tell. All we can do is wait and see if this attack is only the beginning of an all out cyber operation. We will also have to see if other Middle East countries get involved and this becomes even more of a cyber battlefield than it already is.