Content, Breach, Malware

FireEye: Schneider Triton Attackers Sought Infrastructure Damage Not Data or Money

Late last week, word surfaced that may foreshadow an ominous future: Hackers attacked Schneider Electric’s Triconex Safety Instrumented Systems (SIS), targeting controllers and disrupting industrial safety systems. FireEye, which uncovered the attack, said the suspected state-sponsored cyber gangsters used a new piece of malware called “Triton” aimed at industrial control systems, in this case Schneider’s controllers.

Because the attack lacked the hallmarks of a ransomware extortion, FireEye believes the hacker’s mission was to disrupt an operation. “The targeted systems provided emergency shutdown capability for industrial processes,” the security specialist's threat research team wrote in a blog post. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”

FireEye categorized Triton as limited edition malware, following in the same path as the Stuxnet attack used against Iran in 2010 and Industroyer which the security watchdog believes was deployed by Russian operators, the Sandworm Team, against Ukraine in 2016. “Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence,” FireEye said.

Here are some more details of the attack, per FireEye:

  • The attacker gained remote access to an SIS engineering workstation and deployed the Triton malware to reprogram the SIS controllers.
  • During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation.
  • The attacker inadvertently shutdown operations while developing the ability to cause physical damage. Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
  • The attacker deployed Triton shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available.

FireEye hedged its bet to formally attribute the attack to a state sponsored entity but did suggest that the hacker’s evident resources combined with no apparent demand for financial gain pointed in that direction. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” the researchers wrote.

Here are some more details about the Triton malware, per FireEye:

  • Not all of Triton’s capabilities-- such as the ability to read and write programs and individual functions and query the SIS controller -- were used in the sample FireEye analyzed. That suggests the attacker did not leverage all of Triton’s reconnaissance tools.
  • The Triton sample left some clues into its inner workings: The malware left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, Triton would try to get it running. If that failed, the malware would overwrite the malicious code with bogus data to cover its tracks.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.