Security researchers have recently revealed another dangerous piece of malware targeting industrial control systems (ICS). The malicious code, dubbed Triton and also known as Trisis, is designed to cause accidents that put health and lives at risk. This rare type of malware has appeared in the Middle East and appears to be able to disable the industrial safety systems that are used to protect human lives.
A report published by researchers from FireEye's Mandiant division states that state-sponsored attackers used the malware to cause physical damage to an organization, but it does not name the organization or the hacking group.
What is the purpose?
The ICS malware is designed to take down Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric. An SIS is an independent control system that monitors the performance of critical systems and can automatically take instantaneous action if it senses a hazard.
Triton communicates with the controllers using the proprietary TriStation protocol, the protocol spoken by the engineering and maintenance tool for Triconex SIS products. The protocol is not publicly documented, so it appears that the attackers reverse engineered it while building the malware.
“The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers,” FireEye researchers said.
How does it get installed?
The attackers disguise the malicious code as the legitimate Triconex Trilog application, which allows Trisis to be installed on an SIS engineering workstation running the Windows operating system.
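The masquerading step above is the kind of thing a defender can look for on the engineering workstation itself. The following is an added example, not code from the article or from FireEye: it runs a simple detection over constructed process-creation events and flags any process carrying the Trilog name that runs from outside the expected vendor directory or is unsigned. The executable name `trilog.exe`, the install directory, and the event format are all assumptions made for the example.

```python
import re

# Assumed install location of the legitimate Trilog tool (placeholder, not from the report).
EXPECTED_TRILOG_DIR = r"C:\Program Files\Triconex"

# Constructed sample events, shaped like a minimal EDR process-creation export.
# None of these are real telemetry.
SAMPLE_EVENTS = [
    {"host": "SIS-EWS-01", "image": r"C:\Program Files\Triconex\TriStation\trilog.exe", "signed": True},
    {"host": "SIS-EWS-01", "image": r"C:\Users\operator\AppData\Local\Temp\trilog.exe", "signed": False},
    {"host": "SIS-EWS-02", "image": r"C:\Windows\System32\notepad.exe", "signed": True},
    {"host": "SIS-EWS-02", "image": r"D:\tools\TriLog.exe", "signed": True},
]


def is_trilog_name(image):
    """True if the image path ends in the (assumed) Trilog executable name, case-insensitively."""
    return re.search(r"[\\/]trilog\.exe$", image, re.IGNORECASE) is not None


def flag_trilog_masquerade(events, expected_dir=EXPECTED_TRILOG_DIR):
    """Return (host, image, reasons) for every Trilog-named process that looks suspicious.

    A process is reported when it runs from outside expected_dir or lacks a
    valid code signature; a legitimate install matches neither condition.
    """
    findings = []
    prefix = expected_dir.lower().rstrip("\\") + "\\"
    for ev in events:
        if not is_trilog_name(ev["image"]):
            continue
        reasons = []
        if not ev["image"].lower().startswith(prefix):
            reasons.append("unexpected path")
        if not ev.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            findings.append((ev["host"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for host, image, reasons in flag_trilog_masquerade(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(reasons)}")
```

In practice the same check belongs in the EDR or SIEM rule set for every SIS engineering workstation, since that host is where the article says the framework was deployed.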
Is it Dangerous?
Researchers who analyzed the latest version of the TRITON malware found that it has many features: it can read and write programs and individual functions, and it can query the state of the SIS controller.
“During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation,” the researchers said.
What does an attacker gain from TRITON?
TRITON lets an attacker reprogram the SIS logic so that it shuts down a process that is actually running in a safe state. Such a setting causes no physical damage, but the organization will certainly face financial losses from the process downtime.
Beyond this, the attackers can reprogram the SIS logic to cause severe, life-threatening damage, either by allowing unsafe conditions to persist or by deliberately driving the process into an unsafe state first.
“The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available.”
Researchers are certain that Triton is developing into a severe threat to critical infrastructure, like Stuxnet, IronGate, and Industroyer, because it has the capability to cause physical damage or shut down operations.