A recent digital attack on the control systems of an industrial plant has renewed concerns about the threat hacking poses to critical infrastructure. And while security researchers offered some analysis last month of the malware used in the attack, called Triton or Trisis, newly revealed details of how it works expose just how vulnerable industrial plants—and their failsafe mechanisms—could be to manipulation.
At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.
The Schneider researchers shared two crucial pieces of information about what came next in the intrusion, though: The attack on the Schneider customer in part exploited a previously unknown, or zero day, vulnerability in Schneider’s Triconex Tricon safety system firmware. And the hackers deployed a remote access trojan in the second stage of their exploitation, a first for malware that targets industrial control systems.
The researchers say that the malware targets the Triconex firmware vulnerability, manipulates the system to steadily increase its ability to make changes and issue commands, and then deposits the RAT, which awaits further remote instructions from the attackers.
“During our extensive investigation, Schneider Electric identified a vulnerability in the Tricon firmware, which is limited to a small number of older versions of the Tricon,” Schneider said in a customer advisory. “This vulnerability was a part of a complex malware infection scenario … a directed incident affecting a single customer’s Triconex Tricon safety shutdown system.”
In this specific Triton attack, hackers apparently intended to manipulate the layers of built-in emergency shutdown protocols to keep the system running while they bored deeper and gained more control. If malware can defeat a plant’s safety shutdown features, it can then work to sabotage the system in countless ways. In this attack, though, the malware accidentally triggered emergency system shutdowns that gave it away. As a result, the hackers never revealed the actual payload they had planned to deliver, or the true intent of their attack.
Triton performs system analysis and reconnaissance as it works, which could be a payoff for attackers in itself if they’re after victim data or network information. But regardless of the goals of these specific hackers, Triton illustrates just how many ways attackers could go about destabilizing or physically destroying industrial systems. A malfunctioning waste-processing plant could poison the environment, grid hacking can cause blackouts, and a power plant attack could even potentially cause explosions.
Analysts note that though Triton should serve as a vital wakeup call in the industrial control community, its existence shouldn’t come as a surprise. “The position that this is the first instance of targeting [certain] engineering and physical infrastructures is at best an assumption,” says Jeff Bardin, the chief intelligence officer of the threat tracking firm Treadstone 71, which monitors nation state hacking around the world, particularly in the Middle East. “Just because you just now discovered it does not mean this is the first time. Controller software has flaws across the spectrum.”
The researchers say that the attackers had intimate knowledge of both Schneider products and their target industrial plant. While Schneider platforms run on mainstream PowerPC processors, they use proprietary hardware and software. Hackers would have needed to invest time and resources reverse-engineering Schneider code to map the systems and find the vulnerability.
“It is clear to me that the attacker put a significant amount of time and energy into this RAT and this didn’t happen overnight,” says Marty Edwards, former director of the Industrial Control Systems Cyber Emergency Response Team within the Department of Homeland Security. He notes that even though the attackers made mistakes that ultimately exposed them, their level of insight into the system is still problematic. “What the attackers put in their code to try not to fault the controllers was extremely impressive. The fact they got as far as they did is an indicator of an excellent knowledge of the platform.”
Triton is likely the work of sophisticated nation state hackers, though researchers have been wary of attributing it to a particular country at this point. The security company Dragos Inc., which originally released analysis of Triton at the same time as the firm FireEye, reported in December that the attack happened at a plant in the Middle East. Schneider Electric wouldn’t share details about what entity was targeted or where.
In a customer advisory, Schnieder says that the attack exploited the older 10.3 version of the Triconex firmware, and the company is working on patches for all of its “Version 10X” offerings to mitigate Triton attacks. The company will also release tools to detect and eliminate Triton in February. When the patches are ready, Schnieder even says that it will send IT support representatives to its clients to help them correctly install the firmware fixes.
Analysts have largely lauded Schneider’s response and transparency, noting that addressing these types of vulnerabilities takes extensive, multinational cooperation across the security industry. But Triton contains a deeper lesson in the need for more robust security review within all industrial control and embedded device systems. Though malware targeting these platforms has been rare up to this point, it is appearing more and more, and critical infrastructure organizations need to prepare.