Skip to main content
  1. Home
  2. Computing
  3. News

Sophisticated ‘Triton’ malware shuts down industrial plant in hacker attack

By
Cybersecurity experts at FireEye have issued a warning after a recent hacker attack caused “operational disruption to critical infrastructure” at an unnamed industrial plant. The hackers introduced a malware program that FireEye is calling “Triton” into the security system, likely in preparation for a larger attack.

This was not someone in a basement, either. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” they concluded.

Related

The location of the plant or the nature of its operations was not disclosed, although Reuters reports that the security company Dragos said it was a plant in the Middle East, while another firm, CyberX, believed the target was in Saudi Arabia.

A security alert was issued for users of Triconex, a safety program that’s widely used in energy facilities such as nuclear plants and oil refineries. The nature of the breach has raised concerns among cybersecurity analysts. “This is a watershed,” said Sergio Caltagirone of Dragos. “Others will eventually catch up and try to copy this kind of attack.”

Cybersecurity firm Symantec says the Triton program has been around since August, and it targets a specific type of safety instrumental system (SIS) and reprograms them. The malware could cause the SIS to shut down plant operations or, with a sophisticated enough attack, nullify the SIS and allow an unsafe condition to escalate, leading to a widespread industrial accident.

In this particular case, when Triton attempted to reprogram the SIS controllers, some instead entered a safe shutdown mode, which halted plant operations and alerted the operators about the rogue software. FireEye believes the hackers accidentally triggered the shutdown while probing the plant’s security systems.

“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation-state actors,” FireEye said in its report.

The security company noted that the attacker could have easily shut down the plant, but instead continued with repeated attempts to gain control of the SIS. “This suggests the attacker was intent on causing a specific outcome beyond a process shutdown,” they said.

Triton is the third malware program analysts have encountered that’s able to interrupt industrial production. Stuxnet, discovered in 2010, is widely credited with helping to disrupt Iran’s nuclear program. The virus Industroyer was used in 2016 to cause widespread power outages in Ukraine.

Editors’ Recommendations

Topics
Mark Austin
Mark Austin
Former Digital Trends Contributor
Mark’s first encounter with high-tech was a TRS-80. He spent 20 years working for Nintendo and Xbox as a writer and…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more