Security researchers have revealed that malicious software recently infected the industrial control systems of a company in the Middle East as part of a likely state-sponsored cyberattack targeting critical infrastructure components.
Mandiant, a division of cybersecurity firm FireEye, said its researchers recently responded to an incident in which an unknown attacker successfully deployed malware designed to manipulate industrial safety systems, effectively giving its perpetrators the power to potentially cause “physical consequences.”
“The targeted systems provided emergency shutdown capability for industrial processes,” Mandiant said Thursday. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations.”
The malware specifically targeted Triconex Safety Instrumented System (SIS) controllers sold by Schneider Electric, a French corporation that boasts operations in over 100 countries.
“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system,” Schneider warned clients this week. “We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack.
“While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” Schneider said in a statement.
Dubbed “Triton” by Mandiant, the malware is capable of prompting industrial control systems to abruptly shut down, according to the security researchers.
Dragos Inc., a competing security firm, discovered the same malware targeting the safety controls of a company in the Middle East about a month ago and has been monitoring it ever since, Dragos founder Rob Lee told Wired.
“If the safety system goes down, all other systems grind to a halt,” said Mr. Lee.
Depending on the systems affected, the consequences could be catastrophic, Wired reported.
“Everything could still appear to be working, but you’re now operating without that safety net,” Mr. Lee told the magazine. “You could have explosions, oil spills, manufacturing equipment rip apart and kill people, gas leaks that kill people. It depends on what the industrial process is doing, but you could absolutely have dozens of deaths.”
Researchers were quick to compare Triton to Stuxnet, a computer worm widely attributed to U.S. and Israeli intelligence and credited with disrupting Iran’s nuclear program by sabotaging its centrifuges.
Neither of the cybersecurity firms identified the threat actor responsible for Triton, but Mandiant said “the activity is consistent with a nation state preparing for an attack.”
“The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” Mandiant said. “The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S. and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”
• Andrew Blake can be reached at ablake@washingtontimes.com.