TRITON malware ‘will likely continue’ threatening ICS systems, global critical infrastructure sector

The Federal Bureau of Investigation (FBI) alerted the ICS community of ‘continued activity’ by the group responsible for the deployment of TRITON malware. The agency warned that critical infrastructure asset owners and operators should be mindful of the risks posed to safety instrumented systems (SIS), regardless of vendor, ‘as these safety systems will likely continue to be targeted by sophisticated cyber actors.’ 

The agency’s disclosure that Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) hackers were able to gain access to and manipulate a Middle East–based petrochemical plant’s SIS in 2017 shows that cybercriminals are able, and willing, to cause disruptions that affect the industrial environment. The SIS is typically made up of sensors, logic solvers, and final control elements to take a process to a safe state when predetermined conditions are violated. The key function of SIS is to monitor the process for potentially dangerous conditions and process demands, and take action when needed to protect the process.
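To make the SIS description above concrete, here is an added example (not code from the article, the FBI notification, or any vendor): a toy model of one safety instrumented function in which three redundant sensors feed a logic solver, the solver votes 2-out-of-3 on a predetermined high-pressure trip limit, and on a trip the final control elements are driven to their safe positions and latched until an operator reset. The names `SafetyFunction`, the 2oo3 layout, the trip limit and the valve set are all assumptions chosen for illustration; a controller self-diagnostic failure is also treated as a reason to fail safe, mirroring the fact that a controller that cannot trust itself should not keep running blind.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

# Constructed teaching model of a safety instrumented function (SIF).
# Sensors -> logic solver (voting) -> final control elements (valves).
# This is not TRITON and not any vendor's controller firmware.


class Valve(Enum):
    OPEN = "open"
    CLOSED = "closed"


@dataclass
class SafetyFunction:
    tag: str
    high_trip: float        # predetermined condition: trip above this value
    sensor_count: int = 3   # assumed 2oo3 redundant transmitters
    # final elements and their safe (de-energised) positions, assumed here
    safe_state: Dict[str, Valve] = field(default_factory=lambda: {
        "feed_valve": Valve.CLOSED,   # stop feeding the reactor
        "vent_valve": Valve.OPEN,     # relieve pressure
    })
    tripped: bool = False
    trip_reason: str = ""

    def vote(self, readings: List[float]) -> bool:
        """2-out-of-3 voting: trip only if at least two sensors exceed the limit.
        One failed or drifting transmitter alone does not shut the plant down."""
        if len(readings) != self.sensor_count:
            raise ValueError("expected %d readings" % self.sensor_count)
        votes = sum(1 for r in readings if r > self.high_trip)
        return votes >= 2

    def scan(self, readings: List[float], diag_ok: bool = True) -> Dict[str, Valve]:
        """One logic-solver scan; returns final-element positions after the scan."""
        if self.tripped:
            return dict(self.safe_state)          # latched until a manual reset
        if not diag_ok:
            # Controller self-diagnostic failed: fail safe rather than run blind.
            self.tripped, self.trip_reason = True, "controller diagnostic fault"
            return dict(self.safe_state)
        if self.vote(readings):
            self.tripped, self.trip_reason = True, "high %s (2oo3)" % self.tag
            return dict(self.safe_state)
        # Normal operation: the process keeps running.
        return {"feed_valve": Valve.OPEN, "vent_valve": Valve.CLOSED}

    def reset(self) -> None:
        """Manual reset by an operator once the hazard has cleared."""
        self.tripped, self.trip_reason = False, ""


def run_scenario(sif: SafetyFunction, scans: List[Tuple[List[float], bool]]) -> List[str]:
    """Feed a sequence of (readings, diag_ok) scans and return a log of outcomes."""
    log = []
    for readings, diag_ok in scans:
        state = sif.scan(readings, diag_ok)
        log.append("%s tripped=%s reason=%r feed=%s vent=%s" % (
            readings, sif.tripped, sif.trip_reason,
            state["feed_valve"].value, state["vent_valve"].value))
    return log


if __name__ == "__main__":
    sif = SafetyFunction(tag="reactor pressure (bar)", high_trip=12.0)
    for line in run_scenario(sif, [
        ([10.1, 10.0, 10.2], True),   # normal
        ([13.0, 10.1, 10.0], True),   # one transmitter high: no trip (1oo3)
        ([13.0, 12.5, 10.0], True),   # two high: trip to safe state
        ([10.0, 10.0, 10.0], True),   # readings normal again, but still latched
    ]):
        print(line)
```

The latch is the point worth noticing: once a trip has happened, normal readings do not bring the process back on their own, which is why the investigation described later in the article started from a shutdown rather than from a quiet recovery.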

“The group responsible for the deployment of TRITON malware against the Middle East-based petrochemical plant’s safety instrumented system in 2017, the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), continues to conduct activity targeting the global energy sector,” the FBI said in a private industry notification. 

The federal agency says the group ‘continues to conduct activity targeting the global energy sector.’ It added that the TRITON attack marks a notable shift in industrial control system (ICS) targeting: it was the first attack designed to allow physical damage, environmental impact, and loss of life in the event of a plant running in an unsafe condition. 

The FBI notification follows last week’s unsealing of two US indictments against three Russian Federal Security Service (FSB) officers and a Russian TsNIIKhM employee for cyber operations against the global energy sector. 

“The US Government has publicly attributed TRITON malware to TsNIIKhM, a Russian government-controlled research institution that supports the Russian armed forces with advanced research, weapons, and cyber capabilities,” the FBI said. 

TRITON malware was designed to target a specific SIS controller model running a small range of specific firmware versions, used in critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The malware is designed to cause physical safety systems to cease operating or to operate in an unsafe manner. Its potential impact could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016. 

Detailing the 2017 attack, “the actor gained initial access and then moved laterally through the information technology (IT) and operational technology (OT) networks onto the safety system and installed TRITON malware,” the FBI said. “This provided the actor access to and control of Schneider Electric’s Triconex devices used in the facility’s ICS safety system. The facility automatically entered a safe state after several of the Triconex ICS safety controllers detected an anomaly caused by software bugs in the TRITON malware,” it added. 
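The lateral movement the FBI describes, from the IT network through the OT network onto the safety system, is exactly the path a segmentation monitor should make visible. The following is an added example written for this article, not code from the FBI, the plant, or any vendor: a small detector that reads constructed flow-log lines and raises an alert whenever a host outside a single approved engineering workstation reaches the safety-system subnet, with a distinct reason when the source is a corporate IT address. The subnet ranges, the approved workstation address, the port numbers and the log format are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed example. Assumed site layout: the safety system has its own subnet
# and only one approved engineering workstation (EWS) should ever reach it.
SAFETY_SUBNET = ipaddress.ip_network("10.20.30.0/24")          # assumed SIS segment
IT_SUBNET = ipaddress.ip_network("10.1.0.0/16")                # assumed corporate IT
APPROVED_ENGINEERING = {ipaddress.ip_address("10.20.10.5")}    # assumed SIS EWS


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.upper())


def classify(flow: Flow) -> str:
    """Return '' for expected traffic, otherwise a reason string for an alert."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in SAFETY_SUBNET:
        return ""                      # not safety traffic; out of scope here
    if src in IT_SUBNET:
        return "IT host reached safety segment (IT/OT boundary crossed)"
    if src not in APPROVED_ENGINEERING:
        return "unapproved OT host reached safety segment"
    return ""                          # approved EWS talking to the SIS


def detect(lines: Iterable[str]) -> List[str]:
    """Run every flow line through classify() and collect alert strings."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append("%s %s -> %s:%d/%s: %s" % (
                flow.ts, flow.src, flow.dst, flow.dport, flow.proto, reason))
    return alerts


# Constructed sample log: approved EWS, an IT host, an OT HMI, and DCS traffic.
SAMPLE_LOG = [
    "2017-08-04T01:02:03Z 10.20.10.5  10.20.30.11 1502 udp",   # approved EWS -> SIS
    "2017-08-04T01:05:10Z 10.1.44.7   10.20.30.11 1502 udp",   # IT host -> SIS: alert
    "2017-08-04T01:06:42Z 10.20.10.50 10.20.30.12 1502 udp",   # OT HMI -> SIS: alert
    "2017-08-04T01:07:00Z 10.20.10.50 10.20.20.3  502  tcp",   # OT HMI -> DCS: fine
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector deliberately alerts on the OT-side HMI as well as on the IT host: an SIS engineering connection from anything but the approved workstation is unexpected whether or not the IT/OT boundary was crossed, and that is the class of traffic a reviewer of the 2017 incident would want logged.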

The subsequent investigation of the shutdown revealed the attacker’s presence and the malware itself, the FBI said. The facility’s automatic shutdown and detection of malware prevented the cyberattack from reaching its full capabilities. TRITON malware’s design gave the attackers complete remote control of the SIS, providing them the capability to cause significant physical damage and loss of life if the plant were to enter an unsafe state, according to investigations and analysis that followed the event, it added. 

After the August 2017 cyberattack, the hackers again obtained unauthorized access to a file server to collect information on how the facility responded to the incident, the FBI said. Russian hackers have previously conspired to deploy malware and take other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers and ICS, it added. 

“These cyberattacks used some of the world’s most destructive malware to date, including KillDisk and Industroyer, which each caused blackouts in Ukraine in 2015 and 2016, respectively,” the federal agency said. “Russian cyber actors have also deployed non-disruptive malware, such as Havex, which enables the actors to return to compromised and otherwise vulnerable ICS devices for future espionage purposes,” it added.

In addition to the advisories issued by the U.S. security agencies, the Cyber Security Agency of Singapore (CSA) said in an advisory that it “has received information of an ongoing campaign by threat actors targeting Industrial Control Systems (ICS) systems. This is the same campaign as reported by the United States Federal Bureau of Investigation (FBI).” 

The agency added that the “threat actors would typically target the Safety Instrumented Systems (SIS) of an industrial process, which is used to initiate safe shutdown procedures in the event of an emergency. In the case whereby the SIS fails to initiate its shutdown procedures, potential consequences include damage to a facility, system downtime or even loss of life.”

“What’s clear is that the unsealed indictments indicate the Russians have been relentlessly active in conducting operations against the energy sector worldwide, even during relatively peaceful periods of time,” Grant Geyer, chief product officer of Claroty, wrote in a blog post. “With the war in Ukraine and economic sanctions taking effect against Russian interests, the government’s alarm bells about cyber-related retaliation are not hyperbolic,” he added.

Cybersecurity now transcends the IT/OT divide, Ignacio Paredes, Accenture’s managing director for technology, cybersecurity energy lead in the Middle East, wrote in a recent blog post. “This autonomous mindset was fine in the old world of OT, when industrial control systems weren’t connected to the internet or to enterprise IT. But today, OT’s rising connectivity means it’s subject to similar cyber threats to IT. Yet in many cases the approach to cybersecurity governance hasn’t kept pace,” he added.
