IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

TRITON malware threatens industrial machinery with physical damage

The new malware strain is capable of causing industrial IoT machinery to operate unsafely

The discovery of a new strain of malware capable of hacking industrial machinery has raised concerns that it could be used to shut down production lines and inflict physical damage to equipment.

The TRITON malware has been built for the purpose of attacking industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers, according to security researchers at FireEye, and has already been discovered targeting an organisation.

Production line SIS controllers are used to harvest the data generated by Internet of Things (IoT) factory machinery, such as industrial robots, sensors, valves and motors. The controllers act as an automated failsafe for equipment, ensuring that they operate within safe parameters and shutting down production lines if, for example, a machine becomes unstable.

It's thought that the authors of the malware designed it to allow remote access to an SIS, which can then be used to initiate an emergency shutdown on machinery, and were in the process of developing a way of causing physical damage to equipment.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," said the FireEye research team. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message."

"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons."

By infecting the SIS controller, it's believed the malware could reprogramme the parameters, forcing unsafe machinery to continue to operate, potentially causing physical damage to the equipment or even injury to human operators.

FireEye has yet to attribute this type of malware activity to any threat actor it currently tracks. However it believes with "moderate confidence" that the author has been sponsored by a nation state, particularly as there doesn't appear to be any monetary goal.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences," said the FireEye team. "This is an attack objective not typically seen from cyber-crime groups."

However, these types of attacks on critical infrastructure are consistent with the tactics deployed by Russian, Iranian, North Korean, and Israeli state actors, according to FireEye, and are likely to be "preparation for a contingency plan" rather than an immediate attempt to disrupt a system.

TRITON's method of attack has historically only been seen in a handful of cases, including the Stuxnet malware, which was used to disrupt industrial machinery in Iran in 2010, and Industroyer, believed to be developed by the Russian-based Sandworm Team for use against Ukraine in 2016. In those cases, safety procedures were disabled on equipment, resulting in malfunctions and physical damage.

However, recent research by Symantec has warned that a new attack group known as Dragonfly has started to increase the number of its attacks against European and US industrial sectors.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022