TRITON malware threatens industrial machinery with physical damage

The discovery of a new strain of malware capable of hacking industrial machinery has raised concerns that it could be used to shut down production lines and inflict physical damage to equipment.

The TRITON malware has been built for the purpose of attacking industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers, according to security researchers at FireEye, and has already been discovered targeting an organisation.

Production line SIS controllers are used to harvest the data generated by Internet of Things (IoT) factory machinery, such as industrial robots, sensors, valves and motors. The controllers act as an automated failsafe for equipment, ensuring that they operate within safe parameters and shutting down production lines if, for example, a machine becomes unstable.

It's thought that the authors of the malware designed it to allow remote access to an SIS, which can then be used to initiate an emergency shutdown on machinery, and were in the process of developing a way of causing physical damage to equipment.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," said the FireEye research team. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message."

"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons."

By infecting the SIS controller, it's believed the malware could reprogramme the parameters, forcing unsafe machinery to continue to operate, potentially causing physical damage to the equipment or even injury to human operators.

FireEye has yet to attribute this type of malware activity to any threat actor it currently tracks. However it believes with "moderate confidence" that the author has been sponsored by a nation state, particularly as there doesn't appear to be any monetary goal.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences," said the FireEye team. "This is an attack objective not typically seen from cyber-crime groups."

However, these types of attacks on critical infrastructure are consistent with the tactics deployed by Russian, Iranian, North Korean, and Israeli state actors, according to FireEye, and are likely to be "preparation for a contingency plan" rather than an immediate attempt to disrupt a system.

TRITON's method of attack has historically only been seen in a handful of cases, including the Stuxnet malware, which was used to disrupt industrial machinery in Iran in 2010, and Industroyer, believed to be developed by the Russian-based Sandworm Team for use against Ukraine in 2016. In those cases, safety procedures were disabled on equipment, resulting in malfunctions and physical damage.

However, recent research by Symantec has warned that a new attack group known as Dragonfly has started to increase the number of its attacks against European and US industrial sectors.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.