TRITON malware threatens industrial machinery with physical damage

The new malware strain is capable of causing industrial IoT machinery to operate unsafely

The discovery of a new strain of malware capable of hacking industrial machinery has raised concerns that it could be used to shut down production lines and inflict physical damage to equipment.

The TRITON malware has been built for the purpose of attacking industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers, according to security researchers at FireEye, and has already been discovered targeting an organisation.

Production line SIS controllers are used to harvest the data generated by Internet of Things (IoT) factory machinery, such as industrial robots, sensors, valves and motors. The controllers act as an automated failsafe for equipment, ensuring that they operate within safe parameters and shutting down production lines if, for example, a machine becomes unstable.

It's thought that the authors of the malware designed it to allow remote access to an SIS, which can then be used to initiate an emergency shutdown on machinery, and were in the process of developing a way of causing physical damage to equipment.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," said the FireEye research team. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message."

"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons."

By infecting the SIS controller, it's believed the malware could reprogramme the parameters, forcing unsafe machinery to continue to operate, potentially causing physical damage to the equipment or even injury to human operators.

FireEye has yet to attribute this type of malware activity to any threat actor it currently tracks. However it believes with "moderate confidence" that the author has been sponsored by a nation state, particularly as there doesn't appear to be any monetary goal.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences," said the FireEye team. "This is an attack objective not typically seen from cyber-crime groups."

However, these types of attacks on critical infrastructure are consistent with the tactics deployed by Russian, Iranian, North Korean, and Israeli state actors, according to FireEye, and are likely to be "preparation for a contingency plan" rather than an immediate attempt to disrupt a system.

TRITON's method of attack has historically only been seen in a handful of cases, including the Stuxnet malware, which was used to disrupt industrial machinery in Iran in 2010, and Industroyer, believed to be developed by the Russian-based Sandworm Team for use against Ukraine in 2016. In those cases, safety procedures were disabled on equipment, resulting in malfunctions and physical damage.

However, recent research by Symantec has warned that a new attack group known as Dragonfly has started to increase the number of its attacks against European and US industrial sectors.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020
'NetWalker' ransomware explodes thanks to 'as a service' expansion
ransomware

'NetWalker' ransomware explodes thanks to 'as a service' expansion

4 Sep 2020
Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020