TRITON malware threatens industrial machinery with physical damage

The new malware strain is built to tamper with the safety controllers that keep industrial machinery from operating unsafely

The discovery of a new strain of malware capable of reprogramming industrial safety controllers has raised concerns that it could be used to shut down production lines and inflict physical damage on equipment.

The TRITON malware has been built for the purpose of attacking industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric, according to security researchers at FireEye, and has already been found deployed against a critical infrastructure organisation.


An SIS is a dedicated safety layer that sits alongside, but separate from, the control system that runs an industrial process. It reads sensors (pressure, temperature, flow and similar) attached to equipment such as valves, motors and industrial robots, compares the readings with pre-set safe limits, and if a limit is breached drives the equipment to a safe state, for example by closing a valve, stopping a motor or shutting the production line down. It is an automated failsafe, not a data-collection device.

FireEye found that the attacker gained remote access to an SIS engineering workstation and used TRITON to reprogram the Triconex controllers. Reprogramming an SIS can be used to trigger an emergency shutdown, in effect a denial of service against the plant, and it's thought the attacker was still developing a way of using the same access to cause physical damage to equipment.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," said the FireEye research team. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message."


"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons."

By reprogramming the SIS controller, an attacker could alter or disable the safety logic so that the controller no longer trips when the process leaves its safe envelope, allowing machinery to keep running in an unsafe condition. Combined with manipulation of the process itself, that could damage equipment or injure human operators.
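The failure sequence FireEye describes, reduced to a toy model as an added example (constructed for this article; it is not Triconex firmware, TRITON code or FireEye's analysis). It models an SIS logic solver with three redundant copies of the safety program, the cross-processor validation of that program, and a 2-out-of-3 trip vote. The class names, tag names and trip limits are assumptions; the three scenarios show a normal trip, the inadvertent safe shutdown that occurs when only one replica's program is changed, and the outcome the attacker was apparently working towards, where a consistent change to every replica lets an unsafe reading pass without a trip.

```python
"""Toy safety-instrumented-system model (constructed illustration, not vendor code)."""
import hashlib
from dataclasses import dataclass, field

SAFE_STATE = "SAFE_STATE"
RUNNING = "RUNNING"


@dataclass
class SafetyLogic:
    """Application program held by one redundant processor: safe band per sensor tag."""
    limits: dict  # tag -> (low, high); outside this band the SIS must trip

    def digest(self) -> str:
        # A content hash stands in for the validation of application code
        # between redundant processors.
        blob = repr(sorted(self.limits.items())).encode()
        return hashlib.sha256(blob).hexdigest()

    def demands_trip(self, readings: dict) -> bool:
        for tag, (low, high) in self.limits.items():
            value = readings.get(tag)
            if value is None or not low <= value <= high:  # missing sensor fails safe
                return True
        return False


@dataclass
class LogicSolver:
    """Three replicas voting 2-out-of-3 (simplified model of a redundant logic solver)."""
    replicas: list
    diagnostics: list = field(default_factory=list)

    def scan(self, readings: dict) -> str:
        # Diagnostic: every replica must hold identical application code,
        # otherwise the solver goes to its safe state regardless of readings.
        if len({r.digest() for r in self.replicas}) != 1:
            self.diagnostics.append("diagnostic failure: application code mismatch")
            return SAFE_STATE
        votes = sum(r.demands_trip(readings) for r in self.replicas)
        return SAFE_STATE if votes >= 2 else RUNNING


# Constructed plant data: a single reactor with pressure and coolant-flow trips.
GOOD_LIMITS = {"reactor_pressure_bar": (0.0, 12.0), "coolant_flow_m3h": (50.0, 500.0)}
UNSAFE_LIMITS = {"reactor_pressure_bar": (0.0, 99.0), "coolant_flow_m3h": (0.0, 500.0)}
NORMAL = {"reactor_pressure_bar": 9.5, "coolant_flow_m3h": 220.0}
OVERPRESSURE = {"reactor_pressure_bar": 15.2, "coolant_flow_m3h": 220.0}
KNOWN_GOOD_DIGEST = SafetyLogic(GOOD_LIMITS).digest()


def build_solver() -> LogicSolver:
    return LogicSolver([SafetyLogic(dict(GOOD_LIMITS)) for _ in range(3)])


def reprogram(solver: LogicSolver, index: int, new_limits: dict) -> None:
    """Model a program download to one processor, i.e. what an attacker with
    engineering-workstation access could attempt (hypothetical API)."""
    solver.replicas[index] = SafetyLogic(dict(new_limits))


def verify_baseline(solver: LogicSolver) -> bool:
    """Asset-owner check: does every replica still run the known-good program?"""
    return all(r.digest() == KNOWN_GOOD_DIGEST for r in solver.replicas)


def scenario_untampered():
    """Healthy SIS: runs under normal readings, trips on overpressure."""
    solver = build_solver()
    return solver.scan(NORMAL), solver.scan(OVERPRESSURE)


def scenario_partial_tamper():
    """One replica reprogrammed: the validation check fails and the plant trips
    even though every reading is normal, the 'inadvertent shutdown' case."""
    solver = build_solver()
    reprogram(solver, 0, UNSAFE_LIMITS)
    return solver.scan(NORMAL), len(solver.diagnostics), verify_baseline(solver)


def scenario_full_tamper():
    """All replicas reprogrammed consistently: no diagnostic, and an overpressure
    that should trip the plant is waved through. Only the baseline check notices."""
    solver = build_solver()
    for i in range(3):
        reprogram(solver, i, UNSAFE_LIMITS)
    return solver.scan(OVERPRESSURE), len(solver.diagnostics), verify_baseline(solver)


if __name__ == "__main__":
    print("untampered:", scenario_untampered())
    print("one replica changed:", scenario_partial_tamper())
    print("all replicas changed:", scenario_full_tamper())
```

The point of the third scenario is that the controller's own consistency diagnostics only catch an inconsistent change; an attacker who reprograms every replica the same way leaves no diagnostic, so the asset owner needs an external comparison of the running program against a known-good baseline, which is what `verify_baseline` stands in for.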

FireEye has yet to attribute this activity to any threat actor it currently tracks. However, it assesses with "moderate confidence" that the activity is sponsored by a nation state, particularly as there doesn't appear to be any monetary goal.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences," said the FireEye team. "This is an attack objective not typically seen from cyber-crime groups."

Targeting critical infrastructure in this way is consistent with attack and reconnaissance activity carried out by Russian, Iranian, North Korean and Israeli state actors, according to FireEye, which also notes that an intrusion of this kind does not necessarily signal an immediate intent to disrupt the system and may instead be "preparation for a contingency".


Malware written specifically for industrial control systems has only been publicly identified in a handful of cases. The best known are Stuxnet, discovered in 2010, which altered the logic of programmable logic controllers to damage centrifuges in Iran, and Industroyer, believed to have been developed by the Russia-linked Sandworm Team, which issued commands over grid protocols to cut power in Ukraine in December 2016. Neither of those targeted the safety system; TRITON is the first publicly reported malware built to reprogram an SIS, the layer whose job is to stop exactly the kind of unsafe operation that leads to physical damage.

Meanwhile, recent research by Symantec has warned that the Dragonfly group, active since at least 2011, has resurfaced with a campaign against energy sector companies in Europe and the US, in some cases gaining access to operational networks.
