A MESSAGE FROM OUR FOUNDER AND CEO
The appearance of a new malware aimed at industrial controls is quietly causing a major earthquake inside corporations and governments around the world. The TRITON malware program that reportedly attacked a Saudi electric power plant in early December could have severely damaged the plant, and potentially even caused loss of life, if it had not been accidentally discovered.
In the world of Industrial Control Systems (ICS), the key role of safety instruments is to allow computers to monitor whole plants and, if need be, shut them down when a malfunction appears. The Triton malware is aimed specifically at the Schneider Electric Triconex Safety Instrumented System, which is intended for use inside industrial facilities such as nuclear power plants, oil refineries and offshore oil rigs.
The attack was discovered by what may have been an accidental shutdown, when application code between redundant processing units failed a validation check. This failure led investigators to stumble across the Triton malware program embedded in the power plant systems.
The Triton malware was implanted on the "TriStation" Windows control computers that are used to monitor, communicate with and issue commands to the Triconex safety control units attached directly to the plant equipment. The malware was delivered to the Windows computer as a Py2EXE binary, a compiled Python script that depends on a zip file containing standard Python libraries. In addition, the payload zip file contained two binary files: inject.bin, a malicious function code, and imain.bin, malicious control logic.
Key to the Triton attack profile was code allowing it to deploy scripts. The malware could signal the Triconex controller to give up data on its status, as well as issue commands for the attack. The Triconex commands are usually binary data that is signed and run through checksums prior to being passed on to the network. In addition, another attack module implemented TriStation protocol function codes, packing and padding them into the appropriate format.
The Triton malware contained the capability to detect whether an attempt to discover it was underway or the controller was being shut down. If the controller shut down, the malware would attempt to return it to a running state, but if this failed, the malware would overwrite itself in an effort to hide its tracks.
Triton was built with the ability to read and write programs, read and write individual functions, and check the safety controller. The malware was also designed to communicate directly with the Triconex safety control units, sending specific commands such as shut down. The malware was clearly tailored with internal command and control sequences that are not publicly available, indicating that the developer was both sophisticated and able to reverse engineer Schneider code in order to attack the electronic safety devices. This also indicated that the attackers not only knew the TriStation software design but also possessed Schneider equipment to test their attacks against.
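For defenders of TriStation engineering hosts, the delivery pattern described above (a py2exe-compiled Python executable, its companion zip of standard-library modules, and the inject.bin / imain.bin payload blobs) is something that can be hunted for on disk. The script below is an added illustration written for this message, not code from Softwar or from any Triton analysis; it assumes py2exe executables carry the resource name PYTHONSCRIPT and a library.zip beside them (a heuristic, not a signature), and it builds harmless constructed stand-in files so it can run offline.

```python
import hashlib
import os
import tempfile
import zipfile

PAYLOAD_NAMES = {"inject.bin", "imain.bin"}  # payload names reported for Triton
PY2EXE_MARKER = b"PYTHONSCRIPT"              # resource name py2exe embeds (heuristic)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_py2exe(path):
    """Heuristic: a PE (MZ header) whose bytes carry the py2exe resource name."""
    with open(path, "rb") as f:
        data = f.read()
    return data[:2] == b"MZ" and PY2EXE_MARKER in data

def scan(root):
    """Walk root; report directories pairing a py2exe EXE with a lib zip or payload blob."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        paths = {n: os.path.join(dirpath, n) for n in files}
        exes = [n for n in files if n.lower().endswith(".exe") and is_py2exe(paths[n])]
        zips = [n for n in files if n.lower().endswith(".zip") and zipfile.is_zipfile(paths[n])]
        blobs = sorted(set(files) & PAYLOAD_NAMES)
        if exes and (zips or blobs):
            findings.append({"dir": dirpath, "py2exe": exes, "lib_zips": zips,
                             "payload_blobs": blobs,
                             "hashes": {n: sha256_of(paths[n]) for n in exes + blobs}})
    return findings

def build_sample_tree():
    """Constructed, harmless stand-ins (not real Triton files) for an offline run."""
    root = tempfile.mkdtemp()
    sus, clean = os.path.join(root, "sus"), os.path.join(root, "clean")
    os.makedirs(sus); os.makedirs(clean)
    with open(os.path.join(sus, "tool.exe"), "wb") as f:   # fake py2exe EXE
        f.write(b"MZ" + b"\0" * 64 + PY2EXE_MARKER + b"\0" * 16)
    with zipfile.ZipFile(os.path.join(sus, "library.zip"), "w") as z:
        z.writestr("os.pyc", b"\0")  # stand-in for bundled standard-library modules
    for name in PAYLOAD_NAMES:
        with open(os.path.join(sus, name), "wb") as f:
            f.write(b"\xde\xad")
    with open(os.path.join(clean, "vendor.exe"), "wb") as f:  # ordinary PE, no marker
        f.write(b"MZ" + b"\0" * 64)
    return root
```

Run `scan("C:\\")` (or the host's program directories) on a suspect workstation; the clean directory in the sample tree produces no finding, which is the control case.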
The kind of control that the malware applied to the Triconex industrial safety systems could have had fatal consequences. Triton had the capability to shut down a safe process, allow a malfunctioning process to continue, or even induce an unsafe process while masking the status so that operators would not be aware until it was too late. The impact on a conventional power plant could have destroyed equipment and potentially caused limited loss of life. However, if Triton were deployed inside a nuclear power plant, the potential for a Chernobyl-like incident is frighteningly real.
"The attacker targeted the (Triconex Safety Instrumented System) suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups," noted FireEye researchers who were able to examine a sample of Triton.
The researchers at FireEye were also very clear about Triton's pedigree. This was no ordinary piece of software cooked up in mom's basement by a teen hacker. Triton is an expensive and well-designed industrial malware weapon system.
"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors," noted the statement issued by FireEye.
CHARLES R. SMITH
CEO FOUNDER OF SOFTWAR INC.