
Safety-Tampering 'Triton Malware' Is Infecting More Infrastructure Websites

The Triton malware was first discovered by FireEye researchers. It was seen targeting Triconex safety controllers made by Schneider Electric; a bug in that system is what let the malware in. The attack was linked to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow.

FireEye has since published a report on one more instance of Triton being used, this time against power plants and refineries. Triton was used to tamper with the Safety Instrumented Systems (SIS) at these installations, raising the risk of toxic releases, fires, explosions and similar incidents.

The second case revealed that Triton attacks had been ongoing since as far back as 2014, and exposed a suite of tools that showed just how capable the Triton operators were.

What makes Triton dangerous?

The most dangerous aspect of targeting SIS systems is that it can leave power plants and facilities not just shut down but permanently inoperable, and can potentially kill people inside or near them. Much like Stuxnet and the so-called 'Sandworm' attacks of years past that were attributed to Russia, this can be considered an act of industrial sabotage. During 2018 alone, attacks of this kind caused $10 billion in damage to infrastructure around the world.

It turns out there are more incidents than this one, and even though the origins of the attacks were traced to the Russian institute, there is currently insufficient information to make a firm assessment. The institute may have been contracted by another threat actor, or its computers may have been used by someone with no government affiliation, such as a private individual or individuals.

Lack of details on the attack itself

The report released by FireEye leaves out several details, such as when the attack took place, how long it lasted, whether any damage was done, and whether the malware targeted the same Triconex system as in the earlier case. A FireEye spokeswoman declined to answer questions about the specifics of the attack.

On the other hand, the report does include technical details on the tool set FireEye discovered, as well as how the attackers use these tools to stay hidden on an infected network. The report also shows how the intrusions were identified. FireEye urged researchers and corporate cyber security teams to check whether data from their own environments matches what was seen in the earlier attacks.