Triton has been associated with a high-profile attack on critical infrastructure facilities. Triton is designed specifically to target the safety systems of industrial devices, the systems responsible for shutting down industrial processes in an emergency. Triton appears to be intended to cause physical damage rather than merely to halt operations: its goal is to damage equipment irreparably. Triton is designed to attack Triconex Safety Instrumented System controllers. Triton is a sophisticated threat that is likely part of a nation-state-sponsored attack rather than the work of individuals, given the considerable resources needed to develop and deploy threats of this sophistication, as well as the profile of Triton's targets.
Why the Cybercrooks Have Created Triton
Only a few families of threats that attack Industrial Control Systems in this way are currently known. Stuxnet, used in attacks against centrifuges in Iran in 2010, remains the best-known threat of this type. Triton follows the same strategy: it prevents safety mechanisms from working correctly, which can cause irreparable, costly physical damage to industrial equipment. To deploy Triton, the attackers appear to have gained remote access to an engineering workstation. Some of the safety controllers apparently triggered an automatic shutdown, and Triton was discovered while the results of that shutdown were being inspected. The discovery of Triton is an important moment because it shows that attackers have been able to infiltrate the safety systems of industrial control systems used in critical plants, including nuclear, oil and gas plants. In at least one facility, Triton has been responsible for the complete shutdown of operations.
The Harm that a Triton Attack can Cause
Triton targets the Triconex industrial safety technology, which is manufactured by Schneider Electric SE. The Triton attacks were disclosed on December 14, 2017, and a security alert was sent to all users of this technology. The nature of the attack and the location of the shutdown have not been revealed, although some have suggested that the Triton attack that was discovered occurred in Saudi Arabia. This seems to be the first reported breach of this type. Apparently, Triton fools the safety systems into indicating that everything is functioning correctly while the attackers damage the targeted mechanisms. Triton is a sophisticated threat that may be part of an effort by the attackers to continue developing their capability to carry out such attacks. Most importantly, the fact that these kinds of attacks have occurred at all indicates that others may try to copy these tactics and create similar threats. Triton may be a tool in a state-sponsored attack and may provide a model for similar attacks on critical infrastructure.
Mapping the History and Consequences of Triton
It seems that Triton has been active since August 2017. Triton infects a computer running the Windows operating system that is linked to the safety system. Apart from Stuxnet, the first and most notable threat that attacks Industrial Control Systems, security researchers also reported attacks in December 2016 that cut the power supply in Ukraine using a threat called Industroyer or Crash Override. If the Triton attack's target was indeed in Saudi Arabia, then Triton may have been developed and deployed with the support of the Iranian government; other attacks, such as the Shamoon virus, have been linked to the conflict between these two nation states. However, the Triton attack does not indicate a vulnerability in Triconex, but rather an isolated incident in which attackers deliberately picked a specific target and set out to damage it.
Triton is an extraordinary beast of a malware that has raised some serious red flags about real-world critical infrastructure and the threats it faces from cyberspace. Just like Stuxnet, the Israeli/American cyberweapon that was used to disrupt uranium enrichment centrifuges in Iran back in 2010, Triton's goal is the destruction of industrial equipment.
People first started to talk about the Triton malware in 2017, when information about a cyber-attack that disrupted Schneider Electric's Triconex product line got leaked. Schneider's Triconex products are known as "safety instrumented systems" or "distributed control systems" and are used to monitor industrial processes, mostly in oil and gas facilities, but also in manufacturing plants and even nuclear energy facilities.
These safety instrumented systems, or SIS for short, are built in such a way that they run independently from other equipment in the facility and monitor for any potential dangers to its operations, triggering alerts or shutdowns in a bid to prevent accidents or sabotage.
Triton, a/k/a Trisis, acts as a sort of "payload": it allows hackers who have managed to gain deep access to a facility's network to search for Schneider's Triconex units, confirm whether they can connect to them, and begin injecting new commands into their operations. If the commands aren't accepted by the Triconex controllers, the system has a built-in "fail-safe" that shuts down the whole facility for no apparent reason.
This is precisely what happened in the 2017 incident, which would almost have gone unnoticed if it weren't for the Triconex controllers shutting down operations on two separate occasions, a couple of months apart. The first outage was misidentified as a mechanical glitch, but the plant's owners called in investigators after the second one, which led to the discovery of Triton/Trisis.
Who is Behind Triton/Trisis?
There has been some speculation about the people behind Triton. As more details of the 2017 incident became public, it became clear that the target was an oil and gas facility in Saudi Arabia, which led many to believe that the oil-rich country's archenemy, Iran, had something to do with it.
Security researchers from several companies investigating Triton have stated that the malware was specifically targeting the Saudi Arabian petrochemical plant and that the "tailored" attack on the company's corporate IT network might date back as far as 2014.
As researchers from FireEye, a cybersecurity firm that was involved in the Triton investigation, dug further, they pointed the finger at another possible culprit: Russia. They managed to find a file the hackers had left behind on the petrochemical company's network and were able to trace other files from the same test bed, containing several names in Cyrillic and an IP address that had been used to launch operations linked to the malware. The IP address was registered to Moscow's Central Scientific Institute of Chemistry and Mechanics.
FireEye also stated that they had found evidence suggesting a connection between Triton and a professor at the government-funded institute, but they didn't give out a name. The cybersecurity firm noted, however, that no specific evidence had been found that could definitively prove the institute had developed Triton. Researchers are still actively looking into the malware's origins, so other theories about who might be behind it may still emerge.
Custom malware targeting critical infrastructure facilities has become an even bigger threat with the expanded connectivity of the modern era. Threats such as Triton can find a way into systems that are designed to be isolated from outside influences.
The group behind Triton managed to infiltrate the plant's network through a poorly configured firewall after they had initially found their way into the company's corporate IT network. Then, they managed to infiltrate an engineering workstation, from which they learned the make and model of the plant's safety instrumented systems, as well as the versions of firmware they were running.
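The two conditions described above, an attacker reaching the safety network from the corporate side and a host other than the engineering workstation talking to the Triconex controllers, are exactly what a plant's network monitoring should be able to flag. The following Python script is an added example, not code from this article or from any of the investigating firms: it parses a few constructed flow-log lines, alerts on any host outside the approved engineering-workstation list that reaches an SIS controller (and on any traffic to the controllers' engineering port from an unapproved host), and audits a constructed firewall rule set for a rule that lets corporate IT reach the safety zone directly. The zone ranges, controller addresses, the port number 1502 and the rule format are all assumptions made for the example; a real deployment substitutes the plant's own asset inventory and the engineering port documented by the SIS vendor.

```python
"""Added example (constructed data): flag traffic to safety-instrumented-system
(SIS) controllers that does not come from an approved engineering workstation,
and audit a firewall rule set for a path from corporate IT into the safety zone.
All addresses, ports, log lines and rules below are made up for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network zones (constructed ranges).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.1.0.0/16"),
    "plant_dcs": ipaddress.ip_network("10.20.0.0/16"),
    "safety": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed asset inventory: the SIS controllers and the only workstation
# permitted to program them. In practice this comes from the plant's asset list.
SIS_CONTROLLERS = {"10.30.0.10", "10.30.0.11"}
APPROVED_ENGINEERING_WS = {"10.30.0.50"}
# Assumption: the controllers' engineering/programming service listens here.
# Replace with the port documented by the SIS vendor.
SIS_ENGINEERING_PORT = 1502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line such as
    'src=10.1.5.7 dst=10.30.0.10 dport=1502 proto=udp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for a flow that touches an SIS controller, or None
    when the flow matches the expected pattern (approved engineering workstation,
    or routine status traffic from the plant DCS on a non-engineering port)."""
    if flow.dst not in SIS_CONTROLLERS:
        return None
    if flow.src in APPROVED_ENGINEERING_WS:
        return None
    src_zone = zone_of(flow.src)
    if flow.dport == SIS_ENGINEERING_PORT:
        return f"engineering-port access from unapproved host in {src_zone}"
    if src_zone not in ("safety", "plant_dcs"):
        return f"cross-zone access to SIS from {src_zone}"
    return None


def detect(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Run classify over log lines; return (flow, label) for every alert."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            alerts.append((flow, label))
    return alerts


def audit_rules(rules: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Each rule is (src_zone, dst_zone, action) in a constructed format.
    Return rules that let corporate IT reach the safety zone directly; the
    safety zone should only be reachable from the plant/engineering side."""
    return [r for r in rules if r[2] == "allow" and r[0] == "corporate_it" and r[1] == "safety"]


# Constructed flow-log sample.
SAMPLE_FLOWS = [
    "src=10.30.0.50 dst=10.30.0.10 dport=1502 proto=udp",  # approved workstation: fine
    "src=10.1.5.7 dst=10.30.0.10 dport=1502 proto=udp",  # corporate host programming SIS
    "src=10.30.0.77 dst=10.30.0.11 dport=1502 proto=udp",  # unapproved host inside safety zone
    "src=10.20.3.4 dst=10.30.0.11 dport=502 proto=tcp",  # DCS status traffic: expected
    "src=10.1.5.7 dst=10.30.0.11 dport=502 proto=tcp",  # corporate host reaching SIS at all
    "src=10.1.5.7 dst=10.20.3.4 dport=443 proto=tcp",  # not an SIS target: ignored
]

# Constructed rule sets: the weak one has the corporate-to-safety allow rule.
WEAK_RULES = [("corporate_it", "plant_dcs", "allow"),
              ("corporate_it", "safety", "allow"),
              ("plant_dcs", "safety", "allow")]
FIXED_RULES = [("corporate_it", "plant_dcs", "allow"),
               ("corporate_it", "safety", "deny"),
               ("plant_dcs", "safety", "allow")]

if __name__ == "__main__":
    for flow, label in detect(SAMPLE_FLOWS):
        print(f"ALERT {label}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("weak rule set, offending rules:", audit_rules(WEAK_RULES))
    print("fixed rule set, offending rules:", audit_rules(FIXED_RULES))
```

Running the script prints three alerts for the sample lines (the two engineering-port accesses and the corporate host reaching a controller on any port) and lists the single offending rule in the weak set and none in the corrected one. The design point worth keeping is that the allow-list is keyed on the specific engineering workstation rather than on the safety zone as a whole: as this incident shows, the engineering workstation is precisely the host an intruder goes after, so its sessions to the controllers should themselves be logged and reviewed rather than trusted silently.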
This put them in a position in which they could cause serious damage, not only damaging the equipment but also threatening those who work at the plant, as well as the people living in the surrounding area.
As Rob Lee, founder of Dragos Inc., another security company involved in the investigation, noted: "You could have explosions, oil spills, manufacturing equipment rip apart and kill people, gas leaks that kill people. It depends on what the industrial process is doing, but you could absolutely have dozens of deaths."
The results of such attacks can be terrifying, considering that the worst industrial disaster to date involved a leak of poisonous gases. A Union Carbide plant located in Bhopal, India released a vast cloud of toxic fumes in December 1984, killing thousands in the area and leaving many more severely injured. The cause of that incident was poor maintenance and human error, but if intentional sabotage is added to the mix, things can get a whole lot worse.