Nation State Attackers Shut Down Industrial Plant with New ICS Malware


FireEye researchers yesterday reported that the company's Mandiant subsidiary had responded to an incident at an industrial plant, in which the attacker shut down plant operations by targeting emergency shutdown systems with malware specifically designed for industrial control systems (ICS).

Because it specifically targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, the researchers are calling the malware Triton.

They believe the attacker shut down operations by mistake while performing reconnaissance to determine how to cause physical damage to the plant.

Nation State Attacks

"FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state," the researchers wrote. "The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor."

These types of attacks, FireEye suggests, are consistent with activities carried out by Russian, Iranian, North Korean, U.S. and Israeli state actors. "Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency," the researchers wrote.

Phil Neray, vice president of industrial cyber security at CyberX, told eSecurity Planet by email that his company believes the targeted plant was in Saudi Arabia, which would likely mean that Iran was responsible for the attack.

"It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs," Neray said. "This would definitely be an escalation of that threat because now we're talking about critical infrastructure -- but it's also a logical next step for the adversary."

Increasing Vulnerabilities

Chris Morales, head of security analytics at Vectra, said by email that an attack like this was all but inevitable. "The connectivity and integration of traditional information technology with operational technology -- IT/OT convergence -- is increasing exponentially," he said.

"The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments," Morales added. "In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities."

A recent LNS Research survey of 130 strategic decision makers from industrial companies, sponsored by Honeywell, found that more than half of respondents said their facility has already suffered a security breach, and 45 percent still don't have an accountable enterprise leader for cyber security.

Only 37 percent of respondents are monitoring for suspicious behavior.

"Decision makers are more aware of threats and some progress has been made to address them, but this report reinforces that cyber security fundamentals haven't been adopted by a significant portion of the industrial community," Honeywell Industrial Cyber Security vice president and general manager Jeff Zindel said in a statement.