Infrastructure hacking“Watershed attack:” Hackers deploy new ICS attack framework, disrupting critical infrastructure
Hackers working for a nation-state recently invaded the safety system of a critical infrastructure facility in what cyber experts call “a watershed attack” that halted plant operations. Cybersecurity firm FireEye disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE. Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants. FireEye and Schneider declined to identify the victim, industry or location of the attack.
Hackers working for a nation-state recently invaded the safety system of a critical infrastructure facility in what experts call “a watershed attack” that halted plant operations. Cybersecurity firm FireEye disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE. Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants. FireEye and Schneider declined to identify the victim, industry or location of the attack.
Mandiant, a unit of FireEye, recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. Mandiant says it assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which Mandiant calls TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.
Mandiant notes it “has not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.”
Mandiant says that TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.
Incident summary
The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.
