A highly capable malware reportedly used in a failed plot to blow up a Saudi petrochemical plant has now been linked to a second compromised facility.
FireEye researchers say the unnamed “critical infrastructure” facility was the latest victim of the powerful Triton malware, the umbrella term for a series of malicious custom components used to launched directed attacks.
Triton, previously linked to the Russian government, is designed to burrow into a target’s networks and sabotage their industrial control systems, often used in power plants and oil refineries to control the operations of the facility. By compromising these controls, a successful attack can cause significant disruption — even destruction.
According to the security company’s latest findings out Wednesday, the hackers waited almost a year after their initial compromise of the facility’s network before they launched a deeper assault, taking the time to prioritize learning what the network looked like and how to pivot from one system to another. The hackers’ goal was to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems don’t operate outside of their normal operational state. These critical systems are strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack.
But the hackers were able to gain access to the critical safety system, and focused on finding a way to effectively deploy Triton’s payloads to carry out their mission without causing the systems to enter into a safe fail-over state.
In the case of the August 2017 attack in which Triton was deployed, the Saudi facility would have been destroyed had it not been for a bug in the code.
“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack,” said FireEye’s report. “During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom [industrial control system] malware,” said the report. “This attack was no exception.”.
FireEye would not comment on the type of facility or its location — or even the year of the attack, but said it was likely to cause damage.
“We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that let to the Mandiant investigation,” said Nathan Brubaker, senior manager, analysis at FireEye, in an email to TechCrunch describing the first incident, but wouldn’t comment on the motives of the second facility.
But the security firm warned that the attackers’ slow and steady approach — which involved moving slowly and precisely as to not trigger any alarms — showed they had a deep focus on not getting caught. That, they said, suggests there may be other targets beyond the second facility “where the [hackers] was or still is present.”
The security company published lists of hashes unique to the files found in the second facility’s attack in a hope that I.T. staff in other at-risk industries and facilities can check for any compromise.
“Not only can these [tactics, techniques and procedures] be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor’s favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts,” the company said.