So far, there’s suggestive evidence that at least one state-sponsored attack has been carried out using the new strain of malware, although neither the identity of the target of the attack, nor the organization responsible for it have been disclosed. All we know for sure is that the attack was launched against an industrial concern in the Middle East.
The code base of the new threat utilizes the TriStation Protocol, which is a proprietary tool used by Triconex SIS products. There is no public documentation available for the protocol, which suggests that the hackers who developed the malware must have reverse engineered it.
A spokesman for FireEye had this to say about the code in general and the recent attack:
“The attacker gained remote access to an SIS engineering workstation and deployed the Triton attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.
The attacker deployed Triton shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available.”
The real danger of software like this is that it can reprogram control systems to ignore when equipment begins operating beyond normal operating parameters, which can lead to physical damage to critical infrastructure.
If deployed against a power station, for instance, it could result in widespread blackouts. If deployed against a nuclear installation, it could send the reactor into a meltdown.
Threats like these are becoming more common by the day, and with hundreds of millions of controllers deployed around the world, it’s just a matter of time before the hackers succeed at hitting close to home.