How the Triton malware shut down critical infrastructure in the Middle East

The December attack leveraged a zero-day flaw, and user error, to infect industrial equipment.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Triton, which attacked industrial hardware in the Middle East, was able to spread due to a zero-day exploit and human error that left a critical switch in the wrong position.
  • Industrial sites are tempting targets for cyberattacks. Businesses need to be ready to protect against crippling malware assaults in the future.—TechRepublic

The attack vector for Triton, the nation state-sponsored malware that attacked industrial sites in the Middle East in December 2017, has been revealed by the hardware manufacturer whose equipment was the target.

Schneider Electric recently published a security notification detailing how the Triton malware managed to infect its Triconex Safety Controllers using a zero-day exploit specific to some of its older controllers.

That wasn't the only cause of the infection, however: Had a critical Tricon key switch not been in "program" mode, the attack would never have been able to spread through the network.

"A complex malware infection scenario"

Regardless of the limited success of Triton's ultimate goals, it did manage to pull off several phases of what Triton called a complex scenario.

To begin, Triton had to gain unrestricted access to the safety network, which could be accomplished either physically or remotely. To get any further, however, Triton needed the aforementioned key switch to be in "program" mode, and, as far as Schneider Electric can tell, it was.

Perhaps Triton's most important function was its ability to perform network reconnaissance, in which it could "scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers," Schneider Electric said.

From there, Triton was designed to act as a remote access Trojan (RAT), enabling its controller to perform actions on the infected network as if it had physical access.

As our sister site ZDNet points out, flaws in Triton's payload script caused it to fail to do much besides simply infect the network—its payload failure triggered a response in the control systems, placing them in safe mode and preventing spread of the attack.

Industrial systems are tempting targets

Triton isn't the only example of an attack on industrial systems and the industrial internet of things (IIOT). Both are tempting targets, especially as industry continues to become more connected.

Estimates put the IIOT market at $151 billion by 2020, and if proper security measures aren't in place, companies, and even national infrastructure, could be crippled by the right attack.

Schneider Electric makes some excellent suggestions for protecting your industrial control systems and IIOT hardware in its security bulletin. These are steps companies should be following regardless of who their hardware vendor is:

  • Make sure that proper antivirus software is installed on all machines.
  • Install security, OS, and firmware updates as soon as they are available.
  • Deploy safety features on all networks—even isolated ones.
  • Ensure that physical measures are in place to prevent unauthorized access to control systems. That includes locking cabinets as well as placing sensitive hardware behind access-controlled doors.
  • Restrict network access for outside devices until they can be verified to be virus and malware free.
  • Use the NIST Cybersecurity Framework to develop effective policies and assess your preparedness for an attack.
About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.