Why Triton malware will 'change the game' of cyberwarfare

Mayer Brown partner and attorney Marcus Christian explains the exploit in Triconex systems, how hardware hacks work, and the legal ramifications of cyberattacks that target infrastructure.

Triton malware targeted critical infrastructure in the Middle East

TechRepublic's Dan Patterson spoke with Mayer Brown partner and attorney Marcus Christian to discuss how Triton malware works and how companies can defend against it. Below is a transcript of the interview.

Patterson: Last week, Schneider Electric announced that the Triton malware discovered in January 2017 took advantage of a flaw in its Triconex system and targeted critical infrastructure, likely a Middle East energy firm. For TechRepublic, ZDNet, I'm Dan Patterson, and it's a pleasure to speak today with Marcus Christian. He is a partner and attorney at Mayer Brown, a data privacy attorney and partner there. Mr. Christian, thank you very much for your time today. I wonder if we could start with some basics. First, explain to me a little bit about the Triton malware and how it targets critical infrastructure systems.

Christian: Okay, so I'll explain it at a high level. As I understand it, Triton malware essentially is a way to get into critical industrial control systems, basically. Obviously they'd be present in many applications in critical infrastructure, and it's a way to get into the systems to basically allow an attacker from a remote location to be able to disable some security safeguards, essentially, which would allow for a number of potential possibilities. It could be disabling critical systems, or it could be, as some people have speculated, to allow for some physically destructive types of results also.

Patterson: Do you have any indication of the target's identity, the attacker, and the motive?

Christian: As I understand it, and I'll tell you, my information has primarily come from publicly available sources; although I used to be a federal prosecutor, I don't necessarily have access to governmental resources. As I understand it, this was a nation-state trying to test and expand its capability to launch an attack at a future time, to build its ability to do so. As I understand it, the company that was affected is somewhere in the Middle East. I've seen some reports that get a little bit more in depth; based upon what I've seen, I haven't seen anything definitive at this point.

Patterson: What are some of the next steps in investigating, not necessarily this attack specifically, but attacks like this? What are some of the procedural steps that one would go through to learn the motive and attacker?

Christian: So a couple things. One, from the governmental standpoint, what governments are going to be doing, whether they be interested in criminal objectives, which I think is less likely, or intelligence objectives, is to determine, one, it'd be good to make an attribution to determine what party or parties may be behind this, to be able to identify the specific tools and methods they may have used to commit this attack. Also to be able to determine whether there may be similar targets in other places that either have been attacked or have such intrusions, or will be in the near future. And also to gain as much information about the potential attacker as possible. In the world of national security, I imagine countries around the world probably have information about this particular threat actor, its operations, its capabilities, and so on and so forth.

Patterson: I appreciate that you noted one of the purposes of an investigation might be to gather intelligence, or because this is an intelligence asset, an asset of the intelligence community, not necessarily looking for a legal prosecution here in the United States. But what are some of the ramifications if and when intelligence services do track down a potential perpetrator?

Christian: From an intelligence standpoint, I think the ramifications could be that a country could use this to adjust its approach in terms of intelligence operations, in terms of national security operations, in terms of delving into and using, for example, defensive measures with respect to a country, but also a nation could decide to take certain offensive measures. We might not ever know about those offensive measures that are taken, but it could occur. In a more visible way, countries could decide that some type of international sanctions may be appropriate for such actions. I'll just mention this because I'm sure you're probably thinking about it: in rare cases the United States has said, when nation-states have committed certain acts of cyber intrusions against United States companies, has actually brought charges, as you remember in the 2014 incident against the PLA in China. But that's a very rare instance, and I would expect it to be more confined to even the intelligence operations or in terms of sanctions.

Patterson: What is the general global impact of Triton or malware similar to Triton? Particularly from a business and an enterprise business perspective, what are the takeaways? What do we learn about this, and then how do we defend against attacks like this?

Christian: I think for most people, if this isn't a game changer, it certainly is evidence of the game changing. When you look back not too many years ago, most of what we were thinking about were viruses and attacks that hurt us financially. Now we're moving into attacks that are more destructive, that can stop operations for businesses at a particular time. And now the concern is moving more into attacks that not only can bleed into the physical world in terms of affecting our equipment, turning computers into bricks, but also potentially harming people. When you get to that level, certainly the stakes are much higher. I've actually had matters where companies are engaging us to work with security firms to test their products in ways they haven't been tested before. In cyber, oftentimes when we think about what a hack is, you start thinking and talking about it as a way to get into an information security system and do one, two, or three things, but in a broader sense, a hack is basically an action that takes some capability or equipment or device and puts it to an unintended use.

So as connected devices, equipment, and processes become more and more sophisticated, so do the potential unintended uses. And companies are certainly going to be investing in ways to be able to determine vulnerabilities to be able to deal with them on an ongoing basis and to be able to protect their companies and their operations as well as the people who use them.

Patterson: I wonder if you could leave us with a forecast of the next, say, 18 to 36 months. What can we anticipate in terms of Western cyberattacks that target critical infrastructure?

Christian: Unfortunately, we're going to see more and more of it. In the past it's been occurring: countries have been stockpiling vulnerabilities, zero-day exploits. They have been honing their abilities to try to affect critical infrastructure, and I think we're going to see more of these moments. As you look back, some people think about the steel mill explosion that was talked about a few years ago. They think about the power grid in Ukraine that was brought down for a period of time. And now you have Triton. I think, unfortunately, the frequency of these types of events will increase. And the investments in trying to prevent them and address vulnerabilities will also increase. Certainly it's not a welcome development, but it's certainly something we'll be readying ourselves for.
