FireEye researchers mentioned that the company’s Mandiant subsidiary is attacked by new industrial control systems(ICS) malware. The hackers shut down plant operations by targeting emergency shutdown systems.
Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers were targeted specifically. The researchers are calling the malware Triton. The operations were shut down during reconnaissance performance by attackers.
“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” the researchers wrote. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”
Russian, Iranian, North Korean, U.S. and Israeli state actors may be behind the attacks. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency,” the researchers mentioned.
Phil Neray, vice president of industrial cyber security at CyberX, mentioned that his company believes the targeted plant was in Saudi Arabia, which would likely mean that Iran was responsible for the attack.
“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs,”
Neray said. “This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary.”
Chris Morales, head of security analytics at Vectra, mentioned that an attack like this was all but inevitable. “The connectivity and integration of traditional information technology with operational technology — IT/OT convergence — is increasing exponentially,” he said.
“The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments,” Morales added. “In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities.”
____________________________________________________________________________________________
AlertSec ACCESS is a patent pending technology designed to check that devices are encrypted before access to a network is granted.