Triton Wormed Their Way Into Another Critical Infrastructure, and Possibly Many More…
The advanced hacking group behind the Triton malware was responsible for an attack on a Saudi petrochemical plant in 2017. The attack could have destroyed the facility; it failed only because of a bug in the Triton malware's code.
Now, years later, researchers have confirmed finding traces of the same group in a second critical infrastructure facility. The group's tradecraft is to dwell silently inside a target's network for a long time, mapping which systems exist and how they are interconnected, with the goal of quietly reaching the facility's safety instrumented systems (SIS) and industrial control systems. An SIS monitors the physical process and forces it into a safe state, typically a shutdown, when it drifts outside its safe operating limits. By learning the ins and outs of the safety systems, the group aims to carry out its attack without tripping that safe fail-over state.
Once the Triton malware is in place on the safety controllers, the group can turn to the industrial control systems that run the facility's operations. With the safety layer neutralized, sabotaging those controls could cause significant disruption to daily operations, a full shutdown, or physical damage.
The group's most recent victim has been very discreet about the incident. The facility's name, type, and location have not been disclosed. What is known is that the intrusion was discovered after the malware caused a process shutdown, which triggered an investigation; the shutdown is believed to have been unintentional. The motive has not been confirmed, but the assessment is that the group was building the capability to cause physical damage to the facility when the shutdown was inadvertently triggered.
Because of the slow and patient approach, there is concern that additional critical infrastructure facilities are already compromised. To help defenders catch the group before damage is done, a list of hashes of the files found at the second facility has been published, so that other at-risk facilities can check their own systems for matching files. A hash match is only evidence of a byte-identical file; tooling recompiled or repacked for another target will not match, so the list is a starting point for a hunt rather than a clean bill of health.
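One way to put a published hash list to use is a sweep that hashes every file under a directory tree once and compares the digests against the indicator set. The script below is an added example, not code from the article or from any vendor report: it assumes the indicator list is plain text with one hex digest per line, optionally prefixed with the algorithm (`sha256:...`), with `#` comments. The indicator lines and the planted file in `demo()` are constructed for the demonstration and are not the real Triton hashes; replace them with the published list before running it against real hosts.

```python
"""Sweep a directory tree for files whose hashes match a published IOC list.

Added example, not from the original article. Assumptions: IOC lines are
'sha256:<hex>' or bare '<hex>' (algorithm inferred from length: 32 = md5,
40 = sha1, 64 = sha256); blank lines and '#' comments are ignored. The sample
indicators and files in demo() are constructed placeholders, not real IOCs.
"""
import hashlib
import os
import tempfile
from pathlib import Path

_LEN_BY_ALGO = {"md5": 32, "sha1": 40, "sha256": 64}
_ALGO_BY_LEN = {n: a for a, n in _LEN_BY_ALGO.items()}
_CHUNK = 1 << 20  # read in 1 MiB chunks so large binaries are not loaded into RAM


def load_iocs(lines):
    """Parse IOC lines into ({algorithm: set(lowercase hex)}, [malformed lines]).

    Malformed entries are returned rather than silently dropped, so a typo in
    the list does not turn into a false sense of coverage.
    """
    iocs = {a: set() for a in _LEN_BY_ALGO}
    bad = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            algo, digest = line.split(":", 1)
            algo = algo.strip().lower()
        else:
            digest = line
            algo = _ALGO_BY_LEN.get(len(digest))
        digest = digest.strip().lower()
        if (algo not in iocs or len(digest) != _LEN_BY_ALGO[algo]
                or any(c not in "0123456789abcdef" for c in digest)):
            bad.append(raw)
            continue
        iocs[algo].add(digest)
    return iocs, bad


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Return {algo: hexdigest} for one file, feeding every hasher in a single read pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(_CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, iocs):
    """Walk `root` and return [(path, algo, digest)] for every file matching an indicator.

    Only algorithms that actually have indicators are computed. Symlinks are
    skipped (and os.walk does not follow symlinked directories) so the sweep
    stays inside the tree it was pointed at.
    """
    wanted = tuple(a for a, digests in iocs.items() if digests)
    hits = []
    if not wanted:
        return hits
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digests = hash_file(path, wanted)
            except OSError:
                continue  # unreadable (permissions, locked); a real tool would log this
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((str(path), algo, digest))
    return hits


def demo():
    """Build a constructed tree with one planted match and return (hits, malformed IOC lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engineering").mkdir()
        planted = root / "engineering" / "sample.bin"  # constructed, not a real artifact name
        planted.write_bytes(b"constructed sample payload, not real malware")
        (root / "readme.txt").write_text("benign file")
        ioc_lines = [
            "# constructed indicator list for the demo, not the published Triton hashes",
            "sha256:" + hashlib.sha256(planted.read_bytes()).hexdigest(),
            "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of an empty file; nothing here matches it
            "not-a-hash",                        # malformed on purpose; reported by load_iocs
        ]
        iocs, bad = load_iocs(ioc_lines)
        return sweep(root, iocs), bad


if __name__ == "__main__":
    found, malformed = demo()
    for p, a, d in found:
        print(f"MATCH {a} {d} {p}")
    for entry in malformed:
        print(f"skipped malformed IOC line: {entry!r}")
```

Hashing each file once for all algorithms matters on an engineering workstation full of large project files, and returning malformed indicator lines instead of dropping them keeps a mangled copy-paste of the list from quietly reducing coverage.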