Mysterious safety-tampering malware infects a second critical infrastructure site

Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on security systems.

Sixteen months ago, researchers reported a worrying escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Hackers who may have been working on behalf of a nation caused an operational outage at a critical infrastructure site after deliberately targeting a system that prevents health- and life-threatening accidents.

There had been compromises of critical infrastructure sites before. What was unprecedented in this attack, and a major concern for some researchers and critical infrastructure operators, was the use of sophisticated malware that targeted the unidentified site's safety processes. Such safety instrumented systems (SIS) combine hardware and software that many critical infrastructure sites use to prevent dangerous conditions. When fuel pressure or reactor temperature reaches a potentially dangerous threshold, for example, an SIS automatically closes valves or initiates a cooling process to prevent health- or life-threatening accidents.

By targeting the site's SIS, the malware threatened physical destruction that, depending on the site and the type of accident, could have been serious or even catastrophic. The malware came to be known alternately as Triton and Trisis because it targeted Schneider Electric's Triconex product line. Its development was eventually linked to a research institute backed by the Russian government.

Not an isolated incident

Researchers at FireEye, the same security company that discovered Triton and its links to Russia, said they have found an additional intrusion that used the same malware framework against another critical infrastructure site. As in the first intrusion, the attackers concentrated most of their resources on the facility's OT, or operational technology, the systems that monitor and manage physical processes and devices.

"After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network," FireEye researchers wrote in a report released Wednesday. "They did not exhibit activities commonly associated with espionage, such as using keyloggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."

Once the attackers in the newly discovered intrusion had gained access to the site's SIS controllers, they appeared to focus solely on maintaining that access. This goal involved deliberately limiting other activities to reduce the chances of being discovered.

The discovery uncovered a new set of previously undisclosed custom tools showing that the attackers have been operational since 2014. The existence of these tools and the attackers' evident concern for operational security have led FireEye researchers to believe that there may be other sites, beyond those already known, where the Triton attackers were or are still present.

In an email, John Hultquist, director of cyber espionage analysis at FireEye, wrote:

We now know that the first incident was not isolated. There are others. This is particularly disconcerting given the danger associated with this threat, of which we still know very little. Although we have found this at the Russian institute, we do not know how to explain why, or even if it is related to another country that could make a deal with the institute.

We are publishing the tools and other information about this actor in the hope that others will find them and we will all have a better idea of this emerging and disconcerting actor. We understand that there is a risk that the actor will go to ground. It may have already happened. After we published the blog on attribution in this case, the institute took operational security measures. They took down information on their website and changed their WHOIS.

I hope it is a first step in the global hunt for this actor that leads to answers.

Wednesday's report omits key details about the additional intrusion: for example, when the attack took place, how long it lasted, whether it created dangerous conditions, and whether the malware targeted the same Triconex system as before. A FireEye spokeswoman declined to answer these questions.

The report includes a wealth of technical details about the newly discovered toolset and the means the attackers used to remain hidden within the infected network. The report also contains indicators of compromise for identifying intrusions. FireEye urges researchers and network defenders to check whether these indicators match activity previously observed in their own environments.
