Hackers Successfully Shut Down "Critical Infrastructure" in an Unprecedented Attack


Several governments have issued alerts this year warning of cyberattacks on critical infrastructure sites; however, this is possibly the first report of a targeted attack on a safety system at an industrial plant. Representatives with Schneider Electric could not immediately be reached for comment.

The incident marks the first report of hackers successfully cracking industrial plant safety systems.

"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors", FireEye researchers stated in their analysis.

Researchers believe the attackers were trying to develop a method of causing physical damage, similar to the Stuxnet attack. Last year, one such attack, known as Industroyer, was used to disrupt Ukraine's power grid; Stuxnet itself was reportedly used in 2010 by the US and Israel to target Iran's nuclear program. Still, Triton represents a new paradigm in industrial control hacking that is likely to be copied in future breaches.

It said: "While there have been a small number of previous cases of malware created to attack industrial control systems (ICS), Triton is the first to attack safety instrumented system devices". While previously identified in theoretical attack scenarios, targeting SIS equipment specifically represents a risky evolution within ICS computer network attacks. During the incident, some SIS controllers entered a failed-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

FireEye named this malware TRITON and said they've spotted a threat actor deploying it in live attacks.


"Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences", the firm said.

The researchers said the attackers were well-prepared, noting that the Triton framework tool would have required reverse engineering the proprietary TriStation protocol, and that the attack tool was already built and tested before being put into use. The attacker could have caused a process shutdown by issuing a halt command or by intentionally uploading flawed code to the SIS controller to cause it to fail.

"Industrial companies, with operations at risk, should look to proven technologies that leverage artificial intelligence and machine learning to continuously monitor industrial control systems networks for anomalies that detect and mitigate possible attacks that could cause harm to the industrial control systems," he added.
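As an added illustration of the two points above (that the attacker had to reach the SIS controller over its engineering protocol to halt it or load code onto it, and that continuous monitoring of the control network can surface such activity), here is a small allow-list monitor. It is example code written for this page, not code from the article, from FireEye, or from the plant involved. Everything in it is constructed: the addresses, the approved engineering host, the maintenance window, the record format emitted by a hypothetical protocol-aware network sensor, and the operation labels (`program_download`, `halt`) are placeholders, not TriStation message names.

```python
"""Allow-list monitor for engineering traffic to SIS controllers.

Added example; all hosts, timestamps, field names and operation labels
are constructed placeholders, not values from the incident.
"""
from dataclasses import dataclass
from datetime import datetime

# Placeholder addresses of the safety controllers being protected.
SIS_CONTROLLERS = {"10.0.50.10", "10.0.50.11"}
# The only engineering workstation allowed to talk to the SIS (placeholder).
APPROVED_ENGINEERING_HOSTS = {"10.0.40.5"}
# Hypothetical operation labels a sensor might assign to program loads and halts.
SENSITIVE_OPS = {"program_download", "halt"}
# Approved change windows (constructed): sensitive operations are expected
# only inside these intervals, even from an approved host.
MAINTENANCE_WINDOWS = [
    (datetime(2017, 12, 14, 8, 0), datetime(2017, 12, 14, 12, 0)),
]

# Constructed sensor output: one record per engineering-protocol session.
SAMPLE_RECORDS = [
    {"ts": "2017-12-14T09:15:00", "src": "10.0.40.5", "dst": "10.0.50.10", "op": "read_status"},
    {"ts": "2017-12-14T09:20:00", "src": "10.0.40.5", "dst": "10.0.50.10", "op": "program_download"},
    {"ts": "2017-12-14T23:41:00", "src": "10.0.40.5", "dst": "10.0.50.11", "op": "program_download"},
    {"ts": "2017-12-14T23:45:00", "src": "10.0.30.77", "dst": "10.0.50.11", "op": "read_status"},
    {"ts": "2017-12-14T23:46:00", "src": "10.0.30.77", "dst": "10.0.50.11", "op": "halt"},
    {"ts": "2017-12-14T23:50:00", "src": "10.0.30.77", "dst": "10.0.60.1", "op": "halt"},
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    op: str
    reason: str


def in_maintenance_window(ts: str, windows=MAINTENANCE_WINDOWS) -> bool:
    """True if the ISO-8601 timestamp falls inside an approved change window."""
    t = datetime.fromisoformat(ts)
    return any(start <= t <= end for start, end in windows)


def analyse(records, sis=SIS_CONTROLLERS, approved=APPROVED_ENGINEERING_HOSTS,
            sensitive=SENSITIVE_OPS, windows=MAINTENANCE_WINDOWS):
    """Return one Alert per policy violation seen in the records.

    Two independent checks, so a single session can raise both:
      1. any session to a SIS controller from a host not on the allow-list;
      2. a sensitive operation against a SIS controller outside a window.
    Traffic to non-SIS destinations is out of scope and ignored.
    """
    alerts = []
    for r in records:
        if r["dst"] not in sis:
            continue
        if r["src"] not in approved:
            alerts.append(Alert(r["ts"], r["src"], r["dst"], r["op"],
                                "SIS controller contacted from unapproved host"))
        if r["op"] in sensitive and not in_maintenance_window(r["ts"], windows):
            alerts.append(Alert(r["ts"], r["src"], r["dst"], r["op"],
                                "sensitive operation outside maintenance window"))
    return alerts


def count_by_reason(alerts):
    """Tally alerts per reason, handy for a quick dashboard line."""
    counts = {}
    for a in alerts:
        counts[a.reason] = counts.get(a.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyse(SAMPLE_RECORDS):
        print(f"{a.ts} {a.src} -> {a.dst} [{a.op}] {a.reason}")
    print(count_by_reason(analyse(SAMPLE_RECORDS)))
```

On the constructed sample this raises four alerts: the late-night program load from the approved workstation (outside the window), the read from the unknown host, and the halt from the unknown host (which trips both checks). The point of the design is that a read-only probe from an unexpected host is already reportable on its own, before any halt or code load is attempted, whereas a model that only watches for "dangerous" operations would stay quiet until the process was already going down.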

FireEye did not identify any nation-state as the likely aggressor, but said the company was moderately confident that the attacker is a government-sponsored group. While these attempts appear to have failed due to one of the attack scripts' conditional checks, the attacker persisted with their efforts.

"Attacks on an industrial process that are as specific in nature as TRISIS are considerably hard to repurpose against other sites although the tradecraft does reveal a blueprint to adversaries to replicate the effort". "The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor", the company said.
