The US FBI has warned the global energy industry that the Triton malware still poses a threat, and it’s too early to relax.
Triton (also known as Trisis and HatMan) is designed to “force physical security systems to shut down or operate in an unsafe manner,” according to the FBI notification.
In particular, Triton was used in a 2017 attack on a petrochemical plant in the Middle East, which the United States attributes to the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM). Last week, the US Department of Justice unsealed charges against TsNIIKhM employee Evgeny Gladkikh and three other Russian citizens accused of cyber attacks on the global energy sector.
In the 2017 attack, Triton targeted the Schneider Electric Triconex safety instrumented system (SIS), which initiates the procedures for safely shutting down equipment in an emergency. The attackers gained initial access, then moved laterally through the IT and OT networks to reach the safety instrumented system.
The malware modified the firmware in the memory of the Triconex Tricon safety controllers so that, in an emergency, the safe-shutdown procedures would not be initiated and the plant would face serious danger, including possible human casualties.
According to the FBI notification, TsNIIKhM is still attacking the global energy sector.
“Judging by the attack pattern and malware used in the first Triton attack, such attacks can be carried out on other security systems,” the FBI warned.
Although Schneider Electric has patched the Tricon controller vulnerability exploited in the attack, older, still-vulnerable versions remain in use at enterprises.
Owners and operators of potentially vulnerable critical infrastructure assets should regularly audit and monitor their safety instrumented systems and the personnel who work with them, and should prepare contingency plans.
In addition, the FBI recommends using unidirectional gateways for applications that receive data from safety systems, implementing change management procedures for changes to the key-switch position that sets the safety controller's operating state, deploying safety systems on isolated networks, and reviewing the logs of network devices, web servers and third-party tools for signs of early-stage reconnaissance.
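The last recommendation, reviewing network-device logs for early reconnaissance, is the kind of thing that is easy to state and harder to operationalize. The following is an added example, not code from the FBI notification or from Schneider Electric: it screens constructed firewall log lines for three signals a safety-system owner would care about. The zone layout, the engineering-workstation allowlist, the log format and the scan threshold are all assumptions made up for the example; the one external fact it relies on is that TriStation, the Triconex engineering protocol, runs over UDP port 1502.

```python
"""Added example: screening constructed network-device log lines for early
reconnaissance and unexpected engineering-protocol traffic toward a safety
controller. Illustration code only, not FBI or Schneider Electric tooling;
the log format, zones, allowlist and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed zone layout (assumption): corporate IT, the OT/process network,
# and the address of the safety controller inside the OT zone.
IT_ZONE = ipaddress.ip_network("10.1.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.50.0/24")
SAFETY_CONTROLLER = ipaddress.ip_address("192.168.50.10")
# TriStation (the Triconex engineering protocol) uses UDP/1502. Only the
# listed engineering workstation is expected to speak it (constructed allowlist).
TRISTATION_PORT = 1502
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("192.168.50.21")}
# Scan heuristic (assumption): one source touching this many distinct
# destination ports inside the OT zone within the window is suspicious.
SCAN_PORT_THRESHOLD = 5
SCAN_WINDOW = timedelta(minutes=2)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: one legitimate engineering session, then a corporate
# host probing several OT ports and finally touching the safety controller.
SAMPLE_LOG = [
    "2017-06-01T10:00:00Z src=192.168.50.21 dst=192.168.50.10 proto=udp dport=1502 action=allow",
    "2017-06-01T10:01:00Z src=10.1.5.20 dst=192.168.50.30 proto=tcp dport=445 action=allow",
    "2017-06-01T10:01:05Z src=10.1.5.20 dst=192.168.50.30 proto=tcp dport=135 action=deny",
    "2017-06-01T10:01:10Z src=10.1.5.20 dst=192.168.50.30 proto=tcp dport=502 action=deny",
    "2017-06-01T10:01:15Z src=10.1.5.20 dst=192.168.50.30 proto=tcp dport=3389 action=deny",
    "2017-06-01T10:01:20Z src=10.1.5.20 dst=192.168.50.10 proto=udp dport=1502 action=allow",
    "not a log line",
]


def parse_line(line):
    """Parse one constructed firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"].lower(),
    }


def analyze(lines):
    """Return a list of (category, source, detail) findings for the given log lines."""
    findings = []
    ports_seen = defaultdict(list)  # src -> [(ts, dport)] for OT-zone destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # 1. Engineering-protocol traffic to the safety controller from a host that is
        #    not an approved engineering workstation: a change-management question
        #    even when the firewall allowed it.
        if (rec["dst"] == SAFETY_CONTROLLER and rec["proto"] == "udp"
                and rec["dport"] == TRISTATION_PORT
                and rec["src"] not in ENGINEERING_WORKSTATIONS):
            findings.append(("unexpected_tristation", str(rec["src"]),
                             f"udp/{TRISTATION_PORT} to safety controller, action={rec['action']}"))
        # 2. Direct IT-to-OT connection: with a unidirectional gateway or DMZ in
        #    place, a corporate host should never reach the OT zone directly.
        if rec["src"] in IT_ZONE and rec["dst"] in OT_ZONE:
            findings.append(("it_to_ot", str(rec["src"]),
                             f"{rec['proto']}/{rec['dport']} to {rec['dst']}"))
        # 3. Collect per-source port activity inside the OT zone for the sweep check.
        if rec["dst"] in OT_ZONE:
            ports_seen[rec["src"]].append((rec["ts"], rec["dport"]))
    for src, events in ports_seen.items():
        events.sort()
        # Sliding window: distinct destination ports within SCAN_WINDOW of each event.
        for i, (t0, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(window) >= SCAN_PORT_THRESHOLD:
                findings.append(("port_sweep", str(src),
                                 f"{len(window)} distinct OT ports within {SCAN_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for category, src, detail in analyze(SAMPLE_LOG):
        print(f"{category:22} {src:15} {denied if False else detail}")
```

On the sample log the script reports one unexpected TriStation session, five direct IT-to-OT connections and one port sweep, all from the same corporate host, and nothing for the approved engineering workstation. The thresholds are deliberately crude; in production they would be tuned against a baseline of normal engineering activity, and the allowlist would be maintained through the same change-management process the FBI recommends for the controller's key switch.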