Triton framework used in industrial control attacks

Researchers analyzed industrial control system attacks and found malware designed to cause real-world damage and potentially shut down critical infrastructure.

The industrial control system (ICS) attacks that were spotted by FireEye's Mandiant threat research team used what FireEye called the Triton framework, because it targets Triconex Safety Instrumented System (SIS) controllers. FireEye said the Triton framework tool was built with "the ability to read and write programs, read and write individual functions, and query the state of the SIS controller" and targeted systems that "provided emergency shutdown capability for industrial processes." However, the researchers said the aim of the malicious actors went beyond simply shutting down systems.

"The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment," FireEye researchers wrote in a blog post. "While these attempts appear to have failed due [to] one of the attack scripts' conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown."

The researchers said the attackers were well-prepared, noting that the Triton framework tool would have required reverse-engineering the proprietary TriStation protocol, and the attack tool was already built and tested before putting it into use. This "persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation-state actor," researchers said, but no specific nation state was suggested.

Although it is unclear which organization was the target of the Triton framework ICS attacks, some research pointed to a victim in the Middle East. Phil Neray, vice president of industrial cybersecurity at CyberX, based in Framingham, Mass., claimed "Saudi Arabia [was] the likely target of this attack, which would indicate Iran as the likely attacker."

"It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and, more recently, in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat, because now we're talking about critical infrastructure. But it's also a logical next step for the adversary," Neray told SearchSecurity. "Stuxnet and, more recently, Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches."