Iran Used “Triton” Malware to Target Saudi Arabia: Researchers

The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX.

FireEye and Dragos reported on Thursday that a new piece of malware designed to target industrial control systems (ICS) had caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

CyberX has also obtained samples of the malware and based on its threat intelligence team’s investigation, Triton/Trisis was likely created by Iran and the victim was likely an organization in Saudi Arabia.

“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.

“Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.

FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did however note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

Triton is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.

The malware uses the proprietary TriStation protocol to communicate with SIS controllers, and it’s capable of adding new ladder logic that allows the attackers to manipulate devices.

In the attack analyzed by FireEye and Dragos, the hackers’ activities resulted in the SIS controller triggering a process shutdown, which led to the discovery of the attack. However, experts believe the shutdown was likely an accident. One possible scenario is that the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.

Schneider Electric has published an advisory to inform customers about the incident and provide recommendations on how to prevent potential attacks. The company says there is no evidence that the malware exploits any vulnerabilities in the Triconex product, but it’s still working on determining if there are any other attack vectors.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Neray commented. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”