Triton Malware Exploited Zero-Day in Schneider Electric Devices

The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.

The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the TriStation proprietary protocol to interact with SIS controllers, including read and write programs and functions.

Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool – expected to become available next month – that detects the presence of the malware on a controller and removes it.

Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it’s set to PROGRAM mode. The vendor recommends against keeping the controller in this mode when it’s not actively configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the existence of the vulnerability, which Schneider has described as only one element in a complex attack scenario.

The company noted that its product worked as designed – it shut down systems when it detected a potentially dangerous situation – and no harm was incurred by the customer or their environment.

In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems.

“The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers. Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access,” Schneider said.

The industrial giant has advised customers to always implement the instructions in the “Security Considerations” section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to “PROGRAM” mode.

While it’s unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran and the targeted organization was in Saudi Arabia.

Related: Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

Related: DHS Warns of Malware Targeting Industrial Safety Systems