FireEye, a mainstream cybersecurity consulting firm, has recently disclosed that a state-sponsored malware development group was behind a second intrusion at a critical infrastructure facility, following its 2017 attack on a Saudi petrochemical plant, where the aim was to drive the plant's machinery outside safe limits with the chance of physical destruction. Called the “Triton” group after its eponymous malware, the actor does not damage hardware directly: TRITON targets the safety instrumented system (SIS) controllers whose job is to shut a process down when it leaves its safe operating envelope. With that safety layer disabled, an attacker who also manipulates the process can overwork equipment until it breaks down or worse. The goal closely resembles that of the Stuxnet malware, allegedly developed by the United States government with work reportedly starting around 2005, which sabotaged the centrifuges of Iran's uranium enrichment programme by driving them outside their rated speeds and so accelerating their normal wear and tear.
“The TRITON intrusion is shrouded in mystery. There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes. The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation,” explained Steve Miller, FireEye’s Principal Applied Security Researcher.
The confirmation of a second facility being intruded by the same group shows that this is not an ordinary virus infection. There is a specific target, and only that target gets infected, which is a sharp departure from “public” malware that infects whatever computer it can reach.
“We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that led to the Mandiant investigation,” emphasized FireEye’s Nathan Brubaker.
FireEye’s study reveals that these hackers operate like a military: they do not storm a system overnight, but run campaigns in instalments, with major adjustments between campaigns to improve their tooling and tradecraft. Malware is software and uses system resources like any other software, so it cannot damage hardware by itself. What it can do is make the hardware damage itself: by issuing commands to the controllers that govern a physical process, or by disabling the safety systems that would otherwise trip it, malware can push equipment past its design limits and accelerate what would otherwise be normal wear and tear.
“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack. During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom [industrial control system] malware. This attack was no exception,” added the report.
At the time of writing, other than the second facility reported by FireEye, there is no visible indication that other companies or facilities are infected. But this does not mean that Triton will not attack other entities, and it will take a while to build enough evidence to pin the operation on a specific state beyond mere accusation.
“Not only can these [tactics, techniques and procedures] be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor’s favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts,” concluded the report.
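The TTP-overlap assessment the report describes can be made concrete. The following Python is added here as an illustration and is not code from FireEye or from the report: it scores candidate actors by the rarity-weighted overlap between the techniques observed in an incident and each actor's known technique set, so that shared bespoke tradecraft (say, a custom controller implant) counts for far more than a shared commodity technique such as a webshell. The actor names and technique labels are constructed placeholders, not TRITON indicators, and the sample observation is made up for the demonstration.

```python
"""Rank candidate actors by rarity-weighted TTP overlap (added illustration).

Actor profiles and technique labels are constructed placeholders, not
indicators from the FireEye report.
"""
import math
from typing import Dict, Iterable, List, Set, Tuple

# Constructed profiles: which techniques each (hypothetical) actor has favoured.
ACTOR_PROFILES: Dict[str, Set[str]] = {
    "ACTOR-A": {"webshell", "ssh-tunneling",
                "sis-controller-implant", "renamed-admin-tools"},
    "ACTOR-B": {"webshell", "ssh-tunneling", "ransomware-deployment"},
    "ACTOR-C": {"webshell", "phishing-macro", "credential-dumping",
                "ransomware-deployment"},
}


def technique_weights(profiles: Dict[str, Set[str]]) -> Dict[str, float]:
    """Weight each technique by how few actors use it (an IDF-style score).

    A technique every actor uses (e.g. a webshell) still gets a small positive
    weight; a technique only one actor uses gets the largest weight.
    """
    n_actors = len(profiles)
    doc_freq: Dict[str, int] = {}
    for ttps in profiles.values():
        for technique in ttps:
            doc_freq[technique] = doc_freq.get(technique, 0) + 1
    return {t: math.log(1 + n_actors / df) for t, df in doc_freq.items()}


def weight_of(technique: str, weights: Dict[str, float], n_actors: int) -> float:
    """Weight of a technique; one seen in no profile counts as maximally rare."""
    return weights.get(technique, math.log(1 + n_actors))


def overlap_score(observed: Set[str], profile: Set[str],
                  weights: Dict[str, float], n_actors: int) -> float:
    """Weighted Jaccard similarity between observed TTPs and an actor profile.

    Sum of weights of shared techniques divided by the sum of weights of all
    techniques in either set: rare shared tradecraft dominates, and techniques
    present on only one side (unexplained by the other) pull the score down.
    """
    if not observed:
        return 0.0
    shared = sum(weight_of(t, weights, n_actors) for t in observed & profile)
    either = sum(weight_of(t, weights, n_actors) for t in observed | profile)
    return shared / either


def rank_actors(observed: Iterable[str],
                profiles: Dict[str, Set[str]] = ACTOR_PROFILES
                ) -> List[Tuple[str, float]]:
    """Return (actor, score) pairs, best match first."""
    observed_set = set(observed)
    weights = technique_weights(profiles)
    n_actors = len(profiles)
    scored = [(name, overlap_score(observed_set, ttps, weights, n_actors))
              for name, ttps in profiles.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed observation from a hypothetical incident response engagement.
    seen_in_incident = ["webshell", "ssh-tunneling", "sis-controller-implant"]
    for actor, score in rank_actors(seen_in_incident):
        print(f"{actor}: {score:.3f}")
```

A score like this supports an assessment of actor association; it is not attribution on its own. The weighting is the point: the webshell appears in every profile and contributes little, while the controller implant, used by one actor only, is what separates ACTOR-A from ACTOR-B in the sample run. A technique never seen in any profile is treated as maximally rare, so novel tooling in an incident lowers every candidate's score rather than being silently ignored, which is the behaviour a responder wants when deciding whether the overlap is strong enough to act on.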