Triton (malware)
Triton (also known as Trisis or HatMan) is malware first discovered at a Saudi Arabian petrochemical plant in 2017.[1][2] It can disable safety instrumented systems, which can then contribute to a plant disaster.[3]
Background
In December 2017, it was reported that the safety systems of an unidentified power station, believed to be in Saudi Arabia, were compromised when the Triconex industrial safety technology made by Schneider Electric SE was targeted in what is believed to have been a state-sponsored attack. The computer security company Symantec claimed that the malware, known as "Triton", exploited a vulnerability in computers running the Microsoft Windows operating system to access a computer connected to the Triconex system.[2]
While the attack was not reported until December 2017, the first signs appeared in June 2017 when the attackers triggered the plant's safety system, temporarily shutting down the plant. The shutdown was believed at the time to be a mechanical fault in the safety system. In August 2017, the plant shut down a second time, prompting an investigation that led to the discovery of the malware.[3]
The attack exploited a zero-day vulnerability to create a backdoor giving easy access to the Triconex systems. It was also discovered that one of the major factors enabling the attack was that several physical key switches had been left in a position that allowed the Triconex systems to be accessed. The malware was found to be capable of disabling the safety systems, potentially leading to unsafe conditions for workers at the plant.[3] Because of this, Triton is often credited as the first piece of malware created to target industrial safety systems with the primary intention of causing human death.[2][3]
In 2018, FireEye, a company that researches cyber-security, reported that the malware most likely came from the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a research entity in Russia.[4]
It was reported by Wired that Triton's attacks were registered in North America, China, and Russia.[5]
Impact
While the incident at the Saudi Arabian plant did not lead to any human harm, it led to investigations by cybersecurity researchers and entities such as the US Department of Homeland Security.[2] The incident demonstrates the potential for cyberattacks on critical infrastructure and also offers lessons from the mistakes made at the plant that led to the incident.[3]
See also
- Advanced persistent threat
- Cyber electronic warfare
- Cyber security standards
- Cyberattack
- Cyberterrorism
- Stuxnet
References
- Franzetti, Davide (26 February 2019). "Oil & Gas Cybersecurity and Process Safety Converge". Security Boulevard. Archived from the original on 29 January 2023. Retrieved 11 October 2019.
- Gibbs, Samuel (15 December 2017). "Triton: hackers take out safety systems in watershed attack on energy plant". The Guardian. Retrieved 12 October 2019.
- Giles, Martin (5 March 2019). "Triton is the world's most murderous malware, and it's spreading". Technology Review.
- Sobczak, Blake (7 March 2019). "The inside story of the world's most dangerous malware". E&E News.
- "Cos'è Triton, il malware che può causare incidenti catastrofici". Wired Italia (in Italian). 8 March 2019. Retrieved 30 June 2023.