A powerful malware, dubbed Triton or Trisis, which allows hackers to gain remote access to energy facilities’ safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and has already been used in December 2017 to shut down an oil and gas facility in the Middle East.
According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware is likely created by a nation-state and targets safety systems of industrial control systems (ICS). Triton specifically targets the safety instrument system (SIS) produced by Schneider Electric’s Triconex.
Triton can reportedly allow hackers to dismantle safety systems, which can lead to the breakdown of machinery or even cause explosions. Quoting three anonymous sources, Cyberscoop reported that the malware’s framework was inadvertently posted to VirusTotal by Schneider Electric. The malware has reportedly been publicly available since 22 December and could have been downloaded by anyone.
How does such dangerous malware accidentally leak online? Someone was either extremely careless, or there was nothing accidental about this at all.
Successful attacks against critical infrastructure operators may very well prove devastating in the event of an actual global military conflict. Malware like Triton is not just used for gaining access to systems; these are military-grade tools developed by nation states.
In February 2015, Outpost24 identified two additional security issues in Honeywell XLWeb: a directory traversal flaw (CVE-2015-0984), and a default, unchangeable account. An attacker can authenticate on the FTP server using the default account, traverse the working directory by leveraging the path traversal bug, and upload a shell that allows them to execute OS commands, researchers said.
Honeywell addressed the directory traversal by March 10, and ICS-CERT published an advisory on March 17. Outpost24 published a blog post containing additional details on this attack on April 22.
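The chain described above hinges on the server accepting a path that escapes its working directory. The following is an added example, not code from the page, from Outpost24 or from Honeywell; it shows the containment check a fixed server would apply before serving or storing a file, and reuses that check to flag escaping requests in a constructed FTP command log. The root path, the log format and the log lines are all assumptions made up for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed example root; a real daemon uses whatever directory it is configured to serve.
FTP_ROOT = "/srv/ftp"


def resolve_inside_root(root: str, requested: str) -> Optional[str]:
    """Return the normalized absolute path for `requested` if it stays under `root`.

    Returns None when the path would escape the root. Handles '..' segments,
    single- and double-percent-encoded sequences, backslash separators and
    embedded NUL bytes, all of which are common ways to smuggle a traversal.
    """
    decoded = unquote(unquote(requested))      # "%2e%2e" -> "..", also "%252e" -> ".."
    if "\x00" in decoded:                      # a NUL can truncate the path in a C-level open()
        return None
    decoded = decoded.replace("\\", "/")       # treat backslashes as separators, not filename chars
    root_norm = posixpath.normpath(root)
    # Always interpret the request relative to the root, even if it starts with '/'.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    prefix = root_norm if root_norm.endswith("/") else root_norm + "/"
    if candidate == root_norm or candidate.startswith(prefix):
        return candidate
    return None


# Constructed log lines in a hypothetical "<CMD> \"<path>\"" format (not a real daemon's format).
SAMPLE_LOG = [
    'RETR "docs/manual.pdf"',
    'STOR "../../../tmp/upload.bin"',
    'RETR "docs/../docs/notes.txt"',
    'RETR "%2e%2e/%2e%2e/etc/passwd"',
]

_LINE_RE = re.compile(r'^(?P<cmd>[A-Z]{4})\s+"(?P<path>[^"]*)"')


def find_escaping_requests(root: str, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (command, path) for every logged request whose path escapes `root`."""
    flagged = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue                           # ignore lines that carry no file path
        if resolve_inside_root(root, m.group("path")) is None:
            flagged.append((m.group("cmd"), m.group("path")))
    return flagged


if __name__ == "__main__":
    for cmd, path in find_escaping_requests(FTP_ROOT, SAMPLE_LOG):
        print(f"traversal attempt: {cmd} {path}")
```

The check normalizes before comparing and anchors every request to the root rather than trusting a leading slash, so "docs/../docs/notes.txt" is accepted while "../../../tmp/upload.bin" is rejected; the same function serves as a cheap log-review filter for servers that cannot be patched promptly.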
John Stock, technology program director at Outpost24, revealed during a talk at the Infosecurity Europe 2015 conference that only one company had patched the vulnerability he and Martin Jartelius, CSO of Outpost24, reported to Honeywell this year. The number has since increased to three (as of June 8), but that still shows a low patching rate considering that tens of systems are accessible on the Internet.
This is what makes critical infrastructure protection increasingly difficult: end-users are wary of installing vendor security updates for fear they may break mission-critical functionality. Either that, or the people with the requisite expertise are no longer working at the company and there is nobody available who is fully capable of applying the update and mitigating any issues arising from the patch.
According to a new report by Dell Security, cyber attacks on supervisory control and data acquisition (SCADA) systems doubled last year, and they have increased 600% since 2012. As alarming as those statistics are, another key finding is even more troubling: physically disruptive attacks are becoming increasingly common. In fact, 25% of all cyber incidents last year were a specific type of attack that can flood SCADA systems and shut down mechanical devices, potentially disrupting physical operations. These attacks are expected to worsen over the next few months and years, and the US is the third most targeted country in the world. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) similarly found that critical infrastructure attacks are up, the energy industry is the most heavily targeted sector of all (32% of attacks) and “denial-of-service” attacks have become a favorite of attackers.
There are three reasons why sophisticated attacks are occurring more frequently: hacktivists, hackers with ties to foreign governments and organized crime. Electric utilities are a prime target for all three of these groups, whose motivations range from political activism and geopolitics to profiteering, and we should expect these attacks to worsen over the next few years.
This is the space to watch: SCADA attacks are increasing in frequency and at some time in the future we will reach a tipping point. Stuxnet was just the beginning.