Cyber security firm responds to ICS Attack framework dubbed Triton

Cyber crooks use Triton malware to compromise critical infrastructure

Cyber security firm Mandiant recently responded to an incident that saw cyber crooks deploy a new ICS attack framework dubbed Triton.

According to the company, the cyber criminals tapped into the framework to cause "operational disruption" at a critical infrastructure organisation.

The company, which is owned by FireEye, detected an unnamed attacker who deployed malware in a bid to "manipulate" industrial safety systems.

These systems play an integral role in the affected organisation, providing emergency shutdown capabilities for industrial processes.

"We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations," said the security firm.

"This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers."

The company has not yet identified who carried out the attack, but it considers the activity more likely to be the work of a nation state than of an individual.

"We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack," explained researchers.

Triton joins a very short list of malware families known to target industrial control systems, following in the footsteps of Stuxnet. "Triton is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS)," said the firm.

"It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016.

"Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence."

When analysing the attack, researchers found that the attacker gained access to an SIS engineering workstation and deployed the Triton attack framework from there, with the aim of reprogramming the SIS controllers.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," wrote the researchers.

"The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.

"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage."
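The incident pattern described above (engineering workstation access, an attempt to reprogram controllers, then an unexpected fail-safe trip with an MP diagnostic failure) is the kind of sequence an asset owner can triage from its own event records. The following is an added example, not code from the article or from Mandiant; the event format and controller names are constructed, and the matching strings are assumptions rather than Triconex's actual diagnostic wording.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical (time, controller, source, message)
# format. "sis" marks controller diagnostics, "ews" marks engineering-workstation
# activity. Real Triconex diagnostic output looks different.
SAMPLE_EVENTS = [
    ("2017-08-04T08:10:00", "SIS-01", "ews", "program download to controller"),
    ("2017-08-04T09:42:00", "SIS-01", "sis",
     "fail-safe: MP diagnostic failure, redundant processor validation check failed"),
    ("2017-08-04T12:00:00", "SIS-02", "sis", "shutdown: scheduled maintenance"),
    ("2017-08-04T13:05:00", "SIS-03", "sis", "fail-safe: MP diagnostic failure"),
]


def triage_failsafe_trips(events, window=timedelta(hours=24)):
    """Map each controller that tripped to fail-safe with an MP diagnostic
    failure to the time of the most recent engineering-workstation program
    change within `window` before the trip (None when there was none)."""
    parsed = [(datetime.fromisoformat(t), c, s, m.lower()) for t, c, s, m in events]
    findings = {}
    for t, ctrl, src, msg in parsed:
        # Only unexpected fail-safe trips carrying an MP diagnostic failure count;
        # a scheduled maintenance shutdown is not a finding.
        if src != "sis" or "fail-safe" not in msg or "mp diagnostic failure" not in msg:
            continue
        prior = [pt for pt, pc, ps, pm in parsed
                 if pc == ctrl and ps == "ews" and "program" in pm
                 and t - window <= pt <= t]
        findings[ctrl] = {"trip": t, "ews_change": max(prior) if prior else None}
    return findings


def prioritise(findings):
    """Order controllers for investigation: trips preceded by a program change
    from the engineering workstation first, since that is the sequence the
    incident above followed; the rest after, by name."""
    return sorted(findings, key=lambda c: (findings[c]["ews_change"] is None, c))


if __name__ == "__main__":
    result = triage_failsafe_trips(SAMPLE_EVENTS)
    for ctrl in prioritise(result):
        print(ctrl, result[ctrl])
```

A trip with no matching program change is still returned, because a validation failure between redundant processors warrants investigation on its own; the correlation only sets the order.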