December 14, 2017
A hacker used a new type of malware targeting industrial control systems against a critical infrastructure organization in an attack that resulted in operations shutting down, according to cybersecurity experts.
Cybersecurity firm FireEye, which has dubbed the malware “Triton,” said Thursday that its subsidiary, Mandiant, recently responded to an incident at an unidentified critical infrastructure organization where an attacker, likely sponsored by a nation state, had deployed the malware and inadvertently caused operations to shut down.
The malware specifically targets Triconex safety instrumented systems (SIS), a product that is manufactured by Schneider Electric, a European energy management firm that has global operations.
Malware targeting industrial control systems is particularly rare. Since the “Stuxnet” virus was used against Iranian nuclear power plants in 2010, there have been fewer than five known families.
FireEye provided few details on the victim, but assessed with moderate confidence that the hacker was operating on behalf of a nation state, citing the significant resources needed to carry out the attack and the lack of financial motivation. The researchers believe the hacker’s main goal was to cause physical damage.
“We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack,” FireEye said.
“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors,” FireEye added. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”