Triton, A New Malware, Threatens the Security of Industrial IoT

March 11, 2019 - 8 minutes read

It’s no secret that Internet of Things (IoT) developers need to take security more seriously. And a new threat shines a light on exactly why more measures need to be taken sooner rather than later.

Triton is malicious software capable of disabling industrial safety systems and causing catastrophic damage. It was first found in the Middle East a few years ago. But now the hackers behind it are expanding their targets to North America and other countries.

Crossing the Rubicon

In the summer of 2017, a Saudi Arabian petrochemical plant was repeatedly experiencing outages. Initially, the plant’s owners attributed it to a mechanical glitch. But after the second one, they called in Australian cybersecurity consultant Julian Gutmanis to investigate. What he found was alarming, to put it mildly.

A new malware was present which allowed hackers to take over the plant’s physical controllers and their associated software. Usually, these systems are the last line of defense against life-threatening disasters; when a dangerous condition is detected, they either return processes to normal levels or shut them down completely.

The new malware, now called Triton, specifically targeted the Triconex safety controller model made by Schneider Electric. It enabled its creators to remotely take over these safety systems. Fortunately, before any catastrophic consequences were realized, a flaw in the hackers’ code gave them away. Otherwise, it could have let the hackers either release toxic hydrogen sulfide gas into the surrounding area or cause explosions.

The event marked a line that attackers had never crossed before: it was the first time security investigators had seen code created specifically to hurt people. As Gutmanis explains, “It was about as bad as it could get. We knew that we couldn’t rely on the integrity of the safety systems.”

It gets worse. These safety instrumented systems aren’t only utilized in petrochemical plants; they’re also used in nuclear power stations, transportation systems, water treatment facilities… essentially all infrastructure used to make modern society run the way it does. And with the advent of the industrial Internet of things (IIoT), this equipment is only being employed more with each day.

As if things weren’t bad enough, Dragos, the firm which Gutmanis works at, claims it has found evidence that the hackers behind Triton are researching potential targets in areas such as North America. The hacking group is also working on improving Triton so it can compromise more types of safety instrumented systems.

Deconstructing the Deadly Malware

Since the events of 2017, cybersecurity groups around the world have been racing to reverse engineer Triton and figure out who’s behind it. While the hacking group’s identity hasn’t been established yet, it’s clear that they are patient, calculated, and can create sophisticated cyberweaponry.

It appears the hackers first infiltrated the Saudi Arabian petrochemical company’s IT network back in 2014. They then most likely found a way into the plant’s network through a poorly configured firewall. After this, they gained access to the engineering workstation either through interception of employee credentials or an unpatched flaw in its code.

From there, the hackers were able to learn everything about the system, from the make and model of its parts to the current version of the firmware it was running. While all of this is undoubtedly impressive, the hackers likely took things a step further by acquiring and testing their malware on a Schneider machine identical to the plant’s equipment. This allowed them not only to mimic established protocols but to discover a previously unknown vulnerability in the Triconex firmware.

When all was said and done, the intruders could have made the safety systems disable themselves whenever they wanted and then used other malicious software to trigger a disaster. To put things in perspective, the world’s worst industrial disaster occurred in Bhopal, India during the end of 1984. A cloud composed of toxic fumes was released which ended up killing thousands and injuring even more.

This event was chalked up to poor maintenance and human error. But today, we face intruders who may cause this on purpose.

Unprecedented Potential for Damage

In the past, the cybersecurity world has dealt with threats that have shut down huge portions of power grids and even destroyed equipment in nuclear power plants. But as we previously mentioned, Triton crosses a new line.

“Targeting safety systems just seemed to be off limits morally and really hard to do technically,” says Joe Slowik, a former US Navy information warfare officer and current employee at Dragos. Bradford Hegrat, an industrial cybersecurity consultant at Accenture, agrees: “Even with Stuxnet and other malware, there was never a blatant, flat-out intent to hurt people.”

Cybersecurity experts see no coincidence between Triton’s arrival and the fact that hackers from countries such as North Korea, Russia, and Iran have been working on improving their abilities to probe critical infrastructure networks. Initially, Triton was believed to be the work of Iran due to the country’s animosity towards Saudi Arabia.

But FireEye, one of the cybersecurity firms called in to investigate, found an IP address in the code that is registered to Moscow’s Central Scientific Research Institute of Chemistry and Mechanics. FireEye even found evidence that pointed toward a specific professor at the institute.

Unfortunately, pinning down the culprit behind a cybersecurity threat is hardly ever straightforward. And the evidence FireEye has obtained has been judged insufficient to point a finger confidently.

Many researchers and cybersecurity experts are hard at work on elucidating the origins of Triton. Which is good, because Gutmanis notes that the Saudi Arabian petrochemical plant had superior security to many of its American counterparts: “I’ve been into a lot of plants in the US that were nowhere near as mature as this organization was.”

A Need for More Secure IoT

With the ability to deliver unparalleled efficiency through sensors and connectivity, it’s no wonder that IoT has expanded beyond its usual circles in the San Francisco development community and into nearly every industrial sector of America. According to the ARC Group, which tracks the IIoT market, businesses are expected to spend $42 billion this year on IIoT equipment.

But if substantial issues like Triton aren’t dealt with adequately, the immense potential of IIoT could easily turn sour. Clearly, drastic measures must be taken.

What do you make of this recent development in IIoT cybersecurity? How can we ensure a safe future going forward? And how can we thwart the next moves of the hackers behind Triton? Let us know your thoughts in the comments.
