Attackers behind Triconex – aka Triton – sought greater damage to equipment & people
This cyberattack in Saudi Arabia initially hit the news last December, but more details have since emerged. The attack, called Triconex, or Triton, demonstrated a new level of intent to cause harm, not only to plant equipment but also to people at the petrochemical plant in Saudi Arabia. Fortunately the operation did not fully succeed and no one was harmed, but only because the malware itself malfunctioned due to an error the attackers had made in its code.
Nation state likely behind the attack
Cyberattacks are increasing in quantity and sophistication, and Triconex shows a level of advanced technique that points to a nation state being behind it. As experts analyze the possibilities, they have considered the usual suspects: nations with enough expertise to carry out such an attack. China, Russia, Israel and the US fit this list from a capability standpoint, but none seems to have a justifiable motive, either because they are engaged in mutual energy deals with Saudi Arabia or in cooperative efforts against another nation. That nation is Iran, currently the lead suspect. Iran denies involvement, but its hacking programs have become more advanced in recent years, and it could have worked with another country such as North Korea. Tensions between Iran and Saudi Arabia have been increasing in recent years, including spilling over into cyberspace.
Triconex equipment targeted in the attack
An especially alarming aspect of the attack is that it struck Schneider’s Triconex controllers, which keep functions such as temperature, voltage and pressure within safe, regulated limits. Triconex controllers are used in about 18,000 industrial sites globally, spanning many industries including electric and power plants, oil and gas refineries, chemical and nuclear plants and water treatment facilities. The Triconex system was previously viewed as one that required physical presence to access, known as a “lock and key operation.” But investigators discovered an unexplained digital file on an engineering workstation that on the surface appeared to be a valid part of the Schneider controllers but was in fact intended to sabotage the machines. Before this, Triconex systems had not been the victim of a remote attack.
Because the use of Triconex equipment is so pervasive, there is justified concern that the attackers could repeat their actions in thousands of industrial locations around the world. Their goal this time was to cause an explosion, take human life and wreak devastation on equipment. It is only thanks to the attackers’ own coding error that this damage didn’t happen. But given that the attackers have almost certainly fixed that error by now, the world at large remains in peril from these kinds of attacks, and ICS vulnerabilities remain both abroad and in the U.S.
Shamoon and other attacks previously hit Saudi Arabia
This isn’t the first time nefarious attacks have targeted plants in Saudi Arabia. In an attack in January 2017 on the National Industrialization Company (aka Tasnee), the company’s computer hard drives were destroyed and its data wiped out. All that remained was an image of the young Syrian child Alan Kurdi, who drowned off Turkey’s coast when his family fled Syria’s war. It took the company months to recover. The virus, called Shamoon, had appeared five years earlier at another Saudi company, destroying tens of thousands of computers and that time displaying an image of a burning American flag. Iran was suspected of responsibility for that attack, as well as for others against businesses, including US banks and airlines. Many groups continue to investigate attacks on vulnerable industrial control systems, among them FireEye’s Mandiant division, Symantec, the FBI, NSA, DHS and the Pentagon’s Defense Advanced Research Projects Agency. As their research continues, more details come to light.
Schneider Electric performs and shares its own investigation results
Schneider Electric has also conducted its own investigation of the attack on its equipment. It has posted a video on YouTube of its findings (link below), transparently sharing useful information about the attack itself, how it was discovered, and much more.
Schneider Electric partners with Virsec on application security, as referenced in their video.