The Triton malware was first identified 16 months ago by researchers from Fireeye: it targets Triconex control systems from Schneider Electric, and was linked by Fireeye to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow.
Now, Fireeye has published a report on a second instance of Triton being used in the field, this time to attack the safety instrumented systems (SIS) that use software and hardware to prevent power plants, refineries, and other large installations from exploding, venting toxic material, catching fire, etc.
The second example reveals that Triton attacks have been in the works since at least 2014, and surfaced an extensive toolsuite that gives more insight into how Triton's operators function.
The really frightening this about this is SIS targeting: that's the kind of thing that doesn't just shut down plants -- it renders them permanently inoperable, and possibly kills some or all of the people in them and near them.
The SIS attacks are a logical progression on Stuxnet and the Russian "sandworm attacks" that got out of control and did $10B damage in 2018.
We now know the first incident wasn’t isolated. There are others. That is especially disconcerting given the danger associated with this threat, which we still know very little about. Though we’ve traced this back to the Russian institute we’re at a loss for explaining the motive here or whether even this is tied to some other country who might be contracting out with the institute.
We are releasing the tools and other information on this actor in the hopes that others will find them and we will all get a better handle on this emerging and disconcerting threat actor. We understand there’s some risk that the actor may go to ground. That may have already happened. After we released the blog on attribution in this case, the institute took operational security measures. They took down some of the information on their website and changed their WHOIS.
Hopefully, this is a first step in a global hunt for this actor that leads to some answers.
Mysterious safety-tampering malware infects a second critical infrastructure site [Dan Goodin/Ars Technica]
Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed as series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, and then escaped the attackers' control and spread all over the world.
For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.
Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure, literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.
We’ve all got a perfect website in our minds. In the past, the problem has been the barrier of language – specifically, the computer languages used to create those glittering, animation-filled pages you flock to. Now, Mac users have an alternative. Blocs 3 is a website builder that can provide an easy visual interface for […]
You can do all the pre-workout stretching in the world, but that doesn’t mean you’ll escape stiff muscles and nagging pain after a particularly grueling gym session. When those knots and their accompanying aches and soreness start barking, your options usually boil down to either a deep tissue massage or just grinning and bearing it. […]