The Triton malware was first identified 16 months ago by researchers from Fireeye: it targets Triconex control systems from Schneider Electric, and was linked by Fireeye to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow.
Now, Fireeye has published a report on a second instance of Triton being used in the field, this time to attack the safety instrumented systems (SIS) that use software and hardware to prevent power plants, refineries, and other large installations from exploding, venting toxic material, catching fire, etc.
The second example reveals that Triton attacks have been in the works since at least 2014, and surfaced an extensive toolsuite that gives more insight into how Triton's operators function.
The really frightening this about this is SIS targeting: that's the kind of thing that doesn't just shut down plants -- it renders them permanently inoperable, and possibly kills some or all of the people in them and near them.
The SIS attacks are a logical progression on Stuxnet and the Russian "sandworm attacks" that got out of control and did $10B damage in 2018.
We now know the first incident wasn’t isolated. There are others. That is especially disconcerting given the danger associated with this threat, which we still know very little about. Though we’ve traced this back to the Russian institute we’re at a loss for explaining the motive here or whether even this is tied to some other country who might be contracting out with the institute.
We are releasing the tools and other information on this actor in the hopes that others will find them and we will all get a better handle on this emerging and disconcerting threat actor. We understand there’s some risk that the actor may go to ground. That may have already happened. After we released the blog on attribution in this case, the institute took operational security measures. They took down some of the information on their website and changed their WHOIS.
Hopefully, this is a first step in a global hunt for this actor that leads to some answers.
Mysterious safety-tampering malware infects a second critical infrastructure site [Dan Goodin/Ars Technica]
Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed as series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, and then escaped the attackers' control and spread all over the world.
For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.
Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure, literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.
The notion of two people sleeping in the same bed always inspires romantic visions of love and intimacy. However, most quickly realize that the romance of sleeping together is often quickly replaced by the realities of the act. One partner snores. The other talks in their sleep. One grinds their teeth. The other hogs the […]
Add Internet of Things to the shortlist of those actually benefiting from the effects of the COVID-19 pandemic. You might not realize it, but the organizing principle that is bringing more automation to the world is actually proving to be a major asset as human beings are forced to stay home and away from the […]
We’ve all had those nights where we’re working on a laptop or scrolling through our phone before glancing at the time to find it’s actually a lot later than we thought. Most nights, you’d be fast asleep or at least dead tired at midnight or 1 or 3 a.m. But after staring at a screen, […]