UPDATED 21:44 EST / APRIL 10 2019

SECURITY

New malware attack causes real-world damage

Security researchers have uncovered a new attempted hack using Triton malware, which targets industrial equipment in an effort to cause physical damage to its targets.

Triton was first detected in 2017 when it was used to target the operations of a critical-infrastructure organization in the Middle East. A later report, which attributed Triton to Russia, noted that the malware targeted equipment sold by Schneider Electric SE that’s used in oil and gas facilities.

Triton is unique in that its attackers apparently aren’t interested in causing network damage or stealing data but instead in causing actual damage to equipment. That can include catastrophic failures that in a worst-case scenario could result in the loss of life as well.

The new attempted hack using Triton was detected by researchers at FireEye Inc., who said they had uncovered an additional intrusion using the same malicious software against a different critical infrastructure site.

As with the previous case, the attack was primarily focused on the unnamed facility’s operational technology, that is, the systems used to manage and monitor physical processes and devices.

“They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information,” the researchers said. “Most of the attack tools they used were focused on network reconnaissance, lateral movement and maintaining presence in the target environment.”

The attackers’ tradecraft was also notably complex: they used both public and custom backdoors, along with web shells and credential-harvesting tools, to avoid antivirus detection and remain undiscovered.

Remarkably, the attackers were found to have been present in the targeted system for almost a year before gaining access to their final target, an engineering workstation where they attempted to deploy the Triton malware itself.
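The behaviour described above (quiet reconnaissance, lateral movement across the IT side, and eventually a logon onto an OT engineering workstation) is exactly the kind of activity that network-zone-aware logon monitoring is meant to surface. The following Python script is an added defender-side illustration, not tooling from FireEye or from the article: it runs two simple rules over a constructed set of successful-logon records and a constructed asset inventory. The host names, zones, accounts and the fan-out threshold are all assumptions chosen for the example.

```python
"""Toy detection of IT-to-OT lateral movement in constructed logon records.

Hypothetical example (not FireEye's or the article's own tooling). It assumes a
list of successful-logon records with fields
    timestamp, account, source_host, dest_host
and an asset inventory that labels each host with a zone ("it", "dmz", "ot")
and a role. Both inputs are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: host -> (zone, role). Host names are hypothetical.
ASSETS = {
    "it-ws-01": ("it", "workstation"),
    "it-srv-fs": ("it", "fileserver"),
    "dmz-jump-01": ("dmz", "jumphost"),
    "ot-ews-01": ("ot", "engineering_workstation"),
    "ot-hmi-01": ("ot", "hmi"),
}

# Constructed successful-logon records: (timestamp, account, source_host, dest_host).
# The "svc-backup" account models a service account that an intruder has taken over
# and is using to pivot toward the engineering workstation.
LOGONS = [
    ("2019-03-01T08:00:00", "jdoe", "it-ws-01", "it-srv-fs"),
    ("2019-03-01T08:05:00", "svc-backup", "it-srv-fs", "it-ws-01"),
    ("2019-03-02T22:10:00", "svc-backup", "it-ws-01", "dmz-jump-01"),
    ("2019-03-02T22:12:00", "svc-backup", "dmz-jump-01", "ot-ews-01"),
    ("2019-03-03T03:40:00", "svc-backup", "it-srv-fs", "ot-ews-01"),
    ("2019-03-03T09:00:00", "ot-engineer", "ot-hmi-01", "ot-ews-01"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    detail: str


def zone_of(host):
    """Zone of a host from the inventory; unknown hosts are treated as untrusted."""
    return ASSETS.get(host, ("unknown", "unknown"))[0]


def role_of(host):
    return ASSETS.get(host, ("unknown", "unknown"))[1]


def find_zone_crossings(logons):
    """Rule 1: any logon onto an OT engineering workstation whose source is not in the OT zone."""
    findings = []
    for ts, account, src, dst in logons:
        if role_of(dst) == "engineering_workstation" and zone_of(src) != "ot":
            findings.append(Finding("ot_ews_from_non_ot", account, f"{ts} {src}->{dst}"))
    return findings


def find_fan_out(logons, max_distinct_dests=2):
    """Rule 2: an account that reaches more distinct hosts than its baseline allows.

    The threshold is an assumed baseline; in practice it would come from per-account history.
    """
    dests = defaultdict(set)
    for _, account, _, dst in logons:
        dests[account].add(dst)
    return [
        Finding("account_fan_out", account, f"{len(hosts)} distinct hosts: {sorted(hosts)}")
        for account, hosts in sorted(dests.items())
        if len(hosts) > max_distinct_dests
    ]


def analyze(logons):
    """Run both rules and return the combined list of findings."""
    return find_zone_crossings(logons) + find_fan_out(logons)


if __name__ == "__main__":
    for finding in analyze(LOGONS):
        print(finding.rule, finding.account, finding.detail)
```

On the constructed data, rule 1 fires twice (the jump-host and file-server logons onto `ot-ews-01`) and rule 2 fires once for the service account that has touched three different hosts, while the engineer's routine HMI-to-workstation logon stays silent. The point of the zone model is that a logon onto an engineering workstation is judged by where it came from, not only by whether the credential was valid, which is what a long, credential-based intrusion like the one described relies on going unnoticed.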

“This is very targeted malware that can have a significant impact,” Tim Erlin, vice president of product management and strategy at Tripwire Inc., told SiliconANGLE. “We’re not talking about the usual ransomware here. Triton is designed specifically to attack control systems.”

And those are highly specialized systems, he added. “Installing your standard anti-malware software isn’t the right solution,” he said. “The safety system engineers and vendors are the right source for defensive techniques.”
