Hackers, probably working for a nation-state, penetrated the safety system of a critical infrastructure facility in a carefully planned attack that caused the plant to shut down. The incident, which occurred recently, was described by Mandiant, a company specializing in advanced cybersecurity threats that belongs to the computer security firm FireEye.
The investigation revealed that the attackers used this sophisticated malware to take remote control of a Windows workstation that operated a safety system made by Schneider Electric SE.
Electricity and gas supplies are among the targets
The malware, which according to Symantec has existed since August of this year (Symantec has also detected it and is investigating), posed as a legitimate application. Once inside, it injected code that modified the behavior of the safety instrumented systems (SIS) with “an alternative logic”, and then reprogrammed the controllers that are used to look for possible safety problems in the plant.
What happened in this incident is that some of the controllers being manipulated entered a fail-safe mode. This caused the processes associated with them to stop and the industrial process to halt, initiating a safe shutdown, and the plant noticed the attack. In other cases, the Triton attack could give the hackers control of the facilities so that they could cause physical damage. That, according to the researchers, is what it was designed to do.
Although FireEye has declined to identify the victim of the attack, Symantec says that, “according to reports, Triton has been used against at least one organization in the Middle East.”
The motivations behind these attacks
“FireEye has not connected this activity with any actor that we are currently tracking; however, we assess with moderate confidence that the actor is sponsored by a nation-state. The targeting of critical infrastructure, as well as the attacker's persistence, the lack of a clear monetary objective and the technical resources necessary to create the attack framework, suggest a well-resourced nation-state actor.”
The security company bases these suspicions on the fact that the attacker acted against safety systems, which suggests an interest in causing “a high-impact attack with physical consequences”, something that is unusual among ordinary hackers.
Moreover, designing the malware and planning the operation requires access to hardware and software that are not widely available; the communication protocol used is not publicly documented, “which suggests that the adversary independently designed this protocol”; and the choice of critical infrastructure “is consistent with numerous attack and reconnaissance activities carried out globally by Russians, Iranians, North Koreans, Americans and Israelis”.
In the past, one of the few pieces of malware with these characteristics, Stuxnet, most likely targeted Iran's high-value infrastructure, according to analysts and the media.