Mandiant, a FireEye company, recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems, according to FireEye's blog.
"The targeted systems provided emergency shutdown capability for industrial processes," the company writes in the publication. "We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation-state preparing for an attack.
"TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.
"The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.
"The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol." (TriStation is a brand of Schneider Electric.)
In addition to FireEye, Dragos and Symantec have also published reports on this issue. According to Dragos, the malware has been deployed against at least one victim, which was identified in the Middle East. There is currently no intelligence indicating that there are victims outside of the Middle East.