Triton: A malware that may very well be the new Stuxnet

Anyone who has worked in the InfoSec community is well acquainted with the various nation-state sponsored cyberattacks in the Middle East and North Africa (MENA) region. The most notable of these is the Stuxnet attack, which went after Iranian nuclear facilities and endangered numerous lives. Based on the evidence and motive, Stuxnet was most likely a joint clandestine operation between the United States and Israel that sought to cripple Iran’s nuclear program. (The two countries insisted Iran was building nukes, although Iran denied the allegations.) The ramifications of Stuxnet for global security are still being felt today, as it opened the floodgates for a new style of cyberwarfare. This is very apparent in the recent discovery of the Triton malware, which was discussed extensively in a blog post by the cybersecurity researchers at FireEye. Uncovered by FireEye’s Mandiant team, Triton was found attacking Triconex Safety Instrumented System (SIS) controllers, sold by Schneider Electric, in the Middle East.

These controllers are found in numerous industrial settings, and the malware’s use in these settings carries significant danger. The malware is capable of reading and writing programs, reading and writing functions, and much more (the sample found apparently contained a whole host of capabilities that went unused during the studied attack). As FireEye researchers point out, Triton has an “emergency shutdown capability for industrial processes” that could lead to physical damage, with the goal of crippling production and possibly harming workers in the facility. This, along with the location of the attacks, makes Triton eerily similar to Stuxnet.

FireEye researchers made the connection as well, stating in their report that:

Triton is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet, which was used against Iran in 2010, and Industroyer, which we believe was deployed by Sandworm Team against Ukraine in 2016. Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

There has been no official attribution by researchers as to who specifically the threat actors are. The only thing FireEye could say with a fair amount of certainty, based on their research (which I highly recommend you read for yourself), is that a nation-state is behind Triton. If this truly is the next Stuxnet, nations in the MENA region must brace themselves for a potential boom in cyberattacks across numerous key industries. This was just the beginning.

Photo credit: Pixabay