Skip to main content
  1. Home
  2. Computing
  3. News

Sophisticated ‘Triton’ malware shuts down industrial plant in hacker attack

By
Cybersecurity experts at FireEye have issued a warning after a recent hacker attack caused “operational disruption to critical infrastructure” at an unnamed industrial plant. The hackers introduced a malware program that FireEye is calling “Triton” into the security system, likely in preparation for a larger attack.
Recommended Videos

This was not someone in a basement, either. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” they concluded.

Related

The location of the plant or the nature of its operations was not disclosed, although Reuters reports that the security company Dragos said it was a plant in the Middle East, while another firm, CyberX, believed the target was in Saudi Arabia.

A security alert was issued for users of Triconex, a safety program that’s widely used in energy facilities such as nuclear plants and oil refineries. The nature of the breach has raised concerns among cybersecurity analysts. “This is a watershed,” said Sergio Caltagirone of Dragos. “Others will eventually catch up and try to copy this kind of attack.”

Cybersecurity firm Symantec says the Triton program has been around since August, and it targets a specific type of safety instrumental system (SIS) and reprograms them. The malware could cause the SIS to shut down plant operations or, with a sophisticated enough attack, nullify the SIS and allow an unsafe condition to escalate, leading to a widespread industrial accident.

In this particular case, when Triton attempted to reprogram the SIS controllers, some instead entered a safe shutdown mode, which halted plant operations and alerted the operators about the rogue software. FireEye believes the hackers accidentally triggered the shutdown while probing the plant’s security systems.

“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation-state actors,” FireEye said in its report.

The security company noted that the attacker could have easily shut down the plant, but instead continued with repeated attempts to gain control of the SIS. “This suggests the attacker was intent on causing a specific outcome beyond a process shutdown,” they said.

Triton is the third malware program analysts have encountered that’s able to interrupt industrial production. Stuxnet, discovered in 2010, is widely credited with helping to disrupt Iran’s nuclear program. The virus Industroyer was used in 2016 to cause widespread power outages in Ukraine.

Editors’ Recommendations

Topics
Mark Austin
Mark Austin
Former Digital Trends Contributor
Mark’s first encounter with high-tech was a TRS-80. He spent 20 years working for Nintendo and Xbox as a writer and…
Hackers sink to new low by stealing Discord accounts in ransomware attacks
a faceless hacker in a black hoodie in front of a computer screen with lines of code on it

As if ransomware wasn’t terrifying enough already, hackers are now trying to hold your Discord account hostage, as well as your files. Thankfully, you can grab your Discord back if you act quickly enough.
This new ransomware campaign was recently discovered by leading cybersecurity firm Cyble, and it’s a particularly nasty one. A wave of similar attacks is emerging, including AXLocker, Octocrypt, and Alice. Ransomware encrypts files on the infected computer before demanding that you pay to decrypt your files to regain access.

Something uniquely cruel about AXLocker is that it also copies your Discord token and sends it to the hacker's server, giving them an opportunity to access and steal your Discord account. The malware is sneaky and leaves file names and extensions intact as it encrypts files so you might not notice anything is wrong until you see the ransom note.

Read more
Hackers are infiltrating news websites to spread malware
A black fedora rests on top of newspapers infected with spreading green lines..

Some alarming news broke today that hundreds of U.S. news websites are unwittingly playing a big role in a new malware campaign that's disguised as a Chrome browser update. This is quite a devious attack method since it's considered an important security practice to update your browser as soon as possible.

The way hackers are delivering the malware is also clever. It’s coming via an advertising network that also supplies video content to newspaper websites across the nation. It’s difficult to identify and shut down this attack because it is applied intermittently. According to a tweet by the security research team Threat Insight, the JavaScript code is being changed back and forth from the normal harmless ad delivery script to the one that includes the hacker code that shows a false update alert.

Read more
Nullmixer is a nasty, new Windows malware dropper
Windows shows a malware warning on a Dell laptop.

Nullmixer is a nasty, new malware dropper that gives us another reason to avoid questionable Windows downloads. Your computer can become infected with malware after downloading and running the dropper, which is disguised as illegal, cracked software or some other app that might prompt you to ignore warnings from your antivirus software.

The horrific thing about Nullmixer is how thoroughly your computer can be hacked by this app. According to the computer security and antivirus company Kaspersky, several families of malware are installed, amounting to dozens of apps that get busy stealing credentials and data, hacking into crypto wallets, and showing black-hat advertising. Every type of malware will begin running on an infected PC, crippling performance and plaguing its owner.

Read more