The Triton Malware Attack
Completely unsolved cybercrime cases are relatively rare. Normally, when an attack occurs, one of the most important steps of the investigation is tracing it back to the attacker. This is especially important when looking into dangerous malware. However, the Triton malware attack of 2017 is one of the most dangerous cases of malware ever seen, and it has gone completely unsolved.
What are SIS?
In order to understand this malware, we first have to understand Safety Instrumented Systems (SIS). These systems are hardware and software controls put in place to prevent system malfunctions that can lead to disaster. They are deployed in chemical, nuclear, electrical, or mechanical plants as safety precautions. They aren’t used day to day, but they are always ready in case an unsafe process occurs and the entire plant needs to shut down. They are designed to detect dangerous conditions in the plant and immediately begin a process to return to safe levels, or to perform a complete shutdown, in order to prevent catastrophic damage.
Triton’s Attack
Triton malware targeted the SIS at a Saudi Arabian oil refinery in 2017. The plant’s SIS, called Triconex, was attacked by Triton with the goal of remote takeover. Thankfully, another safety system noticed the change in Triconex’s code and began a shutdown before the attack was complete. Just a couple of months later, the same thing happened again. Only after the second shutdown were investigators called in to look into the plant’s internal systems.
The What If...
The scariest part of this attack is what could have happened had the attackers succeeded. Triton was meant to shut down the plant’s SIS, effectively getting rid of its last line of defense. If the attackers also planned to take over the mechanical systems of the plant, which was most likely their next step, then they would have been able to run unsafe processes and cause a lot of damage. The worst-case scenario is that toxic hydrogen sulfide gas would be released and would result in massive explosions within the plant. These explosions would also affect surrounding areas, filling the air with toxic chemicals.
Thankfully, the plant was shut down before this could happen. However, when investigators were eventually called in, they didn’t have much success beyond diagnosing the attack. In recent years, the only progress that has been made on the case is that cybersecurity firms have been able to trace the hackers’ activity in the system all the way back to 2014, meaning that the hackers had been in the plant’s systems for years before finding a way to target the SIS. Since that finding, a cybersecurity firm, FireEye, has been able to track down the location where the first attack originated. At first, many people thought Triton had come from Iran because of its political clashes with Saudi Arabia. FireEye did a thorough search of all the petrochemical company’s networks and found a file that had been left behind during the development of the malware. The file contained an IP address registered to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. The institute is government owned and focuses on industrial infrastructure and safety. That being said, no solid evidence has been found apart from the IP address, and no arrests have ever been made.
Why Was Triton So Important?
To understand the true gravity of this attack, we have to break down the intentions of the hackers. Their goal was to knock out the safety systems of a petrochemical plant. The result would have been loss of life on an extreme scale. This is one of the few cases where a cyberattack’s goal was such extreme physical harm. Another example is Stuxnet, which we have previously discussed. An attack of this magnitude was a huge development in the cyber world, as it showed us what really happens when cybercrime goes unchecked. Although Triton is still unsolved, it taught us the importance of paying attention to unlikely targets. Industrial companies focus a lot of energy on the safety of their equipment and processes, but Triton was a wake-up call. Now, more than ever, it is important to ensure the safety of software applications. Even years later, we can look back on Triton as a reminder that risks are everywhere and that, to avoid them, we have to pay attention to threats at every level.