A highly capable strain of malware reportedly used in a failed plot to blow up a Saudi petrochemical plant has now been linked to a second compromised facility.
FireEye researchers say the unnamed “critical infrastructure” facility was the latest victim of the powerful Triton malware, the umbrella term for a series of malicious custom components used to launch directed attacks. Triton, previously linked to the Russian government, is designed to burrow into a target’s networks and sabotage its industrial control systems, which are often used in power plants and oil refineries to control the operations of the facility.
Roy Rashti, Cyber-Security Expert at BitDam:
“This isn’t the first, and probably won’t be the last time we encounter sophisticated attacks that aim to sabotage critical infrastructures.
For a targeted attack like this to succeed several key phases, typically coordinated by highly experienced individuals, must take place. Among these phases is the initial delivery mechanism, the code that drops the payload and the payload itself. While some organisations have mechanisms in place to defend against each of these phases in an attack many do not; leaving infrastructure vulnerable to disruption and destruction.
The only way to protect against such advanced and ‘personalised’ attacks is to have a robust protection solution that will be able to detect such an attack in at least one of the attack phases. However, the most effective solution and means of protection is to prevent the attack from entering the organisation or infrastructure in the first place by identifying it pre-delivery.”
Israel Barak, CISO at Cybereason:
“Threat actors moving deliberately and stealthily for months if not years have one goal in mind and that’s not getting caught. This latest attack isn’t likely being carried out by amateurs. In general, risks to critical infrastructure such as industrial control systems can actually be minimized and managed. However, threats against this industry, in particular, will never be completely eradicated. Cybereason’s 2018 ICS honeypot enabled us to observe threat actors attacking networks in this industry and what we learned is invaluable. Overall, threats to critical infrastructure are something that security products and practitioners are very good at combating. By paying attention to hygiene and best practices, companies running ICS can greatly reduce their risk despite the threats they face.
However, most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures. If an attacker knows which substation to take offline or cause a surge in, they can take down significant portions of the grid without conducting a large number of intrusions. Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. Again, diligence, persistence and improved security hygiene can greatly reduce risks.”