A highly capable malware reportedly used in a failed attempt to blow up a Saudi petrochemical plant has now been linked to a second compromised facility.
Researchers at the US-based security firm FireEye say the unnamed ‘critical infrastructure’ facility was the latest victim of the powerful Triton malware, the umbrella term for a series of malicious custom components used to launch targeted attacks.
Triton is designed to burrow into a target’s networks and sabotage its industrial control systems, which are commonly used in power plants and oil refineries to run the facility’s operations. By compromising these controls, a successful attack can cause significant disruption — even destruction.
According to the security company’s latest findings released last week, the hackers waited almost a year after their initial compromise of the facility’s network before they launched a deeper assault, taking the time to prioritize learning what the network looked like and how to pivot from one system to another. The hackers’ goal was to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems do not operate outside of their normal operational state.
These critical systems are strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack. But the hackers were able to gain access to the critical safety system, and focused on finding a way to effectively deploy Triton’s payloads to carry out their mission without causing the systems to enter into a safe fail-over state.
FireEye did not disclose the type of facility, its location, or even the year of the attack, but said the intrusion had the potential to cause physical damage.