Uncategorized

Security researchers have uncovered another nasty piece of malware designed specifically to target industrial control systems (ICS) with a potential to cause health and life-threatening accidents.

Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected.

Researchers from the Mandiant division of security firm FireEye published a report on Thursday, suggesting state-sponsored attackers used the Triton malware to cause physical damage to an organization.

Neither the targeted organization name has been disclosed by the researchers nor they have linked the attack to any known nation-state hacking group.

According to separate research conducted by ICS cybersecurity firm Dragos, which calls this malware “TRISIS,” the attack was launched against an industrial organization in the Middle East. Triton leverages the proprietary TriStation protocol, which is an engineering and maintenance tool used by Triconex SIS products and is not publicly documented, suggesting that the attackers reverse engineered it when creating their malware.

“The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers,” FireEye researchers said.

The hackers deployed Triton on an SIS engineering workstation running Windows operating system by masquerading it as the legitimate Triconex Trilog application.

The current version of TRITON malware that researchers analyzed was built with many features, “including the ability to read and write programs, read and write individual functions and query the state of the SIS controller.”

“During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation,” the researchers said.

Using TRITON, an attacker can typically reprogram the SIS logic to falsely shut down a process that is actuality in a safe state. Though such scenario would not cause any physical damage, organizations can face financial losses due to process downtime. Besides this, attackers can also cause severe life-threatening damages by reprogramming the SIS logic to allow unsafe conditions to persist or by intentionally manipulating the processes to achieve unsafe state first.

“The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available.”

Researchers believe Triton is emerging as a severe threat to critical infrastructures, just like Stuxnet, IronGate, and Industroyer, because of its capabilities to cause physical damage or shut down operations.

On Friday, 13 July 2018, Spearhead Networks, an ICT security consulting firm and winner of the Ghana Information Technology and Telecom (GITTA) awards (IT Security Provider of The Year 2016 & Cybersecurity Company of The Year 2017) partnered with two other young cybersecurity consulting firms under a business synergy programme, to fight cybercrime.

The firms, which include Information Security Architects and Netwatch Technologies, have been known in the offensive security industry to be very good at what they do as security researchers and cyber risk solution providers.

Speaking to the press at La Palm Royal Beach where the event took place, the Chief Executive Officer of Spearhead Networks, Mr Ernest Offei Darko Mensah, revealed that one of the biggest challenges facing the industry is capacity building which goes beyond mere awareness training for staff and delves deeper into assisting corporate and public institutions govern their cyber risk exposure and ultimately building a resilient plan to assist corporates manage their cyber infrastructure.

He further noted in an opening presentation that business synergy is purposely to harness the strengths of the three companies involved to assist in enhancing the delivery of singular and disjointed products into a seamless cyber-resilient service package ensuring clients do not only buy products but get the benefit of partnering a cyber-knowledge bank to augment their cyber security effort.

Speaking on behalf of Information Security Architects Ltd (ISA), Mr. Desmond Israel, lead consultant, made a point that the recent ITU Global Cybersecurity Index placed Ghana very high among its African peers for her effort at instituting the needed legal, regulatory and policy framework but not so much a pride in capacity building and technical measures.

He said further that information security service providers cannot claim to offer solutions when they themselves do not, perhaps, follow and research into the trends of the cyber landscapes.

“ISA is proud to be part of this bigger dream and is ready under its responsible disclosure programme to help more firms understand their cyber risk exposures and also provide the needed technology solutions and training. We can defend our cyber space if we have insight and that is the bedrock of cybersecurity resilience,” he said.

In a presentation on the cybersecurity landscape, Adam Nurudini, a cybersecurity researcher from Netwatch Technologies and recent Blackhat Conference attendee, said attacks will get worse and predicted that by 2021 security breaches will increase. Making a point through his demonstrations using hacking tools, Nurudini said that more users will fall for attacks and more government portals will be attacked.

He called for the right engagement with stakeholders and proposed a roundtable with relevant heads to enlighten them about some of these real-time exposures.

The business synergy programme under which the Cybersecurity Resilience Service Team (CRST) was conceived brought together 27 participants from all three companies and was taken through cybersecurity business development training which included presentation skills and branding for cybersecurity security service by Mr. Clement Danternii, a business development practitioner. Participants expressed their excitement about the initiative. The next implementation phase involves engagement and delivery.FacebookTwitterEmail