Hackers halt plant operations in watershed cyber attack

FireEye disclosed an attack targeted at Triconex industrial safety technology from Schneider Electric.

FireEye disclosed an attack targeted at Triconex industrial safety technology from Schneider Electric.

Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility, in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye disclosed the incident yesterday, saying the attack targeted Triconex industrial safety technology from Schneider Electric.

Schneider confirmed the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cyber security company Dragos said the hackers targeted an organisation in the Middle East, while a second firm, CyberX, said it believed the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have, in recent years, placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber experts said.

Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

"This is a watershed," said Sergio Caltagirone, head of threat intelligence with Dragos. "Others will eventually catch up and try to copy this kind of attack."

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail-safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye added it believes the attackers' actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye's investigation.

The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event the hackers intended to launch an attack that disrupted or damaged the plant, he said.

Public warnings

The US government and private cyber security firms have issued public warnings over the past few years about attempts by hackers from nations, including Iran, North Korea, Russia and others, to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

CyberX VP Phil Neray said his firm found evidence that the malware was deployed in Saudi Arabia, which could suggest Iran may be behind the attack.

Security researchers widely believe Iran was responsible for a series of attacks on Saudi Arabian networks in 2012 and 2017, using a virus known as Shamoon.

Schneider provided Reuters with a customer security alert, dated Wednesday, which said it was working with the US Department of Homeland Security to investigate the attack.

"While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors," the alert said.

Department of Homeland Security spokesman Scott McConnell said the agency was looking into the matter "to assess the potential impact on critical infrastructure".

The malware, which FireEye has dubbed Triton, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the US and Israel to attack Iran's nuclear programme.

The second, known as Crash Override or Industroyer, was discovered last year by researchers, who said it was likely used in a December 2016 attack that cut power in Ukraine.