Sixteen months ago researchers published an important finding pointing to a considerable rise in attacks targeting oil refineries, gas stations and other types of critical infrastructure. The main aim of such attackers, who may be working on behalf of a nation state or an organization, is to paralyze a country by damaging its critical infrastructure. In a similar case, Triton, a highly capable and powerful malware reportedly used in a failed plot to blow up a Saudi petrochemical plant, has now been associated with a second compromised facility, according to a report by TechCrunch.
There have been many malware attacks in the past, but this latest development is all the more important because an advanced piece of malware was used to target the unidentified site's safety processes.
According to researchers at FireEye, an unnamed "critical infrastructure" facility is the latest victim of the Triton malware, which uses custom components to launch targeted attacks. The FireEye researchers, who have linked Triton to Russia, say they have uncovered an additional intrusion that used the same malicious framework against a new infrastructure site. The attackers focused on the facility's operational technology, aiming to sabotage its industrial control systems. Compromising these control systems can lead to significant disruption and even physical destruction.
The researchers further explain that the attackers waited almost a year after compromising the site's network before launching a deeper attack, taking the time to learn what the network looked like and how to move from one system to another. Their main goal was to gain access to the safety instrumented system (SIS) controllers, and they deliberately kept other activity to a minimum to reduce the chance of being discovered.
This is not the first time Triton has been on the prowl. In the August 2017 attack in which Triton was deployed, the Saudi facility would have been destroyed had it not been for a bug in the malware's code.
“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack,” says the report.
Speaking to TechCrunch, Nathan Brubaker, senior manager of analysis at FireEye, said, "We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that led to the Mandiant investigation."
FireEye declined to comment on the type of facility or its location.