When we think of cyberattacks, we tend to think in digital terms. It’s typically digital tools that gain access to digital systems that hackers then use to their assorted nefarious ends — whether that be ransom, blackmail or anarchic destruction. Often the data stolen is digital itself, the demands are presented digitally, and if assets of one kind or another change hands, they’re usually sent via digital methods as well. But what happens when truly terrifying malware bridges the digital/physical divide and threatens true physical (or even fatal) harm? Well, the world may be about to find out via Triton.
So what is Triton and how did we find it?
According to the MIT Technology Review, an Australian security consultant called Julian Gutmanis had been called to a non-standard breach locale in the summer of 2017 — a Saudi Arabian petrochemical plant. In the attack, hackers had deployed what became known as Triton, which let them take over the plant’s safety instrumented systems (basically mission-critical backup systems). “These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms.”
Luckily, the malware’s presence triggered a safety response a couple of times before it could do its worst. After the second trigger, the company called in the cyber sleuths to see what was wrong.
Digital/physical divide no more
In some ways, this resembles the now internationally infamous Stuxnet attack targeting Iran’s nuclear centrifuges. Believed to be a joint American/Israeli cyberattack, it was the first confirmed time a remote, digital tool was used to wage physical war (against air-gapped computers, no less!). But instead of state-on-state nuclear deterrence, Triton is as-yet-to-be-determined hackers operating with patience and precision in frightening ways:
“Over the past couple of years, cybersecurity firms have been racing to deconstruct the malware—and to work out who’s behind it. Their research paints a worrying picture of a sophisticated cyberweapon built and deployed by a determined and patient hacking group whose identity has yet to be established with certainty.”MIT Technology Review
Based on what they produce at that plant, a worst case scenario could have been legitimately horrifying: a release of toxic hydrogen sulfide gas or physical explosions, thereby endangering not only plant workers, but the surrounding areas as well.
And what’s scarier is not just how bad it could have been at this plant, but rather how common attacks like this might become. “In attacking the plant, the hackers crossed a terrifying Rubicon. This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk.”
These types of systems that the hackers targeted are used in all sorts of industrial applications, from transportation systems to water treatment facilities to nuclear power stations. And what’s more, many industrial facilities are increasingly bringing their mechanical operations online, which is great for monitoring and operational efficiency, but horrendous for cybersecurity.
An industrial internet of things necessarily leads to more digital weaknesses for hackers to poke and prod until they gain access.
Hackers with enough time, dedication and resources have proven themselves capable of truly awesome and terrifying results. The likelihood that any of our partners are this type of target is pretty slim, but it’s the knock-on effect you have to worry about. Malware inspired by Triton (or incorporating it) or similar digital tradecraft can filter down to malware used by more reckless/impatient hackers to disastrous effects (just look at NotPetya and how that trickled down from leaked NSA tools to a multinational corporate disaster).
It’s imperative that you stay on top of existential cyber threats or your business might not recover from such a devastating attack. Or if not yourselves, partner with a managed IT expert who can sort that out for you. Either way — you have to keep a close eye on the state of cyberattacks to protect yourself and your business.