Cyber attack on Saudi plant designed to cause explosion

Details emerge of Triton attack against plant safety system which caused shutdown in August

Tags: Cyber crime | Mandiant Corp (www.mandiant.com) | Saudi Arabia | Schneider Electric

An unnamed petrochemical plant in Saudi Arabia was targeted by the Triton or Trisis malware. (Picture for illustrative purposes only.)
By Mark Sutton, published March 17, 2018

A cyberattack against a petrochemical company in Saudi Arabia could have caused serious physical damage, according to news reports.

The attack, which was detected in August, appears to have been designed to force the plant's safety controllers to malfunction; with the safety system no longer able to intervene, a process upset could have led to an explosion at the plant.

The attack apparently failed only because of a flaw in the malware's code, which caused equipment to shut down safely instead.

The New York Times and the security news site CyberScoop have reported new details on the attack, which targeted a plant belonging to a petrochemical company in Saudi Arabia. Details have been emerging since November, but the full extent of the malware, dubbed 'Triton' or 'Trisis' by researchers, is only now coming to light.

The reports also revealed that Saudi Arabia's National Industrialization Company, Tasnee, and the Sadara Chemical Company were attacked in January 2017 with the 'Shamoon' malware, in an unrelated series of attacks.

Security researchers have not disclosed the target of the Triton attack, and while Saudi Aramco is said to have assisted in the investigation, the plant was not owned by Saudi Aramco or an Aramco-branded operation.

The culprits were also not known, or not disclosed, but sources said that the highly sophisticated and expensive attack was likely the work of a nation state.

The attack was detected in August, when machinery at the plant began shutting down unexpectedly during working hours. The disruption eventually brought the whole plant to a halt.

The shutdowns were traced to a file disguised as legitimate code from Schneider Electric, the technology partner for the plant.

Subsequent investigations, which expanded to include Schneider and Mandiant, a division of FireEye, found a complex multi-part malware in the file that was interacting with the plant's industrial control systems.

The malware appears to have been designed to force a malfunction in the Triconex Safety Instrumented System (SIS), a widely deployed safety controller made by Schneider Electric, CyberScoop reported. An SIS monitors a process and brings it to a safe state when readings go outside set limits; the malware is believed to have been intended to defeat that protection so that machinery could run outside normal parameters until it suffered serious damage.

Instead, failsafe behaviour at the plant detected the anomalous conditions and shut the plant down. Researchers believe the malware's authors made a mistake in the configuration of their code, causing the attack to fail.

Triton's modus operandi appears similar to that of Stuxnet, the malware discovered in 2010 that attacked Iran's uranium enrichment programme. Stuxnet caused enrichment centrifuges to operate outside their normal parameters until they broke down.

How the malware reached the system has not been disclosed. Researchers have stressed that while the attack may look similar to Stuxnet, Triton is far more complex.

The malware specifically targeted the safety systems, in what researchers described as an overt attempt to cause catastrophic damage.

Developing the malware would have required deep expertise in the Triconex system and extensive testing. The time and resources deployed were substantial, and the component malware appears to have been custom-coded, with many of its coding indicators never seen before or associated with any known hacking group.

Investigators say they are concerned because Triconex controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. A Triconex controller is designed to accept new logic only when its physical key switch is set to program mode, so in normal operation it should not be reconfigurable remotely; researchers believe the attack was not an inside job, but they have not revealed how the system was reached.
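One control a plant can put around the exposure described above is to alert on any engineering-protocol traffic to a safety controller that does not come from the designated engineering workstation. The following is an added example, not code from the article, from Schneider Electric or from the investigators: a small allowlist check run over constructed flow records. It assumes the TriStation engineering protocol listens on UDP/1502 (as stated in the public incident write-ups, not on this page) and uses invented addresses for the SIS controllers, the engineering workstation and the safety network segment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed inventory; every address here is invented for this example.
SIS_CONTROLLERS = {ip_address("10.20.30.11"), ip_address("10.20.30.12")}
AUTHORIZED_EWS = {ip_address("10.20.30.5")}   # the only host allowed to program the SIS
SAFETY_NETWORK = ip_network("10.20.30.0/24")  # the supposedly isolated safety segment
# TriStation, the Triconex engineering protocol, uses UDP/1502 according to the
# public incident reports. That port is an assumption of this example, not a
# fact taken from the article.
TRISTATION_PORT = 1502


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow: Flow) -> Optional[str]:
    """Verdict for a flow aimed at an SIS engineering port; None if out of scope."""
    if ip_address(flow.dst) not in SIS_CONTROLLERS:
        return None
    if flow.proto.upper() != "UDP" or flow.dport != TRISTATION_PORT:
        return None  # ordinary process traffic (e.g. Modbus reads) is not checked here
    src = ip_address(flow.src)
    if src in AUTHORIZED_EWS:
        return "authorized"
    if src in SAFETY_NETWORK:
        return "unauthorized-local"   # a host inside the safety segment that is not the EWS
    return "unauthorized-remote"      # traffic that crossed a boundary that should block it


def find_alerts(flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Every engineering-port flow to an SIS that did not originate from the EWS."""
    alerts = []
    for f in flows:
        verdict = classify(f)
        if verdict and verdict != "authorized":
            alerts.append((f.ts, f.src, f.dst, verdict))
    return alerts


# Constructed flow records: (timestamp, src, dst, proto, dst port). The
# timestamps and addresses are made up and do not describe the real incident.
SAMPLE_FLOWS = [
    Flow("2017-08-04T09:12:01Z", "10.20.30.5", "10.20.30.11", "udp", 1502),   # EWS, expected
    Flow("2017-08-04T09:12:05Z", "10.20.30.40", "10.20.30.11", "udp", 502),   # Modbus read, ignored
    Flow("2017-08-04T11:47:13Z", "10.20.30.23", "10.20.30.12", "udp", 1502),  # local host, not the EWS
    Flow("2017-08-04T11:47:20Z", "10.10.1.77", "10.20.30.11", "udp", 1502),   # from outside the segment
    Flow("2017-08-04T11:48:00Z", "10.10.1.77", "10.20.30.11", "tcp", 22),     # wrong proto/port, ignored
]

if __name__ == "__main__":
    for ts, src, dst, verdict in find_alerts(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}: {verdict}")
```

This check works purely at the flow level, so it enforces the segmentation assumption (only one workstation may ever speak the engineering protocol to an SIS) without parsing the protocol itself; it would not distinguish a legitimate logic download from a malicious one coming from the authorised workstation, which is why the key switch and change-management procedures still matter.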
