Wednesday, March 06, 2019

With Malice Aforethought

"Malice aforethought" - the intention to cause death or grievous harm that transforms unlawful killing into outright murder.

Enter Triton, "the world's most murderous malware." It's out and it's spreading. From the MIT Tech Review:

As an experienced cyber first responder, Julian Gutmanis had been called plenty of times before to help companies deal with the fallout from cyberattacks. But when the Australian security consultant was summoned to a petrochemical plant in Saudi Arabia in the summer of 2017, what he found made his blood run cold. 
The hackers had deployed malicious software, or malware, that let them take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms. 
The malware made it possible to take over these systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system in June 2017, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown.
...In a worst-case scenario, the rogue code could have led to the release of toxic hydrogen sulfide gas or caused explosions, putting lives at risk both at the facility and in the surrounding area. 
Gutmanis recalls that dealing with the malware at the petrochemical plant, which had been restarted after the second incident, was a nerve-racking experience. “We knew that we couldn’t rely on the integrity of the safety systems,” he says. “It was about as bad as it could get.” 
In attacking the plant, the hackers crossed a terrifying Rubicon. This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk. Safety instrumented systems aren’t just found in petrochemical plants; they’re also the last line of defense in everything from transportation systems to water treatment facilities to nuclear power stations.
Who is behind Triton? What are they after? How far are they prepared to go? Who knows?
Over the past couple of years, cybersecurity firms have been racing to deconstruct the malware—and to work out who’s behind it. Their research paints a worrying picture of a sophisticated cyberweapon built and deployed by a determined and patient hacking group whose identity has yet to be established with certainty. 
The hackers appear to have been inside the petrochemical company’s corporate IT network since 2014. From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access. They then got into an engineering workstation, either by exploiting an unpatched flaw in its Windows code or by intercepting an employee’s login credentials.
It could be a state actor - Russia, Iran, North Korea, take your pick - or a non-state actor - terrorists, organized crime, some punks with bad attitudes. Triton is surely an instrument of war, and the reality of warfare in the 21st century is that nation states are losing their monopoly on violence as weapons of mass destruction come within reach of non-state actors at nearly every level. That makes the attacker's motivation difficult to discern, and without knowing the motivation, identification and prevention become even harder.

At the moment the Russian government is the prime suspect but no one can say for sure.
Experts at places like the US’s Idaho National Laboratory are urging companies to revisit all their operations in the light of Triton and other cyber-physical threats, and to radically reduce, or eliminate, the digital pathways hackers could use to get to critical processes. 
Businesses may chafe at the costs of doing that, but Triton is a reminder that the risks are increasing. Gutmanis thinks more attacks using the world’s most murderous malware are all but inevitable. “While this was the first,” he says, “I’d be surprised if it turns out to be the last.”


Toby said...

Let's not leave the US and allies out of this equation.

"Massive US-planned cyberattack against Iran went well beyond Stuxnet"

The Mound of Sound said...

I searched the blog and found two posts on Stuxnet from 2010. Stuxnet sent Iranian centrifuges spinning out of control. Triton targets the safety mechanisms that respond to Stuxnet-type malware, preventing them from meltdown.

Anonymous said...

I’m glad someone’s already suggested the U.S.
To leave them out of the suspects list (if not at the top of it) is a glaring omission.

The Mound of Sound said...

I doubt they would risk doing something like Triton to the Saudis, their best Arab buddies.

Toby said...

I have no doubt whatsoever that the US would place a control worm in an ally's nuclear or chemical facility as a security tool. The worm would just sit there for years as long as the facility was being used in a manner that did not generate a threat to the US, at which point the worm would be activated.

As to Saudi Arabia specifically, even American hardliners understand that the 9/11 attack was perpetrated by renegade Saudis.