Cyber attack on Saudi chemical plant could have caused explosion
19 March 2018
A cyber attack against a petrochemical company in Saudi Arabia could have caused serious physical damage, according to news reports. The attack, which was detected last August, appears to have been designed to shut down safety controllers, which could have caused an explosion at the plant. In the event, the attack failed due to a flaw in the coding of the malware.
Security sites Cyberscoop and CyberArk have reported new details on the attack, which targeted a petrochemical plant in Saudi Arabia. Details have been emerging on the attack since November, but the full extent of the malware, dubbed 'Triton' or 'Trisis' by researchers, is only just coming to light.
The reports also revealed that Saudi Arabia's National Industrialization Company, Tasnee, and the Sadara Chemical Company were attacked in January 2017 using the 'Shamoon' malware, in an unrelated series of attacks.
Security researchers did not disclose the target of the Triton attack, and while Saudi Aramco is said to have assisted in the investigation, the plant was not owned by Saudi Aramco or an Aramco branded operation.
The culprits behind the attack were also either not known or not disclosed, but sources said that the highly sophisticated, and expensive, attack was likely the work of nation state actors.
The attack was detected in August when machinery at the plant began randomly shutting down during working hours. The disruption eventually caused the complete shutdown of the plant.
The shutdowns were traced to a file, which was disguised as code from Schneider Electric, the technology partner for the plant.
Subsequent investigations, which expanded to include Schneider and Mandiant, a division of FireEye, discovered a highly complex multi-part malware in the file, which was affecting industrial control systems at the plant.
The malware appears to be designed to force a malfunction in the 'Triconex' Safety Instrumented System (SIS), a popular logic controller made by Schneider Electric, Cyberscoop reported. The SIS is used to control industrial equipment, and it is believed that the malware was intended to cause machinery to operate outside of normal parameters until it suffered serious damage.
Failsafe systems at the plant detected the anomalous operations and shut down the plant. Researchers believe that the writers of the malware made a mistake in the configuration of the code, causing the attack to fail.
Triton would appear to be similar in modus operandi to the Stuxnet attack against Iranian nuclear research plants in 2010. Stuxnet caused centrifuges used in nuclear fuel processing to operate outside of normal parameters until they broke down.
How the malware found its way onto the system has not been disclosed. Researchers have stressed that while the attack may appear to be similar to Stuxnet, Triton is far more complex.
The malware was specifically targeting the safety override systems, in an overt attempt to cause catastrophic damage, researchers said.
Developing the malware would have required deep expertise in the Triconex system and extensive testing of the malware. The time and resources deployed to develop the malware were extensive, and the component malware appears to have been custom-coded, with many of the coding indicators never having been seen before or used by any known hacking group.
Triconex controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. The controllers are supposed to be isolated from remote configuration, and although researchers believe the attack was not an inside job, they have not revealed how the system was infiltrated.