Russian-linked malware found in second Saudi facility
12 April 2019
Malware linked to an attempt to sabotage a Saudi petrochemical plant in 2017 has been discovered in a second facility in that country, according to cybersecurity consultancy FireEye. Researchers found evidence of the malware in an unnamed critical infrastructure facility.
The malware, dubbed ‘Triton’ and traced to a Russian research laboratory, targets industrial control systems by gaining access and maintaining persistence inside IT and OT networks. According to FireEye, campaigns such as this can require months or even years of planning to successfully install, hide and preserve.
The group used a host of different techniques to infect the facility with the malware, but the intention of the attack – either sabotage or destruction – is still unclear. FireEye is urging industrial control system (ICS) managers to use the information in its report to identify whether the Triton group is present in their own facilities.
In a blog post, the cybersecurity group said: “This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritise operational security”.
It is thought that the Triton hackers may have been operating since as early as 2014. Despite being several years old, some of the tools used by the group have not been encountered before, which researchers suggest could be an indication that other facilities have been compromised without detection.
The malware's origins were a mystery when FireEye first discovered Triton in 2017. However, following further research in 2018, FireEye assessed with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution located in Moscow, was involved in the attacks.
Despite the sophistication of the attack, the 2017 attempt on the Saudi petrochemical plant failed due to a bug in the malware’s code.