Trisis nation-state authored malware leaked onto internet

News by Rene Millman

Schneider Electric accidentally puts malware online that could shut down power plants. Nation state authored malware has been mistakenly put online that could enable hackers to compromise safety systems at power plants.


According to reports by Cyberscoop, it is claimed that multinational energy technology company Schneider Electric posted a file containing malware to VirusTotal.

The report said that Schneider Electric obtained the file in question, titled “Library.zip,” while gathering evidence on a data breach in the Middle East. The file contains the malware called Trisis or Triton. It is believed that the malware has already been used to shut down an oil and gas facility in the Middle East last December.

According to Josh Mayfield, director at FireMon, by controlling the safety systems, Trisis will most likely be used to command the industrial control systems (ICS) to perform actions that could overwhelm a nuclear plant, oil and gas operation, or utility grid with Schneider Electric equipment.

“Not only does Trisis take over the ICS, but can give the cyber-security teams a false sense of security. Trisis will be destroying the ICS, but controlling communication outward to lead someone to believe everything is alright,” he told SC Media UK.

The report by Cyberscoop said that while the upload of Library.zip was removed from VirusTotal in less than 24 hours, many copies of the file had already been made.

A Schneider Electric spokesperson told CyberScoop that “In line with industry protocol, a Schneider Electric employee posted a file to VirusTotal in the interest of enabling its security vendor members to analyse and respond to the new malware. Shortly afterwards, Schneider Electric received a request from a third party to take the file down, and promptly complied with that request”.

Sam Curry, chief security officer at Cybereason, told SC Media UK that researchers and practitioners alike need to be able to share files and material to advance their work and protect against new attacks, but sharing is a lot like opening Pandora's box.

“Once open, it's very hard to put things back into the box. Trisis is another example, really, of the new options available to nation states (and other actors) for ‘continuation of politics by other means,' to paraphrase Clausewitz on war,” he said.

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that Trisis is not a highly scalable attack as it cannot easily be replicated across victims without significant victim knowledge and additional work.

“The malware targets Schneider Electric's Triconex safety instrumented system (SIS) specifically. Each SIS is unique and to attack other SIS systems would require knowledge of those processes. The framework however allows attackers to leverage it to quickly create new attacks that target safety functions of an industrial process,” he said.

Geenens added that the risk he sees in making this public is that less versed and opportunistic hackers might try to take advantage of the information and code to create new attack and ransom campaigns. “However, given the specific attack vector and the need for considerable knowledge and investment to adapt the code to attack the specifics of the safety systems, the risk and sensitivity of the information are lower, and the public knowledge for security researchers and engineers in ICS does outweigh the risk in my opinion,” he said.

Mayfield added that the primary lesson to learn from this mistake is to centrally manage the way you publish malware.

“You can unknowingly publish something that is the final piece of a cyber-criminal's puzzle; not intentionally, but still, you just helped them complete the last mile. In short, don't do the following: Fire, Ready, Aim,” he said.

Chris Wysopal, CTO and co-founder, CA Veracode, commenting on the issue in an email to SC, adds: “Unfortunately, breaches like this are becoming commonplace and part of the reason is businesses have viewed security as detached from the development process. This results in a high prevalence of vulnerabilities, which in turn are used by hackers to exploit companies and steal data. Fixing this problem will require a major mind shift regarding the way we build software. And I can give you a great analogy. Even the fastest, most impressive cars today come with safety features like seatbelts, ABS, traction control and advanced features like brake assist and lane departure warning systems. It wasn't always this way. For a long time cars didn't have any safety features and people got hurt. So, we introduced safety standards.

“Today, people think of car safety features the same way they think of functional features like fuel injection or pistons – even though these safety features aren't required for the car to work. That's how we need to think about software. Security needs to become one way we measure the quality of software. And to do that, we need to give developers the tools they need to make more secure software. Even though developers and security professionals think this is a difficult process, we found that when given the right tools, developers make more secure code. Our 2017 State of Software Security report found that when we gave developers tools to test for vulnerabilities early in their development process they had a 48 percent better fix rate than those who did not.”
