Hackers who may have been working on behalf of a nation recently caused an operational outage at a critical-infrastructure site, researchers said Thursday. The attackers did so by using a novel piece of malware to target the system that prevents health- and life-threatening accidents.

The malware was most likely designed to cause physical damage inside the unnamed site, researchers from the Mandiant division of security firm FireEye said in a report. It worked by targeting a safety instrumented system, which the targeted facility and many other critical infrastructure sites use to prevent unsafe conditions from arising. The malware has been alternately named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric.

"Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems," Mandiant researchers wrote. "The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations."

The accidental outage was likely caused by the Triconex SIS itself: the safety system shut down operations when it encountered an error while the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely not deliberate.

New paradigm

FireEye's report is the latest to chronicle an unsettling escalation in hacks on industrial control systems used in power plants, gas refineries, and other types of critical infrastructure. In December of 2015 and again in December of last year, hackers breached security inside Ukrainian electric facilities and used their unauthorized access to cause power outages during one of the coldest months in Eastern Europe. A decade ago, hackers reportedly working on behalf of the US and Israel deployed the Stuxnet worm to sabotage uranium enrichment centrifuges in Iran.

Triton wouldn't work on another critical infrastructure facility without being rewritten. Still, it represents a new paradigm in industrial control hacking that's likely to be copied in future breaches.

"Although the attack is not highly scalable, the tradecraft displayed is now available as a blueprint to other adversaries looking to target SIS and represents an escalation in the type of attacks seen to date as it is specifically designed to target the safety function of the process," researchers with Dragos, who also analyzed the malware, wrote. Elsewhere, the researchers continued: "While Trisis appears to be focused, ICS owners and operators should view this event as an expansion of ICS asset targeting to previously untargeted SIS equipment."

FireEye provided more detail on the infection, writing:

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check—resulting in an MP diagnostic failure message. We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons:

Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.

TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.

The failure occurred during the time period when TRITON was used.

It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.

The report continued:

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due to one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.
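The two FireEye passages above rest on a simple correlation: a controller fault (the MP diagnostic failure and resulting safe shutdown) that coincides with repeated reprogramming of the same controller from an engineering workstation, with no independent cause in view. The script below, an added example that is not part of this article or of the FireEye, Dragos or Symantec reports, turns that reasoning into a detection check an asset owner could run over SIS and engineering-workstation event logs. The log format, event names (PROGRAM_DOWNLOAD, MP_DIAGNOSTIC_FAILURE, SAFE_SHUTDOWN), hostnames and timestamps are all constructed for illustration; real Triconex and TriStation event sources use their own fields and would need a different parser.

```python
"""Correlate SIS controller faults with preceding reprogramming activity.

Added example; the log format, event names, hosts and times below are
constructed and do not reflect any real Triconex/TriStation log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log. Format: "timestamp | source | target controller | event".
# sis-ctrl-A faults minutes after three program downloads from eng-ws-01;
# sis-ctrl-B faults later with no programming activity against it at all.
SAMPLE_LOG = """\
2017-11-01T01:10:05 | eng-ws-01  | sis-ctrl-A | PROGRAM_DOWNLOAD
2017-11-01T01:12:40 | eng-ws-01  | sis-ctrl-A | PROGRAM_DOWNLOAD
2017-11-01T01:15:02 | eng-ws-01  | sis-ctrl-A | PROGRAM_DOWNLOAD
2017-11-01T01:16:30 | sis-ctrl-A | sis-ctrl-A | MP_DIAGNOSTIC_FAILURE
2017-11-01T01:16:31 | sis-ctrl-A | sis-ctrl-A | SAFE_SHUTDOWN
2017-11-01T09:00:00 | sis-ctrl-B | sis-ctrl-B | MP_DIAGNOSTIC_FAILURE
2017-11-01T09:00:01 | sis-ctrl-B | sis-ctrl-B | SAFE_SHUTDOWN
"""

# Hypothetical event names: anything that changes controller application logic,
# and the fault condition described in the report (MP diagnostic failure).
PROGRAMMING_EVENTS = {"PROGRAM_DOWNLOAD"}
FAULT_EVENTS = {"MP_DIAGNOSTIC_FAILURE"}


@dataclass
class Event:
    ts: datetime
    source: str
    target: str
    name: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, name = (part.strip() for part in line.split("|"))
        events.append(Event(datetime.fromisoformat(ts), src, dst, name))
    return events


def correlate_faults(events: List[Event],
                     window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """For each controller fault, gather programming events aimed at the same
    controller in the `window` before it.

    A fault preceded by programming activity is flagged as suspicious and
    reported with the sources and count of those attempts (the report's
    "several attempts over a period of time"). A fault with no prior
    programming activity is reported too, so the investigation looks for an
    ordinary hardware or environmental cause instead.
    """
    findings = []
    for fault in (e for e in events if e.name in FAULT_EVENTS):
        prior = [e for e in events
                 if e.name in PROGRAMMING_EVENTS
                 and e.target == fault.target
                 and fault.ts - window <= e.ts < fault.ts]
        findings.append({
            "controller": fault.target,
            "fault_time": fault.ts.isoformat(),
            "programming_events": len(prior),
            "programming_sources": sorted({e.source for e in prior}),
            "suspicious": bool(prior),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_faults(parse_log(SAMPLE_LOG)):
        verdict = "SUSPICIOUS" if finding["suspicious"] else "no prior programming"
        print(f"{finding['controller']} fault at {finding['fault_time']}: "
              f"{verdict}, {finding['programming_events']} programming event(s) "
              f"from {finding['programming_sources'] or 'nobody'}")
```

Run as a script it prints one line per fault; the controller reprogrammed three times in the preceding minutes is flagged, while the second controller's fault is reported as lacking any prior programming activity. The window size is a tuning choice: too short misses attempts spread "over a period of time", too long pulls in legitimate maintenance, so in practice it should be paired with a list of approved engineering workstations and change windows.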

FireEye went on to assess with moderate confidence that the hackers were sponsored by an unnamed country. The researchers based that assessment on the targeting of critical infrastructure, the persistence of the attackers, the lack of a financial reward, and the technical resources needed to make the malware work. Researchers at antivirus provider Symantec also provided a brief analysis here.