Slashdot Mirror
Mysterious Safety-Tampering Malware Infects Second Critical Infrastructure Site (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents. What was unprecedented in this attack -- and of considerable concern to some researchers and critical infrastructure operators -- was the use of an advanced piece of malware that targeted the unidentified site's safety processes. The malware was named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute.
Now, researchers at FireEye -- the same security firm that discovered Triton and its ties to Russia -- say they have uncovered an additional intrusion that used the same malicious software framework against a different critical infrastructure site. As was the case in the first intrusion, the attackers focused most of their resources on the facility's OT, or operational technology, which are systems for monitoring and managing physical processes and devices. The discovery has unearthed a new set of never-before-seen custom tools that shows the attackers have been operational since as early as 2014. The existence of these tools, and the attackers' demonstrated interest in operational security, lead FireEye researchers to believe there may be other sites beyond the two already known where the Triton attackers were or still are present. "After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network," FireEye researchers wrote in a report published Wednesday. "They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."
Now, researchers at FireEye -- the same security firm that discovered Triton and its ties to Russia -- say they have uncovered an additional intrusion that used the same malicious software framework against a different critical infrastructure site. As was the case in the first intrusion, the attackers focused most of their resources on the facility's OT, or operational technology, which are systems for monitoring and managing physical processes and devices. The discovery has unearthed a new set of never-before-seen custom tools that shows the attackers have been operational since as early as 2014. The existence of these tools, and the attackers' demonstrated interest in operational security, lead FireEye researchers to believe there may be other sites beyond the two already known where the Triton attackers were or still are present. "After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network," FireEye researchers wrote in a report published Wednesday. "They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."
Well, I work with critical systems and we kind of do it like this: all the real-time and critical (security-wise) stuff is done in VHDL, then it communicates with embedded systems whose software is updatable. Then those in turn communicate with data-centralization and control/command PCs. If the top or top-2 layers go down, the hardware keeps running and goes in security modes, meaning nothing blows up and things just keep going or stop (depending on the VHDL which is NOT updatable by software).
Non-Linux Penguins ?