Hackers shut down infrastructure safety system in attack: FireEye

Reuters News
Posted: Dec 14, 2017 10:06 AM

By Jim Finkle

(Reuters) - Hackers likely working for a nation-state recently penetrated the safety system of a critical infrastructure facility in an attack that caused operations to shut down, according to cyber security firm FireEye Inc, which said it investigated the incident.

FireEye declined to identify the victim or industry, citing client confidentiality. It said it went public to highlight the escalating threat from hackers who are developing increasingly sophisticated tools to disrupt or cause physical damage to critical infrastructure, which includes facilities such as energy, water, chemical and manufacturing plants.

The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and other nations to attack the companies that run such plants in what they say are primarily reconnaissance operations.

"We want to make sure that the broader industry is aware that there are attackers with the capability and interest in targeting those types of systems, so they can take better precautions to defend against such attacks," said Dan Scali, a FireEye manager who led the investigation.

In the recent incident, hackers used sophisticated malware to take remote control of a workstation running a safety system from Schneider Electric SE, then sought to reprogram controllers used to monitor the plant for potential safety issues. During that incident, some of the controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye believes the attacker's actions inadvertently caused the shutdown while probing the system to learn how it worked, Scali said. The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

Reuters was unable to identify the victim or determine how the shutdown had affected its operations. Representatives with Schneider Electric could not immediately be reached for comment.

FireEye said it had not identified the hackers, but believed they were working on behalf of a nation state due to the sophistication of the campaign and its targeting of critical infrastructure.

The malware, which FireEye has dubbed Triton because it targets Schneider's Triconex plant safety systems, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The second, known as Crash Override or Industroyer, was discovered last year by researchers who said it was likely used in a December 2016 attack that cut power in Ukraine.

FireEye said it had briefed the U.S. Department of Homeland Security on its findings. A DHS representative said he had no immediate comment on the matter.

(Reporting by Jim Finkle in Toronto; Editing by Susan Thomas)