US Department of Homeland Security Warns of Malware Targeting Industrial Safety Systems
Security firms FireEye and Dragos reported last week that a new piece of malware, which FireEye calls Triton and Dragos calls Trisis, shut down an industrial facility in the Middle East by targeting the widely used Schneider Electric Triconex safety controllers protecting its critical infrastructure. Industrial cybersecurity company CyberX has speculated, on the basis of its own analysis, that the attack was the work of Iran and that the target was an organization in Saudi Arabia. On Monday, the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) released its own analysis of the malware, which it describes as targeting industrial safety systems.
In its investigation, DHS tracked the malware under the name HatMan, as a threat aimed at industrial control systems (ICS). In the malware analysis report released on Monday, NCCIC provided mitigations and YARA rules to help owners and operators of industrial control systems detect the malware and limit the damage it can cause.
The analysis shows that HatMan, written in Python, primarily targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers. These controllers are designed to monitor an industrial process and return it to a safe state, or perform a safe shutdown, when a potentially dangerous condition is detected. HatMan communicates with the SIS controllers over the proprietary TriStation protocol and lets the attackers manipulate the devices by uploading new ladder logic. In the reported incident the operation ended after the SIS controller performed a safe shutdown, which led FireEye's experts to conclude that the attackers probably tripped the controller inadvertently during their reconnaissance and testing, and that their ultimate goal was to cause physical damage.
Schneider Electric's Triconex Safety Instrumented System (SIS) controllers are designed to provide continuous safety interlocking and protection, process monitoring, and, where necessary, safe shutdown for safety-critical units in nuclear, oil refining, petrochemical, chemical and other process industries.
Notably, NCCIC points out in its report that the malware has two main components: one runs on a compromised PC and interacts with the safety controller, and the other runs directly on the controller itself. The researchers say that HatMan by itself does not perform any directly dangerous action, and that a degraded safety system does not on its own manipulate the controlled process; however, a safety system compromised by the malware could be extremely harmful if the compromise were combined with an attack on the process it protects. Although it is not yet clear what role HatMan may play in future attacks on ICS, its evident purpose is to affect industrial processes or enable other dangerous operations. All in all, the construction of the malware's separate components indicates that the attackers are very familiar with ICS environments, and with Triconex controllers in particular, and that a long development cycle went into refining this sophisticated attack.
Schneider Electric has investigated the incident, and officials said there is currently no evidence that the malware exploits any vulnerability in the product. However, security experts advise customers not to leave the controller's key switch in "Program" mode when it is not being actively programmed, because the malware can only deliver its payload to the controller while it is set to "Program" mode.
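Because HatMan's PC-side component has to reach the safety controller over TriStation from a compromised machine on the plant network, one practical check is to alert on TriStation traffic that does not originate from an approved engineering workstation, and on any non-TriStation traffic aimed at a safety controller at all. The following detection script is an added example, not code from the article, from DHS/NCCIC, or from Schneider Electric. It assumes that TriStation runs over UDP port 1502 (the protocol's default port), a simple whitespace-separated flow log format, and hypothetical controller and workstation addresses; the sample flow records are constructed for the example.

```python
"""Flag TriStation traffic to Triconex safety controllers from hosts that are
not approved engineering workstations, plus any other traffic to a controller.

Added example; not from the article, DHS/NCCIC or Schneider Electric.
Assumptions: TriStation on UDP/1502, the flow record layout below, and the
hypothetical host inventory. Sample records are constructed."""

from collections import defaultdict
from dataclasses import dataclass

TRISTATION_UDP_PORT = 1502  # assumption: TriStation default port

# Hypothetical inventory for the example.
SIS_CONTROLLERS = {"10.10.20.5", "10.10.20.6"}
ENGINEERING_WORKSTATIONS = {"10.10.10.20"}

# Constructed sample flow records: "<timestamp> <src> <dst> <proto> <dport> <bytes>".
# 10.10.30.77 is a hypothetical compromised PC that is not an approved workstation.
SAMPLE_FLOWS = """\
2017-12-18T09:01:12Z 10.10.10.20 10.10.20.5 udp 1502 312
2017-12-18T09:02:40Z 10.10.10.20 10.10.20.6 udp 1502 298
2017-12-18T09:05:03Z 10.10.30.77 10.10.20.5 udp 1502 4120
2017-12-18T09:05:05Z 10.10.30.77 10.10.20.5 tcp 445 1024
2017-12-18T09:07:19Z 10.10.30.77 10.10.20.6 udp 1502 3988
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Parse one flow record into a dict; raise on malformed input."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, proto, dport, nbytes = fields
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def tristation_alerts(flow_text, controllers=SIS_CONTROLLERS,
                      workstations=ENGINEERING_WORKSTATIONS):
    """Return alerts for suspicious traffic to safety controllers.

    Two rules: TriStation (UDP/1502) from a host that is not an approved
    engineering workstation, and any non-TriStation traffic to a controller
    (a safety controller should only ever be spoken to over TriStation)."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dst"] not in controllers:
            continue  # not aimed at a safety controller
        if f["proto"] == "udp" and f["dport"] == TRISTATION_UDP_PORT:
            if f["src"] not in workstations:
                alerts.append(Alert(f["ts"], f["src"], f["dst"],
                                    "TriStation traffic from non-approved host"))
        else:
            alerts.append(Alert(f["ts"], f["src"], f["dst"],
                                "non-TriStation traffic to safety controller"))
    return alerts


def controllers_touched(alerts):
    """Map each alerting source host to the set of controllers it contacted,
    so a host sweeping several SIS controllers stands out."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a.src].add(a.dst)
    return dict(touched)


if __name__ == "__main__":
    found = tristation_alerts(SAMPLE_FLOWS)
    for a in found:
        print(f"{a.timestamp} {a.src} -> {a.dst}: {a.reason}")
    for host, ctrls in controllers_touched(found).items():
        print(f"{host} contacted {len(ctrls)} controller(s): {sorted(ctrls)}")
```

In a real deployment the inventory would come from the plant asset register rather than constants, and the rules would be tightened further, for example by alerting on any TriStation traffic during periods when no controller is expected to be in "Program" mode.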
Emily S. Miller, director of national security and critical infrastructure programs at security firm Mocana, said: "Attackers have the ability to access critical infrastructure safety instrumentation and are likely to make potential changes to device firmware, so this reminder gives critical infrastructure owners and operators a key warning."
Source: SecurityWeek