Hackers likely working for a nation-state recently penetrated the safety system of a critical infrastructure facility in an attack that caused operations to shut down, according to cyber security firm FireEye Inc, which said it investigated the incident.
FILE PHOTO: The FireEye logo is seen outside the company's offices in Milpitas, California, U.S. December 29, 2014. REUTERS/Beck Diefenbach/File Photo
FireEye declined to identify the victim or industry, citing client confidentiality.
It said it went public to highlight the escalating threat from hackers who are developing increasingly sophisticated tools to disrupt or cause physical damage to critical infrastructure, which includes facilities such as energy, water, chemical and manufacturing plants.
The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia to attack the companies that run such plants, in what they say are primarily reconnaissance operations.
“We want to make sure that the broader industry is aware that there are attackers with the capability and interest in targeting those types of systems, so they can take better precautions to defend against such attacks,” said Dan Scali, a FireEye manager who led the investigation.
In the recent incident, hackers used sophisticated malware to take remote control of a workstation running a safety system from Schneider Electric SE, then sought to reprogram controllers used to monitor the plant for potential safety issues. During that incident, some of the controllers entered a fail-safe mode, which caused related processes to shut down and led the plant to identify the attack, FireEye said.
FireEye believes the attackers inadvertently caused the shutdown while probing the system to learn how it worked, Scali said. The attackers were likely conducting reconnaissance to learn how they could modify the safety systems so that they would not operate if the hackers later launched an attack that disrupted or damaged the plant, he said.
Reuters was unable to identify the victim or determine how the shutdown had affected its operations. Representatives with Schneider Electric could not immediately be reached for comment.
FireEye said it had not identified the hackers, but believed they were working on behalf of a nation-state due to the sophistication of the campaign and its targeting of critical infrastructure.
The malware, which FireEye has dubbed Triton because it targets Schneider’s Triconex plant safety systems, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.
The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.
The second, known as Crash Override or Industroyer, was discovered last year by researchers who said it was likely used in a December 2016 attack that cut power in Ukraine.
FireEye said it had briefed the U.S. Department of Homeland Security on its findings. A DHS representative said he had no immediate comment on the matter.