Former member of hacktivist group Anonymous, Mike ‘sting3r’ Jones discusses a new cyber threat to Big Oil and how the sector might combat it.
2017 brought a new threat to the industrial landscape and a new weapon.
The weapon was Triton malware also known as “Trisis”.
This malware took advantage of the safety instrumented system of a Saudi Arabian petrochemical plant.
The triconex Tricon possessed vulnerabilities within the bounds of a memory buffer allowing attacker to remotely exploit specifically with HatMan malware.
The dawn of this type of malware created a huge shift in risk and brought to light a new psychology among hackers – to create an attack which could both damage systems as well as potentially harm humans.
This is a good sign that cyberwar is not only here but active and a physical menace.
The advancement of this malware and the methodology of attack is a strong ioc (indicator of compromise) for state sponsored Russian hackers and has been linked to government sector in science and engineering in Moscow.
In my years of security research and threat intelligence I can say with confidence this attack and malware has been under research and development of groups like “Sofacy” since 2016.
There has been strong chatter from this group looking for specific controllers and any information available to exploit these locations and cause damage.
Going back to predictions for 2019 cyberwar and iot are on that list.
The “Triton” style code and devastating outcomes are going to continue especially in the industrial sector.
The mass effects of damaging plants, drilling sites and pipelines could cause not only maximum financial loss but also infrastructure uncertainty and panic.
Cyber-terrorism is a threat to keep in mind while defending infrastructure of any kind.
The process to defend against this attack requires a strong knowledge of your own assets, network hygiene, user awareness and a threat intelligence capability.
These groups work the same as traditional terrorist cells. They communicate both among themselves as well as with individuals that have been identified as having intimate knowledge of the devices or systems they are targeting.
Educate your users, defend against social attacks and protect your networks. Stay safe!