
The Triton malware is murderous and spreading - jchrisa
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
======
blancheneige
From [https://www.fireeye.com/blog/threat-research/2017/12/attacke...](https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)

>The targeting of critical infrastructure to disrupt, degrade, or destroy
systems is consistent with numerous attack and reconnaissance activities
carried out globally by Russian, Iranian, North Korean, U.S., and Israeli
nation state actors. Intrusions of this nature do not necessarily indicate an
immediate intent to disrupt targeted systems, and may be preparation for a
contingency.

This reeks of Stuxnet 2.0

~~~
lifeisstillgood
" We have your critical infrastructure by the balls, you have ours. We would
both be MAD to trigger anything"

Is that the planned situation here?

------
jerf
At some point, we're going to start seeing an internet connection not just in
terms of the benefits, but in terms of the liabilities too. I really would
have thought that by 2019 we'd be there with industrial control systems, but
apparently not.

One wonders if the governments of the world wouldn't be well advised to go
ahead and hack a couple of bits of their own critical infrastructure a couple
of times and horribly break it, just to make the point, before a bad actor
hacks all the infrastructure. That visibly has huge costs, but it's not clear
that the hidden costs of just blithely letting people keep hooking up critical
stuff to the Internet aren't orders of magnitude higher.

And by no means could such a result be called a "Black Swan", because that
it's going to occur is perfectly predictable. It's only a question of when.

~~~
outworlder
An air gap won't even save you. See also: Stuxnet.

~~~
j16sdiz
It decreases the attack surface and delays the attacker getting feedback from
the system. Attacks take longer and are more likely to be uncovered.

~~~
MFLoon
Are attacks on air gapped systems more likely to be uncovered though? Having
it isolated makes auditing/alerting harder too, and could instill an
overconfidence in the security of said system.

~~~
SolarNet
On the other hand it's easier to spot irregularities, the auditing is simpler
because there isn't any variance.

------
snowwindwaves
Redundant Safety PLCs run the same program in parallel in lockstep and if they
get different results then this triggers an error. I think Triconex in
particular requires 2 out of 3 controllers to agree.

It is odd that the attacker tried to modify the program in the PLC configured
this way. They should have known it would cause a noticeable disturbance.

The Schneider Quantum PLC literally runs a Pentium 166 or 200 and there is a
steady string of firmware and operating system (VxWorks) updates. We had one
from 2006 that would simply stop communicating if it was plugged in to a Cisco
switch from 2016.

A zero day in VxWorks which is the operating system for a large swath of
controllers would be pretty bad.

~~~
mjevans
I don't want to call anything without dedicated gates and hard traces a 'PLC'.

You have a computer there; something that isn't continuously integrating
results via hardware but is rather emulating that in software.

The future probably has more of those systems than what I think of when I hear
PLC, and maybe that industry has loosened the terms since I was in college,
but it's important to call tools what they are so that their shortcomings are
obvious.

~~~
cmroanirgo
As you know, PLC is just a programmable logic controller. All computers are,
by definition, that. Perhaps you're referring to the 'gated logic' programs
that exist? To me they're just like the old punch cards, but with the purpose
of controlling a contactor -- they're very simple systems indeed.

However, it's also not hard to incorporate hardware watchdogs into industrial
systems that check for proper running software (& vice versa). I've done them.

It might be time (if it doesn't already exist) for the industrial networks to
upgrade to newer security practices though... (eg code signing, encrypted
networks, changes to fs, ...)

~~~
snowwindwaves
I haven't worked with it yet but Schneider's M580 PLC I believe even supports
authentication!

It is crazy that a Quantum or M340 PLC on an ethernet network basically has
unauthenticated DMA. Any device on the network can read or write to any
addressed memory using the dead simple Modbus protocol, and there is some more
complicated protocol for reading and writing unaddressed memory.

I don't think Allen-Bradley is any better as I don't recall ever having to
specify any credentials or any other means of restricting which clients could
connect and write to the PLC.

~~~
gmueckl
All de facto Modbus implementations that I am familiar with use virtualized
register banks that map to higher level parameter accesses including input
validation. So the shenanigans you should be able to do with them are somewhat
limited. But there is no authentication at all. This was designed at a time
when the notion of having a bad actor mess with a control system was not even
invented yet.
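A defender-side monitor for the unauthenticated Modbus writes the two comments above describe, added here as an illustration and not code from the thread or from any vendor: it parses Modbus/TCP frames (MBAP header plus the start of the PDU), groups public function codes by the access they perform, and raises an alert when a write or a vendor-specific code arrives from a host outside an assumed allowlist of engineering workstations. The frames, addresses and allowlist are constructed.

```python
import struct
from typing import Optional

# Public Modbus function codes grouped by the kind of access they perform.
READ_CODES = {1, 2, 3, 4, 7, 0x0B, 0x0C, 0x11, 0x14, 0x18}
WRITE_CODES = {5, 6, 0x0F, 0x10, 0x15, 0x16, 0x17}

def parse_frame(raw: bytes) -> dict:
    """Validate the 7-byte MBAP header; decode function code and 16-bit start address."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tx_id, proto_id, length, unit_id, function = struct.unpack(">HHHBB", raw[:8])
    if proto_id != 0:
        raise ValueError("MBAP protocol id is not 0 (not Modbus)")
    if length != len(raw) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    address = struct.unpack(">H", raw[8:10])[0] if len(raw) >= 10 else None
    return {"tx_id": tx_id, "unit": unit_id, "function": function, "address": address}

def classify(function: int) -> str:
    if function in READ_CODES:
        return "read"
    if function in WRITE_CODES:
        return "write"
    # Diagnostics and vendor codes (e.g. 0x5A, which Schneider's UMAS uses for
    # programming traffic) are grouped: neither belongs in routine HMI polling.
    return "other"

def alert(src: str, frame: dict, allowed: set) -> Optional[str]:
    """Only reads are expected from hosts outside the engineering-workstation
    allowlist; anything else yields a message for the SIEM, else None."""
    kind = classify(frame["function"])
    if kind == "read" or src in allowed:
        return None
    return (f"{kind} from {src}: fc=0x{frame['function']:02X} "
            f"unit={frame['unit']} addr={frame['address']}")

if __name__ == "__main__":
    allowed = {"10.0.0.5"}  # assumed engineering workstation, not a real host
    # Constructed frames, not a capture: an HMI register read, then a single-
    # register write and a vendor-code request from a host not on the allowlist.
    samples = [
        ("10.0.0.20", bytes([0, 1, 0, 0, 0, 6, 1, 3, 0, 0, 0, 10])),
        ("10.0.0.99", bytes([0, 2, 0, 0, 0, 6, 1, 6, 0, 100, 0x12, 0x34])),
        ("10.0.0.99", bytes([0, 3, 0, 0, 0, 4, 1, 0x5A, 0, 0])),
    ]
    for src, raw in samples:
        msg = alert(src, parse_frame(raw), allowed)
        if msg:
            print("ALERT", msg)
```

The MBAP length check matters in practice: a frame whose declared length disagrees with what was received is either truncated or malformed and should be logged rather than silently classified.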

------
minikites
[https://twitter.com/SarahTaber_bww/status/110525655715412787...](https://twitter.com/SarahTaber_bww/status/1105256557154127872)

>I don't think I've quite articulated why I'm so critical of the tech
industry. Tech isn't just software anymore. They're coming for ag, food, &
manufacturing, & they're bringing negligent attitudes towards risk & safety
that they learned in the cushy world of apps.

And this malware is affecting industries with a strong incentive for safety;
think about what that might imply about every other industry.

~~~
bsder
> I don't think I've quite articulated why I'm so critical of the tech
> industry. Tech isn't just software anymore.

She is picking the wrong target. Tech would do security if directed to do
security. _Business management_ doesn't care about security.

Until someone has to _pay big money_ or _do jail time_ for lack of security,
this will not change.

~~~
anigbrowl
Hierarchical management structures are part of the problem. Managers generally
treat technicians as flunkies and don't value their opinions, and most
technicians aren't willing to get yelled at or fired, so corporate systems
select for the lowest common denominator instead of the highest common factor.
It's not going to change under our existing system because capitalists don't
give a shit about consumers or employees, and 99% of managers just want to get
into the winners' circle.

------
tivert
> [The malware contained] an IP address that had been used to launch
> operations linked to the malware.

> That address was registered to the Central Scientific Research Institute of
> Chemistry and Mechanics in Moscow, a government-owned organization with
> divisions that focus on critical infrastructure and industrial safety.

Ironic, sounds like they also have the job of _subverting_ critical
infrastructure and industrial safety.

~~~
hanniabu
I suppose the best way to improve critical infrastructure is to create an
emergency that makes improvement a priority lol

------
hedora
This is definitely not the first time malicious software was implanted in
industrial control safety systems. Here is an example from the Cold War (it
caused the largest non-nuclear man-made explosion in history):

[https://www.zdnet.com/article/us-software-blew-up-russian-ga...](https://www.zdnet.com/article/us-software-blew-up-russian-gas-pipeline/)

The actual sabotage involved adding an integer overflow to valve control
software, and making sure it took months to hit (so testing would miss it).

------
ggm
I think people need to keep in mind that "disconnect it from the Internet, it
shouldn't have been on the internet" doesn't fix this. If the injection works
from USB devices, then the typical field engineer is not going to scrub their
USB before downloading the field upgrade. Almost everything worldwide now uses
USB as a field-upgrade path. Maybe as a cost cutting and simplification method
this was ok, but the risk side? Way, way above the benefit (in my opinion).

What mitigates this (if anything does) is signed code on media you have to
work harder to program. Rather than a USB device, this should be some form of
media which doesn't present as a bootable device to a BIOS/UEFI. The field
unit should have signature checks over images based on PKI. This is what a lot
of things do, but somehow it seems not the ones which matter here?

Field upgrade by Kermit or X/YMODEM would be better than this, in that narrow
regard. The risk of an unexpected packet hitting the code path is lower if the
code upgrade is reading a byte stream for a hash/sig check, compared to
mounting a USB device, loading drivers, enabling HID mode ...

I deliberately avoided working in engineering contexts where the risk was
above my comfort factor. It ruled out industrial process control, health,
civil engineering and a host of fascinating fields, but I was just too worried
about the liability side and my own competency to work in these areas.

I did not foresee (inter)net technology becoming so critical it exposed all of
these risks, in my core competency. I still feel inadequate to these risks, 37
years later.

------
Causality1
Industrial operations are going to have to start giving a damn. A lot of them
just don't right now. Most of the ones I've been in are an amalgamation of
devices and software spanning the last thirty years. The number of XP boxes
still controlling vital systems while being connected to the internet is
insane.

------
turnlund577
> "...likely through a hole in a poorly configured digital firewall that was
> supposed to stop unauthorized access..."

'Every' penetration tester I talk to says that this is what they find all the
time: actual 'reality' within networks does not align with assumed network
policies or topology.

But, I don't talk to that many. Is this really the case? We take great care
to have network architectures and policies that define network segmentation,
isolation, and other strategies to harden and protect the network. But those
policies are not implemented properly, or over time their technical
enforcement isn't guaranteed?

~~~
debatem1
Yeah, I don't think I've ever seen an 'airgapped' network that was actually
airgapped.

About half the time no discernible effort was ever put into airgapping and it
was only ever a paper goal. Most of the rest of the time it started out
configured reasonably but either drifted out as business needs changed ("Chloe
get me a port!" is a pretty common joke) or someone just didn't realize it was
special and configured it badly.

The rest of the time you just stack up edge cases: bad management credentials,
forgotten management interfaces, canned router or switch exploits, broken
q-in-q implementations, etc. The list is endless. And all that's without
getting someone authorized to carry you onto the airgapped network, which
happens facepalmingly often.

------
tareqak
Instead of having Internet connectivity 24/7 for IoT devices or critical
infrastructure, why not have a small window for things like updates and so on,
but be physically air-gapped the rest of the time? The window doesn't have to
be at the exact same time either: if you need 20 minutes to download and apply
updates once a week, then you can start that 20 minute interval at any time on
whichever day. The air-gapping could also be done using analog means or
another network that isn't connected to the Internet.

The best solution would be to be air-gapped 24/7, but in cases where that is
not possible, there are other viable and more secure approaches than being
online 24/7.

------
MrXOR
Made in Russia?

[https://www.fireeye.com/blog/threat-research/2018/10/triton-...](https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html)

------
hi41
What causes some of the finest hackers to come from Russia? Is it attributable
to their education system? Comparatively, I don’t see as many hackers coming
from any other country? I don’t mean it in a bad way. Just curious.

~~~
jnwatson
Excellent mathematics in secondary schooling and lots of folks with degrees
but not high paying jobs is my guess.

------
password1
I know that this is tinfoil-hat territory, but isn't the problem of the recent
Boeing 737 MAX crashes related to software issues? It would be scary. I'm
referring to this article:
[https://www.businessinsider.com/boeing-737-max-receive-updat...](https://www.businessinsider.com/boeing-737-max-receive-updated-control-software-2019-3?IR=T)

~~~
0815test
You're right to be scared of course - a software bug in a safety-critical
system is a bug in a safety-critical system, no matter if it happens in a
plane or in some piece of critical infrastructure. And yes, they have now
patched _this_ flaw, but most likely it's still a pile of old FORTRAN code or
something like that, that they're now stuck dealing with in some way. The
notion that these sorts of systems are somehow less prone to having serious
bugs in them is being revealed as a dangerous delusion.

~~~
jakeinspace
No software is perfect, but the aerospace industry has standards as far as
software validation/verification that mean airplane software is in general
less bug-ridden than comparably complex low-level software written for less
risk-averse industries. Hard to say if that applies to any particular chemical
or energy plant as well.

------
sonnyblarney
Mobile platform apps run in considerably stricter environments than do desktop
apps.

I'm wondering why MS has not come out with a similar kind of Windows, wherein
every app is effectively sandboxed.

~~~
flukus
> Mobile platform apps run in considerably stricter environments than do
> desktop apps.

Mobile phones (android) are full of malware, most only get patched for a
couple of years at best and these are often late and infrequent. Stricter !=
safer.

> I'm wondering why MS has not come out with a similar kind of Windows,
> wherein every app is effectively sandboxed.

That would be Windows 10 and the app store included, but it looks like its
limitations led to failure.

~~~
sonnyblarney
Strictness definitely means safer. Android apps written in Java cannot wipe
the device or run amok and do whatever. The opportunity for malware is
considerably reduced if the API attack surface is limited.

Security measures on Win10 are superficial in the sense that any app compiled
to the platform can essentially do whatever.

It would, I think, take something quite a bit more fundamental than the app
store or signatures, effectively a totally new OS architecture.

------
josteink
> In attacking the plant, the hackers crossed a terrifying Rubicon. This was
> the first time the cybersecurity world had seen code deliberately designed
> to put lives at risk.

This is no regular malware. This is war.

~~~
iak8god
I don't know enough about the production of nuclear centrifuges to say for
sure, but it seems probable that the damage intentionally inflicted by
Stuxnet[1] may very well have put some lives at risk. Triton looks more like
another step down this path than like a watershed moment.

Mike Hayden, 2012 [2]:

> We have entered into a new phase of conflict in which we use a cyberweapon
> to create physical destruction, and in this case, physical destruction in
> someone else's critical infrastructure.

Still, an alarming development.

[1] [https://en.wikipedia.org/wiki/Stuxnet](https://en.wikipedia.org/wiki/Stuxnet)

[2] [https://www.cbsnews.com/news/stuxnet-computer-worm-opens-new...](https://www.cbsnews.com/news/stuxnet-computer-worm-opens-new-era-of-warfare-04-06-2012/)

~~~
floatrock
Don't forget about Crimean power outages before the Russian annexation. And
the cyber breadcrumbs we've found in our dams and power stations. Oh, and I
hear Venezuela is coming out of a 4-day blackout right as we're ramping up all
our aid/regime-change talk...

About a year ago there was a major transformer that blew in downtown SF,
knocking most of the FiDi offline. I didn't think much of it -- stuff breaks,
and this was pre-PG&E fiasco -- but then I heard the same thing happened in
NYC and another major city (maybe Seattle?) that same morning. Things break
regularly, and there's always some 3-city combined probability function, but
it still made me glance over my metaphorical shoulder.

Ideally we'll still be too scared to use nukes in the next hot war. Everything
else that makes modern life bearable is fair game, though.

[edit]: LA was the third city, and all failures were traced to physical
faults/aging infrastructure:
[https://www.snopes.com/fact-check/power-outages-la-sf-nyc](https://www.snopes.com/fact-check/power-outages-la-sf-nyc)
Like I said, there always is a combined probability function, but the point is
we're gonna be doing a lot more glancing over our metaphorical shoulders the
more we see stories like this.

~~~
jazzyjackson
If I wanted to blow a transformer over the internet, I'd pick one that would
be regarded as aging, too.

