FireEye links Russia-owned lab to Trisis developers

A Russian-owned research institute very likely helped build tools used by an infamous hacking group that caused a petrochemical plant in Saudi Arabia to shut down last year, cybersecurity company FireEye said Tuesday. A series of clues implicates the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Moscow-based lab, in developing tools used by the group known as Xenotime or TEMP.Veles, according to FireEye. The group is known for malware, dubbed Triton or Trisis, designed to disrupt control-system software that allows industrial plants to safely shut down. FireEye has tied the testing of malware used by TEMP.Veles to CNIIHM, specifically someone who has been identified as a professor at the institute. Further, an IP address registered to CNIIHM has been employed by Triton’s operators for multiple purposes, “including monitoring open-source coverage of Triton, network reconnaissance, and malicious activity in support of the Triton intrusion,” FireEye said in a blog post. […]

The post FireEye links Russia-owned lab to Trisis developers appeared first on Cyberscoop.

Lawmakers advance bill to codify DHS cyber center for industrial plants

The House Homeland Security Committee on Wednesday advanced legislation that would establish a Department of Homeland Security cybersecurity center as the lead agency for handling threats to industrial control systems, like those underpinning the energy sector. The bill would make clear that DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is the hub for mitigating ICS vulnerabilities and provide the private sector with a “permanent place for assistance to address cybersecurity risk,” Rep. Don Bacon, R-N.E., who introduced the bill, said at a markup. “We know we are vulnerable…to these cyberattacks on our energy grid, and the time is now to start building that resiliency in our energy grid,” Bacon stated. With DHS and the Department of Energy both concerning themselves with ICS, “there’s some ambiguity [on] who does what” on the issue, Bacon told CyberScoop after the hearing. “The NCCIC has been doing a lot of this,” he explained. […]

U.S. industry experts call for vigilance after Trisis group goes global

U.S. critical infrastructure operators should be on high alert — with a close eye on network anomalies — following the revelation that a hacking group that caused a Saudi industrial plant to shut down last year is targeting facilities outside of the Middle East, industry experts told CyberScoop. “Detecting these types of advanced, stealthy threats requires extraordinary visibility into your OT [operational technology] network,” said Marty Edwards, former head of the Department of Homeland Security’s Industrial Control Systems (ICS) CERT. “Unfortunately, not all U.S. critical infrastructure asset owners are at that level of maturity.” The hacking group’s expanded operations mean that U.S. infrastructure operators “should no longer remain complacent in thinking that this is just an issue somewhere else in the world,” Edwards added. The developers of the Trisis malware, which is designed to ravage the control systems that allow plants to safely shut down, have attacked multiple U.S. companies, […]

Trisis masterminds have hacked U.S. industrial firms, new research claims

A group known for infecting a Saudi petrochemical plant with highly sophisticated industrial control malware has targeted the same type of systems inside the United States, according to new research by ICS-focused cybersecurity startup Dragos. The group behind the malware, which Dragos refers to as “Xenotime,” has expanded its operations to include attacks on multiple undisclosed U.S. companies. The malware shows similarities to what’s commonly known as Trisis, which was used in an attack last year in Saudi Arabia. While Trisis exploited one particular industrial control system, researchers say a new variant impacts a variety of safety instrumented systems. Safety instrumented systems, or SIS for short, are hardware and software controls that protect large-scale industrial processes and equipment typically found in nuclear, petrochemical or manufacturing plants. There are few companies that create and manage SIS systems, including but not limited to St. Louis-based Emerson, New Jersey-based Honeywell, and Tokyo-based Yokogawa. Dragos has […]

Department of Energy strategy aims to make power systems more resilient to hacking

Citing an increase in criminal and nation-state hackers targeting the energy sector, the Department of Energy has released a five-year strategy to cut down on the risk of power-supply disruptions resulting from cyber incidents. “Despite improving defenses, it has become increasingly difficult for energy companies to keep up with growing and aggressive cyberattacks,” the document states. The department is trying to change that dynamic through a strategy to boost threat-sharing with the private sector, curb supply-chain risk, and accelerate research and development to make energy systems more resilient to hacking. The strategy will serve as a roadmap for the new Office of Cybersecurity, Energy Security, and Emergency Response, for which President Donald Trump’s fiscal 2019 budget requests $96 million. “Today, any cyber incident has the potential to disrupt energy services, damage highly specialized equipment, and threaten human health and safety,” Bruce Walker, an assistant secretary of Energy, wrote in the […]

New vuln discovered in Schneider Electric software, patches already issued

A significant vulnerability in Schneider Electric software used at manufacturing and energy facilities could allow hackers to execute arbitrary code and, “in a worst-case scenario, disrupt or cripple plant operations,” cybersecurity firm Tenable announced Wednesday. According to the Maryland-based company, an attacker without credentials could use the vulnerability to compromise Schneider Electric software used to develop – and build applications for – the human machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems that drive industrial automation. After compromising a machine, a hacker could move laterally within an organization’s network to carry out other attacks, according to Tenable. Schneider Electric issued patches for the software – versions of InduSoft Web Studio and InTouch Machine Edition – and urged affected customers to swiftly apply them lest an attacker use the vulnerability to “remotely execute code with high privileges.” “This Schneider Electric vulnerability is particularly concerning because of the potential access it grants […]

Schneider Electric: Trisis leveraged zero-day flaw, used a RAT

Multinational energy technology company Schneider Electric revealed new details Thursday about a historic breach where hackers were able to halt operations at an energy plant in the Middle East by deploying highly sophisticated malware. The latest revelations, which were publicly announced at an industrial control systems cybersecurity conference, show that Trisis leveraged a zero-day vulnerability in Schneider Electric’s Triconex Tricon safety-controller firmware. The vulnerability allowed for privilege escalation, which would allow hackers to manipulate emergency shutdown systems during a targeted attack. In addition, there was a remote access trojan (RAT) within Trisis, providing attackers with a wide array of options, including the ability to turn off industrial equipment or sabotage the safety controllers in order to create unsafe conditions. The RAT is the first designed to specifically impact safety-instrumented systems, allowing for someone to access the highest privileges available on a targeted machine. In this case, the RAT was injected directly into […]

Trisis has mistakenly been released on the open internet

An elite, government-authored cyberweapon has been sitting online in public view for nearly anyone to copy since Dec. 22 because multinational energy technology company Schneider Electric mistakenly posted a sensitive computer file to VirusTotal, three sources familiar with the matter told CyberScoop. Schneider Electric obtained the file in question, titled “Library.zip,” after collecting evidence during a data breach investigation in the Middle East that focused on an incident at an oil and gas refinery. Library.zip holds the backbone of a dangerous malware framework known as “Trisis” or “Triton,” according to research by U.S. cybersecurity companies Dragos Inc. and FireEye. The upload to VirusTotal, a public malware repository, provided the remaining puzzle piece needed for someone to reconstruct Trisis from publicly available artifacts. After being posted to VirusTotal, Library.zip proliferated — it was picked up and re-uploaded to various platforms, including GitHub and VirusTotal. Experts say the unique malware was carefully designed to manipulate […]

Trisis has the security world spooked, stumped and searching for answers

At first, technicians at multinational energy giant Schneider Electric thought they were looking at the everyday software used to manage equipment inside nuclear and petroleum plants around the world. They had no idea that the code carried the most dangerous industrial malware on the planet. More than four months have passed since a novel, highly sophisticated piece of malware forced an important oil and gas facility in the Middle East to suddenly shut down, but cybersecurity analysts still don’t know who wrote the code. Since last August, multiple teams of researchers in the public and private sectors have been examining what the perpetrators planted inside a nondescript Saudi computer network. It’s a rare case involving a computer virus specially engineered to sabotage industrial control systems (ICS) — the gear that keeps factories and refineries running. Manipulating these systems can have a destructive impact far beyond the network. Today, the incident’s magnitude and implications are […]