Triton Malware

  • Thread starter Bapun

Bapun

Triton Malware Details Show the Dangers of Industrial System Sabotage
At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.

The Schneider researchers shared two crucial pieces of information about what came next in the intrusion, though: The attack on the Schneider customer in part exploited a previously unknown, or zero day, vulnerability in Schneider's Triconex Tricon safety system firmware. And the hackers deployed a remote access trojan in the second stage of their exploitation, a first for malware that targets industrial control systems.

The researchers say that the malware targets the Triconex firmware vulnerability, manipulates the system to steadily increase its ability to make changes and issue commands, and then deposits the RAT, which awaits further remote instructions from the attackers.
 