At first, technicians at multinational energy giant Schneider Electric thought they were looking at the everyday software used to manage equipment inside nuclear and petroleum plants around the world. They had no idea that the code carried the most dangerous industrial malware on the planet.
More than four months have passed since a novel, highly sophisticated piece of malware forced an important oil and gas facility in the Middle East to suddenly shut down, but cybersecurity analysts still don’t know who wrote the code.
Since last August, multiple teams of researchers in the public and private sectors have been examining what the perpetrators planted inside a nondescript Saudi computer network.
It’s a rare case involving a computer virus specially engineered to sabotage industrial control systems (ICS) — the gear that keeps factories and refineries running. Manipulating these systems can have a destructive impact far beyond the network.
Today, the incident’s magnitude and implications are becoming increasingly clear to the victim, to several foreign governments and to the private sector teams that led incident response.
What they all found has been described to CyberScoop as the “next generation of cyberweaponry” — a tool so dangerous that its mere existence significantly intensifies the global digital arms race.
Clues unearthed from September to December suggest that an intricate but slightly misconfigured cyberattack caused the mysterious shutdown. The affected company and the teams investigating the incident still have not publicly revealed where it occurred.
One thing is clear about the code: Dubbed “Triton” or “Trisis,” the multi-stage malware framework is unlike anything the security research community has ever seen. It is considered to be just the fifth known variant of ICS-tailored malware. The most recent was “CrashOverride” in Ukraine in 2016, and perhaps the most famous was “Stuxnet” in Iran in 2010.
“Trisis’ impact is simple. It is the first piece of malware which can be used remotely to put civilian infrastructure into an unsafe state,” explained Sergio Caltagirone, director of threat intelligence with Maryland-based cybersecurity startup Dragos Inc. “When things like this happen, plants get shut down, people can get hurt.”
Not only has the case stumped some of the most talented people in cybersecurity forensics, but it also has highlighted the complications and conflicts inherent in investigations that are extremely important to governments but are ultimately controlled by private companies.
While the story behind Trisis is still unfolding — experts on multiple continents are still poring over the malware — CyberScoop has learned more details about what occurred in the last half of 2017.
The following account is based on multiple conversations with seven sources with knowledge of the investigation into Trisis. All sources who spoke on the condition of anonymity did so in order to freely discuss sensitive information.
The First Forensics
In late August, employees of an oil and gas plant located in Saudi Arabia quickly noticed when some of its industrial equipment randomly shut down during regular business hours. The quirks eventually forced the entire facility to halt operations, causing immediate financial losses.
The affected company began to inspect workstations connected to some of the faulty industrial equipment. Before long, technicians found an odd computer file named “trilog.exe.” It appeared to come from Schneider Electric, which served as a technology supplier for the facility.
Continuing to believe the issue might be due to a software problem, the victim called on Schneider.
Around the same time, the victim also notified Saudi Aramco, the world’s largest oil and gas company, which in turn provided its own team of engineers to inspect computers in late August.
While Aramco was not responsible for the facility’s day-to-day operations, the corporation has a stake in the victim’s business. Having dealt with the massively destructive Shamoon attack five years prior, Aramco understood the suspicious file would require a thorough inspection.
Sources who spoke with CyberScoop described general details about the victim organization, including its relationship to Aramco, but all declined to provide a company name.