Trisis has the security world spooked, stumped and searching for answers

At first, technicians at multinational energy giant Schneider Electric thought they were looking at the everyday software used to manage equipment inside nuclear and petroleum plants around the world. They had no idea that the code carried the most dangerous industrial malware on the planet.

More than four months have passed since a novel, highly sophisticated piece of malware forced an important oil and gas facility in the Middle East to suddenly shut down, but cybersecurity analysts still don’t know who wrote the code.

Since last August, multiple teams of researchers in the public and private sectors have been examining what the perpetrators planted inside a nondescript Saudi computer network. It’s a rare case involving malware specially engineered to sabotage industrial control systems (ICS), the gear that keeps factories and refineries running. (Trisis is not a self-spreading virus; it was deployed by hand onto a specific target, which makes the "virus" label common in early coverage inaccurate.) Manipulating these systems can have a destructive impact far beyond the network.

Today, the incident’s magnitude and implications are becoming increasingly clear to the victim, to several foreign governments and to the private sector teams that led incident response. What they all found has been described to CyberScoop as the “next generation of cyberweaponry” — a tool so dangerous that its mere existence significantly intensifies the global digital arms race.

Clues unearthed from September to December suggest that an intricate but slightly misconfigured cyberattack caused the mysterious shutdown. The affected company and the teams investigating the incident still have not publicly revealed where it occurred.

One thing is clear about the code: Dubbed “Triton” or “Trisis,” the multi-stage malware framework is unlike anything the security research community has ever seen. It is considered to be just the fifth known variant of ICS-tailored malware. The most recent was “CrashOverride” in Ukraine in 2016, and perhaps the most famous was “Stuxnet” in Iran in 2010.

“Trisis’ impact is simple. It is the first piece of malware which can be used remotely to put civilian infrastructure into an unsafe state,” explained Sergio Caltagirone, director of threat intelligence with Maryland-based cybersecurity startup Dragos Inc. “When things like this happen, plants get shut down, people can get hurt.”

Not only has the case stumped some of the most talented people in cybersecurity forensics, but it also has highlighted the complications and conflicts inherent in investigations that are extremely important to governments but are ultimately controlled by private companies.