The Triton Cyber Weapon
In August of 2017, a private Saudi Arabian petrochemical company was hit by a cyber attack which was designed, according to investigators, to sabotage the firm’s equipment and trigger a plant-wide explosion . This was by no means a run-of-the-mill cyber breach. Instead, it was one of the very few instances where a cyberweapon, known as Triton, had been specifically engineered to sabotage industrial control systems (ICS) . Perhaps the most well-known example of this type of attack was the Stuxnet virus discovered in 2011, which targeted nuclear centrifuges in Natanz, Iran .
For Saudi Arabia, a cyber attack against the petrochemical industry is not unprecedented. In January of 2017, hackers using the “Shamoon” virus wiped the hard drives of multiple Saudi petrochemical companies – replacing them with the image of 3-year-old Syrian refugee Alan Kurdi, whose photo was widely circulated after he drowned in 2015 . Adam Meyers, Vice President of cybersecurity firm CrowdStrike, asserted that the Iranian government was most likely behind the incident, as they had likely been in 2012 when a similar attack occurred . For a targeted strike with clear political motivations, nation-state involvement was logically consistent.
So: if cyber attacks are nothing new for Saudi Arabia, why does this latest one matter the most?
1. This is one of the first targeted cyber attacks against industrial control systems.
Industrial control systems are responsible for monitoring – and safeguarding – both infrastructure and the people who manage it. As security researchers uncovered, the Triton malware found on Saudi Arabian computers was designed to destroy this very technology – in this case, Triconex “controllers” produced by Schneider Electric, used for everything from system monitoring to emergency management . So, by using custom code libraries to gain remote control over these devices, the hackers were able to issue commands from anywhere in the world, wreaking havoc without the plant’s knowledge. From data manipulation to total plant shutdown, a wide range of options were on the table .
Cyberweapons used against industrial control systems are few and far between, and so any example of this kind is an important case study: we can learn about attack techniques, software and hardware vulnerabilities, attacker incentives, and more. In the case of Triton, the use of remote Internet control is critical. Stuxnet controlled Iranian centrifuges automatically once inside their systems, which meant the cyber weapon had to be well thought-out beforehand .
With remote Internet control, however, hackers do not have to plan their moves out; they can react in real-time and change their intentions as they go along. Further, this is evidence that cyber weapons can very easily hide within systems for extended periods of time, just waiting to strike.
2. The attack was intended to cause casualties.
When ICS safety mechanisms do not work, lives at stake. This was made clearer than ever when the hackers attempted to blow up the entire Saudi Arabian petrochemical facility. Rather than sending halt commands that would shut down the system, they tried loading their own destructive “payloads” onto the controllers themselves. It was, in the words of FireEye security researchers, an attempt at a “high-impact attack with physical consequences” . Such an attack is unparalleled.
Cyber weapons have been used before (albeit rarely) for causing physical damage to industrial and IT systems. However, they have never been used to cause bodily harm -- that is, until now. This attack is, therefore, a clear warning to us all: cyberweapons, despite being digital, can have direct impacts on human safety. Considering this fact alongside Triton’s remote control capabilities, this should concern national security strategists worldwide. We must ask ourselves: what happens when you can blow up a plant from anywhere in the world, with only the click of a button? And what happens when such an attack is extremely difficult to attribute?
3. There are more than 18,000 of the safety systems exactly like the one affected, in over 80 countries around the world.
The Triconex safety system, built by Schneider Electric, is one of the most popular safety systems in the world . This cyber attack exemplified the major security vulnerabilities that exist within the Triconex systems, and compel us to think about how many industrial plants around the world could be targeted in exactly the same way. Since Triconex is employed in a broad spectrum of industry, from paper mills and petrochemical facilities to nuclear energy plants, no single industry is unassailable.
Furthermore, it is worth noting that Schneider Electric is a multinational Fortune 500 company with annual revenues of nearly €25 billion . Triton proves that yet again, reliance on a single company for the same services around the world comes with extraordinary cybersecurity risks.
4. Civilian infrastructure was targeted, as part of a broader campaign to impede the Saudi Arabian oil market.
The Saudi Arabian oil market is dominated by the national oil company Saudi Aramco; for this reason, it is of particular interest that this specific civilian facility was targeted. Whatever the relationship between this petrochemical plant and Saudi Aramco, it is clear that this attack is part of a larger campaign to disrupt and damage Saudi Arabia’s most important industry, one that is inextricably tied to the Saudi Arabian government. Indeed, OPEC estimates that the oil and gas sector accounts for about 50 percent of Saudi’s gross domestic product .
According to Kaspersky Labs, in 2017, over 60% of Saudi Arabian institutions were hit with malware attacks. This data came out of a Kaspersky Workshop that was organized by the Saudi Ministry of Interior’s National Cyber Security Center in Riyadh. With so many cyber attacks on both public and private Saudi networks, it makes sense the government is worried. With the upcoming initial public offering of Saudi Aramco – estimated to be worth over $1.5 trillion – there is a lot more at stake. If Saudi Arabia cannot prove to potential investors that its petrochemical apparatus is secure, the IPO will inevitably suffer: hence why Saudi Aramco was so quick to distance itself from this attack .
This cyberweapon, used to target civilian infrastructure and harm both the Saudi Arabian economy and the individuals at the plant, is a watershed moment. We now see how global reliance on single pieces of technology can undermine the security of physical machines, multinational corporations, and global economic systems. The vulnerabilities are both huge in scale and multidimensional in their effects. If this does not serve as a wake-up call for more robust cybersecurity practices and protocols in industry, what will?
Justin Sherman is an Interact Fellow studying Computer Science and Political Science at Duke University, focused on cybersecurity, warfare, and governance. Justin is a Cyber Researcher at a Department of Defense-backed, industry-intelligence-academia group at North Carolina State University focused on cyber and national security.
Inés Jordan-Zoob is an Alice M. Baldwin Scholar studying Political Science and Art History at Duke University, focused on foreign policy, counterterrorism, cybersecurity, warfare and the intersection of art and politics. She has worked at a Department of Defense-backed laboratory focused on conflict simulation and spent last summer in Israel exploring technology investment in the cybersecurity field.
 Perlroth, N., & Krauss, C. (2018, March 15). A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. Retrieved from https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html.
 Bing, C. (2018, January 16). Trisis Has the Security World Spooked, Stumped and Searching for Answers. Retrieved from https://www.cyberscoop.com/trisis-ics-malware-saudi-arabia/.
 Franceschi-Bicchierai, L. (2016, November 16). The History of Stuxnet: The World’s First True Cyberweapon. Retrieved from https://www.vice.com/en_au/article/ex95m4/the-history-of-stuxnet-the-worlds-first-true-cyberweapon.
 Kingsley, P. (2016, September 2). The Death of Alan Kurdi: One Year On, Compassion Towards Refugees Fades. Retrieved from https://www.theguardian.com/world/2016/sep/01/alan-kurdi-death-one-year-on-compassion-towards-refugees-fades.
 Reuters. (2017, January 23). Saudi Arabia Warns on Cyber Defense as Shamoon Resurfaces. Retrieved from https://www.reuters.com/article/us-saudi-cyber/saudi-arabia-warns-on-cyber-defense-as-shamoon-resurfaces-idUSKBN1571ZR.
 Synek, G. (2018, March 15). Saudi Arabian Petroleum Plant Hit with Malware that Tried to Cause an Explosion. Retrieved from https://www.techspot.com/news/73730-saudi-arabian-petroleum-plant-hit-malware-tried-cause.html.
 Johnson, B., et al. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved from https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.
 Schneider Electric. Triconex History. Retrieved from https://www.schneider-electric.com/en/brands/triconex/triconex-history.jsp.
 Schneider Electric. (2018, February 15). Financial Results. Retrieved from https://www.schneider-electric.com/en/about-us/investor-relations/financial-results.jsp.
 Organization of the Petroleum Exporting Countries. Saudi Arabia Facts and Figures. http://www.opec.org/opec_web/en/about_us/169.htm
 Paganini, P. (2017, October 1). 60% of Institutions in Saudi Arabia Hit by Malware-Based Attacks. http://securityaffairs.co/wordpress/63640/hacking/saudi-arabia-cyber-attacks.html