Plague of the Cyber RATs: How a toxic computer code delivered by 'Remote Access Trojans' is an invisible army able to take over a petrochemical plant and blow it to pieces

  • In August a team of hackers seized control of a Saudi Arabian petrochemical site
  • They used malicious software dubbed both 'Triton' and 'Trisis' by experts
  • They inserted a ‘Remote Access Trojan’ (RAT) which allowed them to take control
  • Experts fear 'Triton' represents the next generation of the cyber revolution
  • Iran, Russia and North Korea are considered at the sharp end of the practice

On a broiling day last August, managers of a huge petrochemical plant in Saudi Arabia discovered to their horror that it had been attacked. The consequences could have been catastrophic: the invaders had seized command of its computerised control-and-safety system, and had the power to damage it severely.

The attackers carried no guns, explosives, or conventional weapons. Yet they could have blown up the plant – its exact location remains a secret – from thousands of miles away, killing its workers, crippling the local economy and poisoning the surrounding region.

For they were computer hackers, and their weapon, dubbed both ‘Triton’ and ‘Trisis’ by security experts, was a piece of malware, a malicious software program.

In August a group of hackers attacked a huge petrochemical plant in Saudi Arabia (similar to the one pictured). The consequences could have been catastrophic: the invaders had seized command of its computerised control-and-safety system, and had the power to damage it severely

‘The creators of this attack created a weapon that can kill people,’ said Brigadier General Danny Bren, the former commander of Israel’s cyber defence unit, who now advises major corporations.

‘With something like that, you can create great danger to an oil rig, a refinery, a power station. In effect, you have built a bomb.’

The hackers had got into the safety system’s firmware, its permanent foundations, and injected a ‘Remote Access Trojan’ (RAT) which allowed them to burrow into the computer system and issue instructions via a hidden, electronic ‘back door’.

The Triton malware was eventually detected only because it contained a tiny flaw that caused part of the system to crash. But its shadowy controllers, said Bren, are still out there, learning from their mistake. ‘Triton represents the next generation of the cyber revolution. It’s going to have a big effect.’

Inquiries by this newspaper in Britain, the US and Israel, a leading centre of cyber defence, suggest the threat of state-sponsored hacking is growing rapidly. Bren believes the sophistication of the Saudi attack suggests Triton was built by a state – possibly Saudi Arabia’s enemy, Iran.

Moreover, the dangers it poses to industry and critical infrastructure – ‘real world’ sabotage and possible loss of life – are not confined to the Middle East. The British power grid, factories and energy plants are also at risk. Experts say RATs may already have infiltrated UK networks.

In a recent speech in Belfast, Ciaran Martin, director of the £1.9 billion National Cyber Security Centre (NCSC), which was established 15 months ago as an offshoot of GCHQ, warned that Britain’s enemies are trying to ‘preposition on critical national infrastructure so they can act with menace against us in times of tension’.

Couched in technical language, his words attracted little attention, and no media coverage.

By ‘prepositioning’, he meant hacks such as Triton, hidden penetrations of UK systems by malware which can lie dormant for years. ‘The Triton attack, while rare, is likely to be an example of attempted prepositioning,’ an NCSC official confirmed. ‘A key part of the NCSC’s mission is to ensure the UK is not susceptible to such attacks.’

Martin referred again to ‘prepositioning’ on Radio 4’s Today last week, defining it as ‘getting a presence on a computer network’ which created ‘the potential to use it for destructive attacks in the future’.

Just what is meant by ‘destructive attacks’ – and the real danger it poses to Britain – is explained by Jeff Bardin, chief intelligence officer of US security firm Treadstone 71, which monitors state-sponsored hacking.

‘Triton is a combination of espionage and sabotage, and this kind of activity is widespread,’ he said. ‘It could lead to explosions, oil spills and other environmental disasters, and the problem is, we’re not geared up to look for it.

‘The UK is using the same hardware and software as everyone else. Your nuclear plants are probably safe, because their systems are built to a more secure standard. All other critical infrastructure is vulnerable.’

State-sponsored attacks with real-world consequences are not new. In 2010, the ‘Stuxnet’ attack, reportedly by Israel, crippled Iran’s nuclear programme by destroying the sensitive centrifuges it used to enrich uranium.

In 2012, a single employee clicking on an internet link triggered the collapse of Saudi oil giant Aramco’s entire IT network. The hack, which like Triton was blamed on Iran, wiped data from 35,000 computers, forcing the firm to revert to typewriters and faxes for five months. In December 2016, the Russian ‘Crash Override’ hack cut power to 100,000 Ukrainian homes.

Curse of the charming kittens

A common way for hackers, such as Iran’s Charming Kittens, to penetrate the computer networks of targets is ‘social engineering’ – the use of fake social media profiles to ‘friend’ members of the opposite sex. 

Fake social media profiles have been used to steal contacts, emails and further data

They also use more elaborate methods. One recent victim, a prominent academic, was invited to join an online chat group with Valerie Jarrett, a former senior adviser to Barack Obama. This was merely a ploy to steal her password, and gain access to her contacts, emails and other data.

The consequences, says Eyal Sela of Israeli cyber security firm ClearSky, can be severe: not just loss of privacy, but the creation of a bridgehead in an ‘enemy’ network which could trigger a shutdown.

For years, interest in cyber security was mainly confined to specialists; now it is going mainstream, with a succession of key figures lining up to highlight the threat. At the end of last year, the NCSC revealed that the ‘WannaCry’ hack, which knocked out thousands of NHS computers last May and forced vital operations to be cancelled, was the work of North Korea.

The same state, which has a special department, Office 39, devoted to raising money through organised crime, was accused of last month’s £380 million digital heist from Japan’s Coincheck cryptocurrency exchange, arguably the largest theft in history.

Last month, General Sir Nick Carter, Chief of the General Staff, warned that ‘cyber-warfare can be waged on the battlefield and to disrupt normal people’s lives’.

And last week Defence Secretary Gavin Williamson blamed Russia for June’s ‘NotPetya’ hack, which disabled computers in Ukraine before spreading across Europe, costing businesses £1.2 billion. Britain was embroiled in a ‘new era of warfare… a destructive and deadly mix of conventional military might and malicious cyber attacks’, Williamson said, accusing Russia of ‘ripping up the rulebook’.

In an email to this newspaper, the NCSC’s Ciaran Martin added: ‘The Government recognises the impact of cyber attacks as a major threat to the UK’s economic and national security. We defend ourselves as necessary, using whichever capability is most appropriate.’

So what has changed? One factor is mounting evidence of attempted ‘prepositioning’ by Russia. Another is Triton – described by one UK official as a ‘key data point’ not only for the NCSC, but for America’s FBI, Pentagon, Department of Homeland Security and several private cyber security companies, all of which have joined a consortium to investigate it.

It may be going too far to suggest there is an ‘axis of evil’ in the world of cyber warfare, say British and Israeli security sources, though it is not disputed that Russia and North Korea are at the sharp end of this practice.

These are the countries most likely referred to when Robert Hannigan, who stepped down as head of GCHQ last year, told the MoS: ‘Countries that mean us harm are co-operating with each other, sharing expertise, and using wider criminal groups. The overlap of crime and state actors is one of the most alarming developments of the past few years.’

He added: ‘The UK is better protected than most countries, but we are not invulnerable to these kinds of attacks. We have observed attempts by states to get into our national infrastructure for years.’

It is also clear that a third name must be added to the list of hostile nations: Iran.

Ironically, said Bardin, it was Stuxnet that led Iran to enhance its offensive capability: ‘If Stuxnet had happened to the US or UK, it would have been seen as an act of war. In Iran, it made them invest heavily in offensive cyber operations.’

He revealed that 18 per cent of Iranian university students are studying computer science – a cyber warfare talent pool.

The results are tracked in Tel Aviv by cyber security firm ClearSky, whose clients include major corporations in Israel, Asia, the Americas and Europe.

ClearSky analyst Eyal Sela showed the MoS some of the high-tech tools the firm uses to unmask hacking groups, by exposing their links and finding evidence of shared hostile source code.

Some of the ‘cells’ based in Iran have been given cute names, such as Charming Kittens, and their methods can look innocuous: attractive but bogus Facebook profiles – which are known in the trade as avatars – seeking to ‘friend’ members of the opposite sex who work for enemy targets.

Falling for this technique – known as ‘social engineering’ – can be dangerous. A Facebook chat with an avatar may lead to fake but convincing links from firms such as Google and Dropbox. If you click on them, Sela said, ‘hackers will steal your emails, all your contacts, and use this access to attack your circle’. Victims have included Iranian human rights groups. There may be more than information at stake, Sela said. If they create access to victims’ work internet accounts, ‘social engineering can be used to escalate to full-on company network shutdowns and even physical damage to installations such as that which might have occurred with Triton’.

Sela said another Iranian method – revealed here for the first time – is the establishment of a fake BBC News site in Persian, used to spread disinformation.

Another bogus Iranian website is known as British News – supposedly edited in London with a convincing British Lion logo. However, it contains malicious code: ‘If you click on its links, your computer will get infected.’

Thus, Triton is part of a wider campaign which has already induced the FBI to issue a criminal indictment for fraud, espionage and damaging computer networks against Iranian hacker Behzad Mesri, allegedly a member of Charming Kittens. Triton is, however, the campaign’s most serious element.

Last month, at a cyber conference in Florida, Schneider Electric, the French multinational that makes the Triconex system that Triton infiltrated, presented the investigative consortium’s findings.

According to the firm, the attackers must have been state-sponsored because they had ‘unlimited resources, unlimited skills, and a lot of time’. They had gone to great lengths to find out how Triconex worked, and the malware came with features which rendered it unnoticeable, and to ‘throw off forensic experts’ if they suspected something might be wrong.

Schneider said Triton exploited a ‘zero-day vulnerability’ – a weakness in the Triconex firmware which was previously unknown. It promised it would be issuing a ‘patch’ this month to prevent similar attacks.

Preventing hacks is a central part of the NCSC’s mission. But doing so is not easy: as GCHQ’s Robert Hannigan points out, many sensitive targets are private sector companies, and ‘there is a limit to what government can and should do’.

Dr Gabi Siboni, a former colonel who heads both Tel Aviv’s Institute for National Security Studies (INSS) cyber security research programme and private consultancy firm G Bina, said that in Israel cyber security was designated as a key issue 16 years ago, when the government began trying to protect critical infrastructure.

It considered then that a hit on a utility whose loss might cut GDP by 10 per cent was a question of national security, Dr Siboni said. The rest of the world has taken a while to catch up.

Dr Siboni explained that Israel’s prime minister’s office ‘regulates’ cyber defence for a list of some 60 critical infrastructure organisations: ‘If we think an attack on your business would generate a risk to national security, you will be subject to rules – the equivalent of having to comply with environmental regulation.’

Cyber security meant rewriting the relationship between business and the state, he added. ‘Intelligence used to be the prerogative of the state. It’s not any more, because private cyber companies have more information than official agencies. The state needs their co-operation. At the same time, we have to figure out how we share information to defend ourselves, without compromising private data.’

Britain is already moving in the same direction. Under an EU directive, cyber security for critical installations is mandatory. But as Hannigan admits: ‘It’s only a basic level and we need to go much further. Defence of critical services depends on the weakest link getting stronger – and not every major company is there yet.’

Meanwhile, the threat is likely to deepen. ‘Fixing this takes political will, and business is always pushing back, because good cyber security adds costs,’ said Bardin. ‘Ultimately, something is going to blow up.’