Schneider Electric: Trisis leveraged zero-day flaw, used a RAT

Schneider Electric had remained largely silent about an August incident where Trisis shut down operations at a Saudi energy plant.
Schneider Electric will help reset plant systems that may be potentially affected by Trisis. (Getty)

Multinational energy technology company Schneider Electric revealed new details Thursday about a historic breach where hackers were able to halt operations at an energy plant in the Middle East by deploying highly sophisticated malware.

The latest revelations, which were publicly announced at an industrial control systems cybersecurity conference, show that Trisis leveraged a zero-day vulnerability in Schneider Electric’s Triconex Tricon safety-controller firmware. The vulnerability allowed for privilege escalation, which would allow hackers to manipulate emergency shutdown systems during a targeted attack.

In addition, there was a remote access trojan (RAT) within Trisis, providing attackers with a wide array of options, including the ability to turn off industrial equipment or sabotage the safety controllers in order to create unsafe conditions.

The RAT is the first designed to specifically impact safety-instrumented systems, allowing for someone to access the highest privileges available on a targeted machine. In this case, the RAT was injected directly into the computer’s memory, making it more difficult to capture and analyze.


According to the company, Trisis intended to manipulate the memory of safety controllers, which are normally relied upon to regulate the speed at which certain machinery moves. This type of machinery is common in nuclear power plants, gas and oil facilities, and paper mills.

Information on the breach first surfaced in December, but further reporting by CyberScoop found that various investigations had been taking place since Trisis was found in August at a plant partially owned by oil giant Saudi Aramco.

Schneider Electric had remained largely silent about the incident since at least September. Paul Forney, global cybersecurity architect for Schneider Electric’s product security office in North America, told an audience at the conference, known as S4x18, that a firmware update is in the works.

Forney told DarkReading that the company plans to send technicians to partner plants in order to “re-burn and re-flash” the firmware.

“We need to adapt our procedures and development processes to adapt to this new reality, and we are actively doing that now,” Andrew Kling, director of cyber security and software practices for Schneider Electric, told DarkReading.


Various groups continue to study Trisis. Cybersecurity firms FireEye and Dragos Inc., as well as U.S. government agencies, including the Department of Homeland Security and NSA, are still breaking down the malware, CyberScoop previously reported.

Latest Podcasts