Schneider Electric SE said in a customer advisory released on Thursday that the attack that in December that led to a halt in operations at an undisclosed industrial facility was caused by hackers exploiting a previously unknown vulnerability in its technology.
Schneider said in the notice that the vulnerability was in an older version of the Triconex firmware that allowed hackers to install a remote-access Trojan as “part of a complex malware infection scenario” and advised customers to follow previously recommended security protocols for Triconex.
Reports of the breach surfaced on December 14, when cybersecurity firms disclosed that hackers had breached one of Schneider’s Triconex safety systems and speculated that it was likely an attack by a nation-state.
The target of the attack has not been disclosed till now, however, Dragos, a cybersecurity firm has said it occurred in the Middle East. Others have speculated it was in Saudi Arabia.
The attack is the first of its kind to be reported to happen on this kind of system.
The system itself is used in nuclear facilities, oil and gas plants, mining, water treatment facilities, and other plants to safely shut down industrial processes when hazardous conditions are detected.
Previously, Schneider had said that the attack was not caused by a bug in the Triconex system.
Schneider is reportedly working on tools to identify and remove the malware, expected to be released in February. The Department of Homeland Security is also investigating the attack, according to Schneider.