Group behind TRITON industrial sabotage malware made more victims

Security researchers have uncovered additional attacks attributed to the group behind the TRITON malware framework, one of the few threats found to date that was specifically designed to sabotage industrial equipment. TRITON was first uncovered in 2017 after hitting the systems of a petrochemical plant in Saudi Arabia with the possible goal of causing an explosion. That attack failed because an error made by the attackers triggered an emergency shutdown of critical systems.

The TRITON malware is capable of reprogramming Triconex safety instrumented system (SIS) controllers made by Schneider Electric. These controllers are part of the last line of defense for avoiding critical failures and possible disasters in industrial facilities. They are designed to automatically shut down equipment and processes if they exceed safe operating parameters.

The vast majority of attacks observed so far against companies operating critical infrastructure have targeted IT assets, not industrial control systems (ICS), and their goal has primarily been cyberespionage. The few publicly documented cases of destructive ICS malware attacks include the Stuxnet worm that destroyed uranium enrichment centrifuges at Iran's Natanz nuclear plant, the BlackEnergy attack that caused power blackouts in Ukraine, and the failed TRITON attack.

TRITON gains access to operational systems through IT networks

To reach ICS systems, attackers need to first break into an organization's IT infrastructure and gain persistence just like any other advanced persistent threat (APT) actor. On Tuesday, FireEye released a new report that documents the techniques and tools used by the TRITON group in the early stages of its attacks. The report contains indicators of compromise, file hashes and other information collected by FireEye from incident responses related to TRITON activity, including from an intrusion detected at second critical infrastructure facility that hasn't been named.

"After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT [Operational Technology] network," the FireEye researchers said in their report. "They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."

The group used both public and custom backdoors, web shells and credential harvesting tools, with the goal of avoiding antivirus detection and remaining undiscovered. In fact, according to FireEye, the attackers were present in their victim's network for almost a year before gaining access to the SIS engineering workstation that allowed them to deploy the TRITON malware and reprogram controllers.

The programmable logic controllers (PLCs) that are used to control and monitor industrial processes are normally programmed from dedicated engineering workstations using specialized software provided by their manufacturer. In the case of Triconex safety controllers the software is called TriStation and it uses an undocumented proprietary protocol that the attackers reverse-engineered to create the TRITON malware.

ICS attack persistence can last years

"The targeted attack lifecycle of a sophisticated ICS attack is often measured in years," the FireEye researchers said. "Attackers require a long time to prepare for such an attack in order to learn about the target’s industrial processes and build custom tools. These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack (e.g., installing malware like TRITON and waiting for the right time to use it). During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware. This attack was no exception."

Some of the techniques employed by the TRITON group during intrusions include renaming files to mimic Windows update packages, using standard tools like RDP and PsExec to hide among typical administrative activities, planting web shells on Outlook Exchange servers by placing them inside legitimate files, using encrypted SSH-based tunnels, deleting tools and logs after using them to avoid leaving traces behind, modifying file timestamps and operating outside normal working hours to avoid being noticed.

The group has been active since at least 2014, when some of its tools have been created, but has managed to avoid detection for several years. This speaks to its sophistication and attention to operational security. The researchers believe that in addition to the two confirmed victims found so far there might be other organizations or ICS environments where the group has been or still is active.

Since all sophisticated ICS attacks observed to date began with a compromise of traditional Windows, Linux and other IT systems, organizations that own and operate industrial control equipment should improve their attack detection capabilities on systems that can serve as conduits to reach those critical assets.

"In an attempt to raise community awareness surrounding this actor’s capabilities and activities between 2014 and 2017—an effort compounded in importance by our discovery of the threat actor in a second critical infrastructure facility—we have shared a sampling of what we know about the group's TTPs and custom tooling," the researchers said. "We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks."