Report: Hacker group behind TRISIS malware expanding activity in Middle East

The nation-backed hacker group behind the TRITON/TRISIS malware attack is increasing its nefarious activity, putting critical infrastructure systems in danger of future cyber attacks, according to Dragos Security.

The group, which the security firm tracks as XENOTIME, not only remains active, but also appears to be widening its scope of potential attacks, Dragos said in a blog posted Thursday. Dragos researchers said they had “moderate confidence” that the XENOTIME group was seeking access to systems and capabilities to carry out a future disruptive—or even destructive—attack.

TRISIS is a family of malicious software discovered in December 2017 that was designed specifically to target critical infrastructure systems, in particular Triconex Safety Instrument System (SIS) controllers manufactured by the firm Schneider Electric. Researchers at FireEye also tracked the malware, calling it TRITON.


At least one target in the Middle East was affected by TRISIS. The intrusion first manifested as an attacker gaining remote access to an SIS engineering workstation. The TRITON malware, which can communicate using TriStation, a proprietary and publicly undocumented protocol used by the SIS controllers, was then deployed and used to reprogram the SIS controllers. During the incident, some SIS controllers “entered a failed safe state.” That shut down the industrial process and got the attention of the asset owner, who launched an investigation. The shutdown was triggered by a security feature on the SIS controllers: it detected that application code on the redundant processing units failed a validation check and initiated a safe shutdown of the SIS.

[Image: Iran centrifuge] Iran is believed to be behind expanded cyber activity in the Middle East and has an interest in disruptive attacks, Dragos Security said in a new report.

Critical infrastructure at risk

TRISIS is one of only a handful of malware frameworks purpose-built to target industrial control system (ICS) platforms, according to Dragos. The first and most infamous of these types of malware is the Stuxnet worm, which was used to cripple Iranian uranium enrichment activities at the country’s Natanz facility in 2009 and 2010.


TRISIS was troubling because it showed growing sophistication in these types of attacks, which could portend what future threats loom for critical infrastructure, according to Dragos. “Because the TRISIS malware framework was highly tailored, it would have required specific knowledge of the Triconex’s infrastructure and processes within a specific plant,” according to the blog post. “This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes.”

The malware also showed that XENOTIME had malicious intent to cause “significant damage and loss of human life,” something that hadn’t been seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine, according to the blog post.

So far XENOTIME’s primary targets have been in the Middle East (XENOTIME is believed to be based in Iran, though no one has publicly confirmed this), but Dragos expects future attacks will have more of a global and technological impact. “Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex,” according to the post.

Refining its skills

The group also is expected to be a lot less clumsy in future attacks than it was with TRISIS, according to Dragos. During that attack, an apparent misconfiguration prevented the attack from executing properly, the firm said.

“As XENOTIME matures, it is less likely that the group will make this mistake in the future,” according to Dragos. The group also is expected to aim higher with future attacks that go beyond compromising safety systems, which have “little value outside of disrupting operations.”

“XENOTIME is easily the most dangerous threat activity publicly known,” Dragos warned. “It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.”

Indeed, attacks on critical infrastructure systems are among the most feared because of the impact they can have, both financially and physically. Not only can systems be compromised or irrevocably damaged; people also can be harmed if systems such as gas pipelines or electrical facilities explode or catch fire because of equipment malfunctions caused by such an attack. Such attacks could also cause oil spills or the release of harmful chemicals or toxins into the air.

If XENOTIME indeed is based in Iran, Dragos’ assessment also demonstrates the increased threat from that nation, which is widely known to be boosting its state-sponsored cyberthreat profile next to well-known bad actors like China and Russia.

Iran already has successfully executed several known major cyber attacks against the United States, with two notable ones occurring in 2012 and 2014. And with President Trump’s exit of the Iran nuclear deal, more attacks against critical infrastructure in the United States are expected in retaliation, according to a recent report by Recorded Future.

The warning by Dragos is just the latest concerning industrial control system threats. Also this week, researchers at Cisco said that newly discovered malicious software dubbed “VPNFilter,” which affects broadband routers in small and home office networks, is a variant of the BlackEnergy industrial control system malware. Features discovered in the malware allow attackers to steal website credentials and monitor Modbus SCADA protocols, which are specific to industrial environments, Cisco said. The VPNFilter malware could also be used for large-scale and coordinated attacks on critical infrastructure. A recent spike in VPNFilter infections in Ukraine prompted Cisco to come forward with its findings early, fearing an attack there.
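Both the TRISIS incident (engineering-protocol traffic reaching SIS controllers from a compromised workstation) and the VPNFilter finding (a router-based implant watching Modbus) come down to the same defensive question: which hosts are allowed to speak engineering protocols to which controllers? The following is an added example, not code from the article, Dragos, Cisco or Schneider Electric. It is a small allowlist monitor over constructed flow records. It assumes TriStation is observed on UDP port 1502 (an assumption, not stated on the page), parses the Modbus/TCP MBAP header to recover the function code, treats Modbus function codes 5, 6, 15 and 16 as writes, and uses hypothetical addresses for the SIS controllers, PLC, engineering workstation and HMI.

```python
"""Allowlist monitor for ICS engineering-protocol traffic (added example)."""
from dataclasses import dataclass
from typing import List, Optional

TRISTATION_UDP_PORT = 1502          # assumption: UDP port TriStation is observed on
MODBUS_TCP_PORT = 502               # standard Modbus/TCP port
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}  # write coil, write register, write multiple coils/registers

# Constructed asset inventory; every address below is hypothetical.
SIS_CONTROLLERS = {"10.10.2.10", "10.10.2.11"}
PLCS = {"10.10.3.20"}
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}
HMI_HOSTS = {"10.10.1.7"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    dport: int
    payload: bytes = b""  # leading application bytes, if captured


def parse_modbus_function(payload: bytes) -> Optional[int]:
    """Return the function code from an MBAP-framed Modbus/TCP request, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1); the function code is the first PDU byte, at offset 7.
    """
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or len(payload) != 6 + length:
        return None
    return payload[7]


def evaluate(flow: Flow) -> Optional[str]:
    """Return an alert string for an unexpected engineering-protocol flow, else None."""
    if flow.proto == "udp" and flow.dport == TRISTATION_UDP_PORT and flow.dst in SIS_CONTROLLERS:
        # Only engineering workstations are expected to program an SIS controller.
        if flow.src not in ENGINEERING_WORKSTATIONS:
            return f"TriStation traffic to SIS controller {flow.dst} from non-engineering host {flow.src}"
        return None
    if flow.proto == "tcp" and flow.dport == MODBUS_TCP_PORT and flow.dst in PLCS:
        fc = parse_modbus_function(flow.payload)
        # Reads are routine; writes from outside the HMI/engineering set are not.
        if fc in MODBUS_WRITE_FUNCTIONS and flow.src not in (HMI_HOSTS | ENGINEERING_WORKSTATIONS):
            return f"Modbus write (function {fc}) to PLC {flow.dst} from unexpected host {flow.src}"
        return None
    return None


def scan(flows: List[Flow]) -> List[str]:
    """Evaluate every flow and collect the alerts in order."""
    return [alert for alert in (evaluate(f) for f in flows) if alert]


# Constructed sample traffic. Payloads are hand-built MBAP frames:
#   write single register (fc 6) at address 10 with value 1
#   read holding registers (fc 3) starting at 0, count 10
WRITE_REG = b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x0a\x00\x01"
READ_REGS = b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"

SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", "udp", 1502),             # EWS -> SIS: expected
    Flow("10.10.1.9", "10.10.2.10", "udp", 1502),             # unknown host -> SIS: alert
    Flow("10.10.1.7", "10.10.3.20", "tcp", 502, READ_REGS),   # HMI read: expected
    Flow("10.10.1.7", "10.10.3.20", "tcp", 502, WRITE_REG),   # HMI write: expected
    Flow("192.168.50.4", "10.10.3.20", "tcp", 502, WRITE_REG),  # unknown host write: alert
    Flow("192.168.50.4", "10.10.3.20", "tcp", 502, READ_REGS),  # unknown host read: not flagged here
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The rule set deliberately keys on the source address, the destination asset class and (for Modbus) the function code rather than on a malware signature: TRISIS was tailored to one plant, so the reusable detection is the unexpected engineering session itself, not the payload. In practice the allowlists would come from the site's asset inventory and the flows from a passive tap or span port on the SIS/PLC network segment.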
