Researchers at the firm FireEye warn that TRITON, a type of malware that targets industrial control safety systems, has resurfaced at a facility in the Middle East.
The TRITON/TRISIS malware–which surfaced a year and a half ago and shut down an oil refinery in Saudi Arabia–has claimed its second known victim, hitting another critical-infrastructure facility in the Middle East, according to cybersecurity firm FireEye.
Researchers revealed in a blog post Wednesday that they’ve uncovered TRITON intrusion activity–including never-before-seen custom tool sets–on an industrial control system at an undisclosed facility. They did not reveal the damage the malware caused, however.
Further, FireEye uncovered evidence to track the origin of the malware to a Russian government-owned technical research institute in Moscow, researchers said. They managed to do this by examining how the attackers may have gained access to critical components needed to build the TRITON attack framework. Previously, Russia was believed to be responsible for the malware, but it wasn’t conclusively known.
TRITON is a family of malicious software discovered in December 2017 designed specifically to target critical infrastructure systems, in particular Triconex Safety Instrumented System (SIS) controllers manufactured by the firm Schneider Electric. Researchers at both FireEye and Dragos Security have been tracking the malware, with the former calling it TRITON and the latter calling it TRISIS.
Another TRITON attack comes as no surprise, as security researchers expected as much. Last year the security firm Dragos reported that the group behind the malware–which the security firm tracks as XENOTIME–not only remains active, but also is widening its scope of potential attacks. At the time Dragos researchers said they had “moderate confidence” that the XENOTIME group was seeking access to systems and capabilities to carry out a future disruptive—or even destructive—attack.
It appears that they–or another group also using TRITON as an attack mode–have done just that, in a stealthy, carefully planned attack, which network administrators are still working to remedy, according to FireEye. Researchers gathered the information in their recent report on the attack from multiple TRITON-related incident responses carried out by FireEye Mandiant.
A persistent attack
In the most recent TRITON attack, the bad actors gained a foothold on the corporate network and then set about trying to access the operational technology (OT) network using a number of custom tools, researchers said.
Researchers believe the group behind the attack has been operating since as early as 2014, even though FireEye had “never before encountered any of the actor’s custom tools,” many of which date back several years before the initial attack compromise, researchers said. This means there could be other existing compromises that have yet to be detected.
“They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information,” according to FireEye. “Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”
Attackers used multiple techniques to hide their activities and presence on the network as well as deter any examination of their tools and activities. They renamed files to make them look legitimate and used standard network administration tools to mimic valid administrator activities. Dropped attack tools, execution logs, files staged for exfiltration and other files were deleted after they were finished with them, making forensic examination harder.
Persistence paid off. After nearly a year prowling the network in this way, attackers eventually made their way to the organization’s operational network. Once they gained access to an SIS engineering workstation, they focused their efforts on delivering and refining a backdoor payload using the TRITON attack framework while continuing to surreptitiously keep their activity on the down low, researchers said.
“They attempted to reduce the chance of being observed during higher-risk activities by interacting with target controllers during off-hour times,” according to FireEye. “This would ensure fewer workers were on site to react to potential alarms caused by controller manipulation.”
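One way to hunt for the off-hours interaction with SIS engineering workstations that FireEye describes, as an added example that is not taken from FireEye's report. The hostnames, log layout, UTC offset, staffed hours and approved maintenance window are all assumptions constructed for illustration.

```python
import csv
from datetime import datetime, time, timedelta, timezone
from io import StringIO

# Everything below is an assumption for illustration, not data from the report.
SITE_TZ = timezone(timedelta(hours=3))             # assumed plant-local UTC offset
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)   # assumed staffed hours
WORK_DAYS = {0, 1, 2, 3, 4}                        # assumed Mon-Fri staffing
SIS_WORKSTATIONS = {"sis-ews-01"}                  # hypothetical SIS engineering host
APPROVED_WINDOWS = [                               # hypothetical change window (local)
    (datetime(2019, 4, 13, 22, 0, tzinfo=SITE_TZ),
     datetime(2019, 4, 14, 2, 0, tzinfo=SITE_TZ)),
]

# Constructed remote-logon records; timestamps are UTC as a log collector stores them.
SAMPLE_LOG = """\
timestamp_utc,src_host,dst_host,user,event
2019-04-10T07:15:00Z,eng-laptop-07,sis-ews-01,jsmith,rdp_logon
2019-04-10T23:40:00Z,corp-jump-02,sis-ews-01,svc_backup,rdp_logon
2019-04-13T20:30:00Z,eng-laptop-07,sis-ews-01,jsmith,rdp_logon
2019-04-13T09:00:00Z,corp-jump-02,sis-ews-01,svc_backup,rdp_logon
2019-04-10T23:45:00Z,corp-jump-02,hist-01,svc_backup,rdp_logon
"""

def is_off_hours(local_dt):
    """True when the plant-local time falls outside staffed days or hours."""
    in_shift = SHIFT_START <= local_dt.time() < SHIFT_END
    return local_dt.weekday() not in WORK_DAYS or not in_shift

def off_hours_sis_sessions(log_text):
    """Return (local time, source host, user) for unapproved off-hours SIS logons."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["dst_host"] not in SIS_WORKSTATIONS:
            continue
        utc = datetime.strptime(row["timestamp_utc"], "%Y-%m-%dT%H:%M:%SZ")
        # Convert to plant-local time first: a UTC "late evening" event can be
        # the small hours of the next local day.
        local = utc.replace(tzinfo=timezone.utc).astimezone(SITE_TZ)
        approved = any(start <= local < end for start, end in APPROVED_WINDOWS)
        if is_off_hours(local) and not approved:
            findings.append((local.isoformat(), row["src_host"], row["user"]))
    return findings

if __name__ == "__main__":
    for finding in off_hours_sis_sessions(SAMPLE_LOG):
        print(*finding)
```

Evaluating staffing in plant-local time rather than collector UTC, and suppressing only sessions inside a recorded change window, keeps planned maintenance from drowning out the sessions worth reviewing.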
TRITON mystery remains
Though FireEye researchers did well to uncover this latest TRITON attack, even they admit that there are still many unanswered questions about this particular malware and how it operates.
“The TRITON intrusion is shrouded in mystery,” researchers said. “There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes.”
With so much unknown, it’s not easy for critical-infrastructure providers to defend against a potential attack, researchers said. At this point, FireEye is “strongly” encouraging industrial control system (ICS) asset owners to leverage the indicators, TTPs and detections included in its report on the latest incident “to improve their defenses and hunt for related activity in their networks,” researchers said.
The team also recommended using tools to stop attackers on Windows, Linux and other traditional IT systems before they reach the OT network, pointing out a number of key advantages to this approach that increase as IT and OT systems continue to converge.
“Attackers commonly leave a broad footprint in IT systems across most if not all the attack lifecycle,” according to FireEye. “It is ideal to stop an attacker as early in the attack lifecycle as possible. Once an attacker reaches the targeted ICS, the potential of a negative outcome and its severity for the target increase dramatically.”