Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/11/2019
12:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Triton/Trisis Attacks Another Victim

FireEye Mandiant incident responders reveal a new attack by the hacking group that previously targeted a petrochemical plant in Saudi Arabia in 2017.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware tools used in a 2017 attack that shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia. 

FireEye Mandiant, here this week, revealed that it recently discovered the Triton/Trisis attack code installed at the second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye's cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.

FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and the attackers inside the victim's corporate IT network, Brubaker said. "Based on the tool overlap [with Triton/Trisis], we have very high confidence it's the same actor," he said.

Brubaker said unlike attack attempts like those that have been spotted by FireEye and other ICS security firms, this was a full-blown attack. He declined to discuss any details about the victim organization's identity or location, nor whether this new victim also had suffered an infection of its safety instrumentation system like the first victim did.

Triton/Trisis specifically targets Schneider Electric's SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.

In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.

Brubaker said the group appears to have been operational since 2014 based on intel gathered from an analysis of the custom attack tools used on the victim and there may well be more as-yet unidentified victims and attacks.

"For quite a while we've been looking at this possibility" of more victims, FireEye's Brubaker said.

Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in a Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn't the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.

Meanwhile, the Triton/Trisis attackers were able to remain in the plant's network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.

Rob Lee, founder and CEO of ICS security firm Dragos - who earlier this year confirmed the attacker had been inside the first victim's network since 2014 - said FireEye's new report echoes his firm's tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit with by the attack group, which it calls XENOTIME, in early stages of the attack.

Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. "All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment," which jibes with FireEye's findings, said Dragos adversary hunter Joe Slowik.

Meanwhile, Schneider Electric said in a statement that it was "encouraged" that FireEye had not reported finding Triton/Trisis malware in the victim's industrial network.

"First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the 'Triton actor' and some use of the 'Triton framework,'" the company said in a statement. "Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor's tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier."

Tools

The Triton/Trisis attackers employed both their custom attack tools as well as open source and other attack tools, including Mimikatz and SecHack to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.

"They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important - like about trying to get to an engineering workstation - they would switch to custom tools," Brubaker said. FireEye published a detailed technical report on Triton's attack tools and tactics.

While a complete picture of the Triton attackers' endgame remains unknown, their manipulation of safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim "got lucky" that no catastrophic physical damage occurred.

"While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system," said Eddie Habibi, CEO of PAS Global. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment."

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19797
PUBLISHED: 2019-12-15
read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.