4/11/2019
12:45 AM

Triton/Trisis Attacks Another Victim

FireEye Mandiant incident responders reveal a new attack by the hacking group that previously targeted a petrochemical plant in Saudi Arabia in 2017.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware tools used in a 2017 attack that shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia. 

FireEye Mandiant, here this week, revealed that it recently discovered the Triton/Trisis attack code installed at the second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye's cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.

FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and found the attackers inside the victim's corporate IT network, Brubaker said. "Based on the tool overlap [with Triton/Trisis], we have very high confidence it's the same actor," he said.

Brubaker said that, unlike the attack attempts FireEye and other ICS security firms have spotted, this was a full-blown attack. He declined to discuss any details about the victim organization's identity or location, or whether this new victim had also suffered an infection of its safety instrumentation system as the first victim did.

Triton/Trisis specifically targets Schneider Electric's SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.

In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.

Brubaker said the group appears to have been operational since 2014, based on intelligence gathered from an analysis of the custom attack tools used on the victim, and there may well be more as-yet unidentified victims and attacks.

"For quite a while we've been looking at this possibility" of more victims, FireEye's Brubaker said.

Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in a Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn't the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.

Meanwhile, the Triton/Trisis attackers were able to remain in the plant's network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.

Rob Lee, founder and CEO of ICS security firm Dragos - who earlier this year confirmed the attacker had been inside the first victim's network since 2014 - said FireEye's new report echoes his firm's tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit by the attack group, which it calls XENOTIME, in early stages of the attack.

Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. "All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment," which jibes with FireEye's findings, said Dragos adversary hunter Joe Slowik.

Meanwhile, Schneider Electric said in a statement that it was "encouraged" that FireEye had not reported finding Triton/Trisis malware in the victim's industrial network.

"First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the 'Triton actor' and some use of the 'Triton framework,'" the company said in a statement. "Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor's tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier."

Tools

The Triton/Trisis attackers employed their own custom attack tools as well as open source and other publicly available attack tools, including Mimikatz and SecHack, to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.

"They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important - like trying to get to an engineering workstation - they would switch to custom tools," Brubaker said. FireEye published a detailed technical report on Triton's attack tools and tactics.

While a complete picture of the Triton attackers' endgame remains unknown, their manipulation of safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim "got lucky" that no catastrophic physical damage occurred.

"While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system," said Eddie Habibi, CEO of PAS Global. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...