4/11/2019 12:45 AM
Triton/Trisis Attacks Another Victim

FireEye Mandiant incident responders reveal a new attack by the hacking group that previously targeted a petrochemical plant in Saudi Arabia in 2017.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware tools used in a 2017 attack that shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia. 

FireEye Mandiant, here this week, revealed that it recently discovered the Triton/Trisis attack code installed at the second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye's cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.

FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and the attackers inside the victim's corporate IT network, Brubaker said. "Based on the tool overlap [with Triton/Trisis], we have very high confidence it's the same actor," he said.

Brubaker said that, unlike the attack attempts FireEye and other ICS security firms have previously spotted, this was a full-blown attack. He declined to discuss any details about the victim organization's identity or location, or whether this new victim had also suffered an infection of its safety instrumentation system as the first victim did.

Triton/Trisis specifically targets Schneider Electric's SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.

In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.

Brubaker said the group appears to have been operational since 2014, based on intelligence gathered from an analysis of the custom attack tools used on the victim, and that there may well be more as-yet unidentified victims and attacks.

"For quite a while we've been looking at this possibility" of more victims, FireEye's Brubaker said.

Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in a Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn't the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.

Meanwhile, the Triton/Trisis attackers were able to remain in the plant's network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.

Rob Lee, founder and CEO of ICS security firm Dragos - who earlier this year confirmed the attacker had been inside the first victim's network since 2014 - said FireEye's new report echoes his firm's tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit by the attack group, which it calls XENOTIME, in the early stages of an attack.

Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. "All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment," which jibes with FireEye's findings, said Dragos adversary hunter Joe Slowik.

Meanwhile, Schneider Electric said in a statement that it was "encouraged" that FireEye had not reported finding Triton/Trisis malware in the victim's industrial network.

"First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the 'Triton actor' and some use of the 'Triton framework,'" the company said in a statement. "Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor's tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier."

Tools

The Triton/Trisis attackers employed both custom attack tools and open source and other publicly available attack tools, including Mimikatz and SecHack, to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.

"They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important - like trying to get to an engineering workstation - they would switch to custom tools," Brubaker said. FireEye published a detailed technical report on Triton's attack tools and tactics.
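The two tradecraft points above, credential theft with Mimikatz-style tools and custom binaries that pose as legitimate utilities, both leave traces in ordinary host telemetry. The following Python script is an added example written for this page, not code from Dark Reading, FireEye or Dragos: it scans a handful of constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 1 ProcessCreate) and flags any process that obtains read access to lsass.exe memory, which credential dumping relies on, and any binary whose file name matches a known utility but whose SHA256 hash is not on an allowlist. The allowlist hashes, hostnames, paths and event records are all constructed placeholders, and the `KNOWN_GOOD_SHA256` table is an assumption standing in for a real software inventory.

```python
import ntpath

# Win32 process access right a credential dumper needs in order to read
# LSASS memory (PROCESS_VM_READ). Sysmon reports the granted mask as hex text.
PROCESS_VM_READ = 0x0010

# Constructed allowlist: utility file name -> expected SHA256 hashes.
# A real deployment would populate this from a vetted software inventory.
KNOWN_GOOD_SHA256 = {
    "psexec.exe": {"1" * 64},
    "putty.exe": {"2" * 64},
}

# Constructed Sysmon-style event records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "ENG-WS01",
     "SourceImage": r"C:\Users\ops\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},          # includes PROCESS_VM_READ
    {"EventID": 10, "Computer": "ENG-WS01",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400"},          # no memory read: normal OS activity
    {"EventID": 1, "Computer": "JUMP01",
     "Image": r"C:\Tools\psexec.exe",
     "Hashes": "SHA256=" + "3" * 64 + ",MD5=" + "3" * 32},  # wrong hash
    {"EventID": 1, "Computer": "JUMP01",
     "Image": r"C:\Tools\psexec.exe",
     "Hashes": "SHA256=" + "1" * 64},     # matches the allowlist
    {"EventID": 1, "Computer": "JUMP01",
     "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "4" * 64},     # not a tracked utility: ignored
]


def parse_sha256(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALGO=value,ALGO=value' field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def flag_lsass_access(event):
    """Rule 1: a process was granted memory-read access to lsass.exe."""
    if event.get("EventID") != 10:
        return None
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != "lsass.exe":
        return None
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if mask & PROCESS_VM_READ:
        return {"rule": "lsass_memory_read",
                "host": event.get("Computer"),
                "source": event.get("SourceImage"),
                "granted_access": hex(mask)}
    return None


def flag_masquerade(event):
    """Rule 2: a binary named like a known utility but with an unexpected hash."""
    if event.get("EventID") != 1:
        return None
    name = ntpath.basename(event.get("Image", "")).lower()
    expected = KNOWN_GOOD_SHA256.get(name)
    if not expected:
        return None                     # unknown binaries are out of scope here
    observed = parse_sha256(event.get("Hashes", ""))
    if observed not in expected:
        return {"rule": "tool_masquerade",
                "host": event.get("Computer"),
                "image": event.get("Image"),
                "sha256": observed}
    return None


def triage(events):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for event in events:
        for rule in (flag_lsass_access, flag_masquerade):
            finding = rule(event)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Fed with an export of the Sysmon operational log, the first rule surfaces every process that reads LSASS memory; security products such as EDR agents legitimately do this too, so treat its output as triage candidates and tune a source-image exclusion list rather than alerting on it blindly. The second rule only works as well as the inventory behind `KNOWN_GOOD_SHA256`, which is why code signing checks are the usual complement.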

While a complete picture of the Triton attackers' endgame remains unknown, their manipulation of safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim "got lucky" that no catastrophic physical damage occurred.

"While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system," said Eddie Habibi, CEO of PAS Global. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
