KASPERSKY SECURITY ANALYST SUMMIT - Singapore - Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware tools used in a 2017 attack that shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia.
FireEye Mandiant, here this week, revealed that it recently discovered the Triton/Trisis attack code installed at the second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye's cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.
FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and the attackers inside the victim's corporate IT network, Brubaker said. "Based on the tool overlap [with Triton/Trisis], we have very high confidence it's the same actor," he said.
Brubaker said unlike attack attempts like those that have been spotted by FireEye and other ICS security firms, this was a full-blown attack. He declined to discuss any details about the victim organization's identity or location, nor whether this new victim also had suffered an infection of its safety instrumentation system like the first victim did.
Triton/Trisis specifically targets Schneider Electric's SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.
In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.
Brubaker said the group appears to have been operational since 2014 based on intel gathered from an analysis of the custom attack tools used on the victim and there may well be more as-yet unidentified victims and attacks.
"For quite a while we've been looking at this possibility" of more victims, FireEye's Brubaker said.
Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in a Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn't the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.
Meanwhile, the Triton/Trisis attackers were able to remain in the plant's network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.
Rob Lee, founder and CEO of ICS security firm Dragos - who earlier this year confirmed the attacker had been inside the first victim's network since 2014 - said FireEye's new report echoes his firm's tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit with by the attack group, which it calls XENOTIME, in early stages of the attack.
Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. "All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment," which jibes with FireEye's findings, said Dragos adversary hunter Joe Slowik.
Meanwhile, Schneider Electric said in a statement that it was "encouraged" that FireEye had not reported finding Triton/Trisis malware in the victim's industrial network.
"First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the 'Triton actor' and some use of the 'Triton framework,'" the company said in a statement. "Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor's tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier."
The Triton/Trisis attackers employed both their custom attack tools as well as open source and other attack tools, including Mimikatz and SecHack to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.
"They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important - like about trying to get to an engineering workstation - they would switch to custom tools," Brubaker said. FireEye published a detailed technical report on Triton's attack tools and tactics.
While a complete picture of the Triton attackers' endgame remains unknown, their manipulation of safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim "got lucky" that no catastrophic physical damage occurred.
"While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system," said Eddie Habibi, CEO of PAS Global. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment."
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.