Triton (also called TRISIS) is an attack on Industrial Safeguarding Systems (SIS) and has caused operational disruption to the critical infrastructure in Saudi Arabia. Triton was designed to be not only destructive, but be destructive in a way that would kill people. The Triton malware uses a Zero-day-attack to make changes to one of the best safeguarding systems available globally, a SIS of Triconex of Schneider Electric and was successfully launched in Jun 2017.

How the Triton-malware works:

To reach IACS systems, attackers need to first break into an organization’s IT infrastructure and gain persistence just like any other advanced persistent threat (APT) actor. Last year in 2019, FireEye released a new report that documents the techniques and tools used by the Triton group in the early stages of its attacks. The report contains indicators of compromise, file hashes and other information collected by FireEye from incident responses related to Triton activity, including from an intrusion detected at second critical infrastructure facility that hasn’t been named.

“After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT (Operational Technology) network,” the FireEye researchers said in their report. “They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”

Some of the techniques employed by the Triton group during intrusions include renaming files to mimic Windows update packages, using standard tools like RDP (Remote Desktop Protocol) and PsExec (a portable tool from Microsoft that lets you run processes remotely using user’s credentials) to hide among typical administrative activities, planting web shells on Outlook Exchange servers by placing them inside legitimate files, using encrypted SSH-based tunnels, deleting tools and logs after using them to avoid leaving traces behind, modifying file timestamps and operating outside normal working hours to avoid being noticed.

The malware was able to access the Engineering Workstation (EWS) of the SIS using Remote Desktop Protocol (RDP) and software was injected. The Triconex SIS Safeguarding modules will only accept new software when the key switch, a switch between the EWS and the Safeguarding modules, is in the ‘program’ position. Attackers then must either wait for someone at the victim’s site to switch the mode to ‘program’. Faster is to hack around the key-switch, which they did. It is the first time that this type of keyswitch has been hacked and that malware was able to bypass this switch.

The Triconex Key Switch that was bypassed by the malware

In order to overcome this special security protection barrier (the key-switch), the attackers prepared a second stage code using a Zero-day-attack. This code, running inside the SIS device, was designed to write itself on to the firmware of the SIS Modules if Triconex and hook on to the communications main loop, thereby overcoming the switch position problem.

Because of a mistake in the malware the Triconex modules ended up in a failed safe state and a major accident was avoided by a controlled Plant Shutdown. Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure. In case the system need to work and doesn’t function correctly a process unsafe situation could occur that would result in damage to the installation, such as pipelines, vessels, pumps, coolers, compressors, etc. and could result in explosions, spills, emissions and undesired shutdowns.

Triton is seen as the first direct attack on SIS, the integrity heart and last line of defence of production facilities equipped with safeguarding systems (SIS) .

Who is behind this attack?

The attacker (most probably a Russian organisation, called Xenotime) was identified by FireEye as a Russian state-sponsored hackers via a Russian government owned lab. If this is really the case, it is a very concerning situation. Thanks to the mistake that was made by the attackers in the malware the facilities shutdown on a diagnostic failure message and a dramatic situation was avoided.

Xenotime, Hacking Group behind Triton, also found probing Industrial Control Systems (ICS) of Power Grids in the US in June 2019.

Why, the intent of the hacker?

Saudi Arabia is the largest producer in the world and disruption of oil and gas production could have a positive impact on the oil prices. Also missed production could damage reputation when production targets are not met. When oil and gas producing plants are heavily damaged, it is almost certain that production targets and not met and when people are killed it looks very bad for the End-User, since it looks like that the End-User has not done enough to prevent this dangerous situation.

Compromising both the DCS and SIS systems would enable the attacker to develop and carry out an attack that causes the maximum amount of damage. On several occasions, FireEye has observed evidence of long term intrusions into IACS which were not ultimately used to disrupt or disable operations. For instance, Russian operators, such as Sandworm Team, have compromised Western IACS over a multi-year period without causing a disruption.

However this attack was designed to cause maximum damage, inclusive loss of lives. This attack is considered to be political and may be to cause an uplift in the oil price. The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Chinese, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.

The impact of Triton and conclusions:

  • Triton is the world’s most murderous malware, and it’s spreading (Ref: MIT Techn. Review)
  • Impact on Process Safety, total loss of Technical Integrity and resulted in a plant shutdown
  • The consequences could have been catastrophic
  • March 2019: Triton ICS Malware hits a second victim (undisclosed company in the Middle East), most likely to create a backdoor.

Back to ‘Attacks on Industry

This image has an empty alt attribute; its file name is TAPS-Logo-3D-1.jpg