New Triton malware detected in attacks against a Critical Infrastructure operator

Pierluigi Paganini December 14, 2017

Triton malware – A new strain of malware specifically designed to target industrial control systems (ICS) system has been spotted by researchers at FireEye

A new strain of malware dubbed Triton specifically designed to target industrial control systems (ICS) has been spotted by researchers at FireEye.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization, experts speculate the involvement of a state-sponsored actor for sabotage purpose due to the lack of financial motivation and the level of sophistication of the attacks.

FireEye has not linked the Triton attack to any known APT group, the experts believe the activity they detected was part of the reconnaissance phase of a campaign, and it’s consistent with many attacks and reconnaissance activities carried out globally previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

Once gained access to the SIS system, the threat actor deployed the TRITON malware, a circumstance that indicates that attackers had a knowledge of such systems. According to FireEye the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers., it is able to read and write programs and functions to and from the controller.

“TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite.” continues FireEye.

“The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.”

Triton Malware Triconex

The hackers deployed the Triton malware on a Windows-based engineering workstation, the malicious code added its own programs to the execution table. In case of a failure, the malware attempts to return the controller to a running state, it also overwrites the malicious program with junk data if the attempt fails, likely to delete any track of the attack.

The attack against a SIS controller is very dangerous, once it has been compromised, the attacker can reprogram the device to trigger a safe state with a dramatic impact on the operations of the targeted environment. Attackers could also reprogram the SIS controller to avoid triggering actions when parameters assume dangerous values.

“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.” continues FireEye.

“If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.”

Back to the attack detected by FireEye, hackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but experts believe they may have inadvertently triggered it during a reconnaissance phase.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, it suggests to avoid leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

FireEye report included the Indicators of Compromise (IoCs) for the threat.

Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

Despite a large number of infections reported for ICS systems across the years, at the time experts only detected four pieces of ICS tailored malware; StuxnetHavexBlackEnergy2, and IRONGATE, and Industroyer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Triton Malware, ICS)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment