TRITON attackers detected at another critical infrastructure facility

The attackers who were first spotted wielding the custom TRITON framework have targeted another critical infrastructure facility, FireEye researchers revealed on Wednesday.

Although, since they seem to have been active since at least 2014, it's quite likely that they have managed to get access to other target environments and may still be present in some of them.

About TRITON

When first detected and analyzed back in 2017, the TRITON (aka TRISIS) attack framework was extremely noteworthy: specifically designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS), it was detected when it led to an automatic shutdown of the industrial process at a petrochemical plant in Saudi Arabia.

Who built and who is using this custom attack framework is currently unknown (although FireEye makes a case for a Russian government-owned research institute being a likely creator). One thing is sure, though: they are no ordinary hackers or criminals after money.

The technical resources necessary to create the attack framework suggest a well-resourced nation state actor. Also, in the initial attack, it was deployed shortly after the attackers gained access to the SIS system, which means that the creators had pre-built and tested the tool, and therefore had access to hardware and software that is not widely available.

“TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol,” FireEye researchers pointed out at the time.

It’s not all about the TRITON framework

FireEye researchers did not say whether TRITON was actually deployed during this latest spotted intrusion or whether it resulted in disruptions of the production processes.

But they are eager to impress on defenders and incident responders the need to focus more attention on IT systems located in either IT or OT networks when trying to identify or stop ICS-focused intrusions.

“Attackers commonly leave a broad footprint in IT systems across most if not all the attack lifecycle,” they noted, adding that it’s ideal to stop an attacker as early in the attack lifecycle as possible.

Also, there are many existing security tools and services that can be leveraged to defend and hunt in these “conduit” systems.

Things to look for

In this latest attack, for example, the threat actors used a mix of commodity and custom tools, switching to the latter when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion.

“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment,” the researchers shared.

The actor did everything in their power to keep their presence unnoticed: they renamed their files to make them look like legitimate files, routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and so on.

And, when they gained access to the target Triconex SIS controllers, they appeared to focus solely on maintaining access while attempting to successfully deploy TRITON.

“The actor gained a foothold on the distributed control system (DCS) but did not leverage that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process,” the researchers pointed out.

On the SIS engineering workstation, they focused on delivering a backdoor payload using the TRITON attack framework, renamed malicious files, and interacted with target controllers during off-hours (to reduce the chance of their actions being spotted by workers).
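One way a defender could hunt for the off-hours controller interaction described above, as an added example that is not taken from FireEye's published detection rules or from this article: it flags flow records to SIS controllers that fall outside shift hours and approved maintenance windows, or that come from a host other than the engineering workstation. The addresses, time zone, shift hours, maintenance window and CSV log layout are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, time, timedelta, timezone

# Everything below is a constructed assumption for illustration.
PLANT_TZ = timezone(timedelta(hours=3))           # plant-local UTC offset
SIS_CONTROLLERS = {"10.20.0.11", "10.20.0.12"}    # safety controller addresses
ENG_WORKSTATIONS = {"10.20.0.50"}                 # only hosts allowed to talk to them
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)  # staffed hours, local time
WORKDAYS = {0, 1, 2, 3, 4}                        # Monday to Friday
MAINTENANCE = [                                   # approved change windows (local)
    (datetime(2019, 3, 10, 0, 0, tzinfo=PLANT_TZ),
     datetime(2019, 3, 10, 4, 0, tzinfo=PLANT_TZ)),
]

# Constructed flow records; timestamps are UTC as most collectors export them.
SAMPLE_FLOWS = """ts_utc,src,dst
2019-03-04T08:15:00Z,10.20.0.50,10.20.0.11
2019-03-04T23:40:00Z,10.20.0.50,10.20.0.11
2019-03-05T09:00:00Z,10.10.5.23,10.20.0.12
2019-03-09T21:30:00Z,10.20.0.50,10.20.0.12
2019-03-05T10:00:00Z,10.20.0.50,10.20.0.99
"""

def hunt(flow_csv):
    """Return (local_time, src, dst, reasons) for suspicious controller access."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst"] not in SIS_CONTROLLERS:
            continue  # only traffic that reaches a safety controller matters here
        utc = datetime.fromisoformat(row["ts_utc"].replace("Z", "+00:00"))
        local = utc.astimezone(PLANT_TZ)  # judge "off-hours" in plant-local time
        reasons = []
        if row["src"] not in ENG_WORKSTATIONS:
            reasons.append("unapproved-source")
        in_shift = (local.weekday() in WORKDAYS
                    and SHIFT_START <= local.time() < SHIFT_END)
        in_maintenance = any(start <= local < end for start, end in MAINTENANCE)
        if not (in_shift or in_maintenance):
            reasons.append("off-hours")
        if reasons:
            findings.append((local.isoformat(), row["src"], row["dst"], reasons))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_FLOWS):
        print(finding)
```

Converting to plant-local time before applying the shift window matters: the second sample record looks like a late-evening event in UTC but is a 02:40 session on site.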

The actor was in this unnamed target’s networks for almost a year before gaining access to the SIS engineering workstation. In all that time, their presence went unnoticed.

It is, therefore, highly likely that there are other targets out there that have yet to discover the TRITON actor’s intrusion, so FireEye has published indicators of compromise, detection rules, as well as tips on identifying evidence of their (and other potential attackers’) activities.