In December 2017, researchers disclosed newly discovered malware that had been deployed against a petrochemical plant in Saudi Arabia. The malware was notable because it was built specifically to manipulate the safety systems of critical infrastructure. Called TRITON (also TRISIS), it was the first malware known to deliberately target the systems whose job is to prevent life-threatening accidents and serious physical damage.
On April 10, 2019, security researchers at FireEye published a blog post stating that they had uncovered an additional intrusion by the group behind the TRITON attack. The target was again a critical infrastructure facility.
The new intrusion
Like the 2017 intrusion, the new one targeted the facility's operational technology (OT), the systems responsible for monitoring and managing physical processes and devices. The report says the group was present in the target's networks for almost a year before it gained access to a safety instrumented system (SIS) engineering workstation, and that it did not engage in traditional espionage or data exfiltration. Instead, the attackers focused on network reconnaissance, lateral movement, and maintaining their presence in the environment. Once they reached the SIS engineering workstation, they concentrated on deploying TRITON.
Custom and off-the-shelf tools were used strategically to help the attackers avoid security software and cover their tracks. They also used several techniques to evade detection: mimicking legitimate administrator activity, renaming files so they looked legitimate, and other tactics.
FireEye’s report includes detailed information about the group's TTPs and custom tooling. They also included a statement encouraging others to pursue TRITON-related activity: “We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.”
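One concrete way to act on that hunting advice, given that the actor renamed tooling to look legitimate, is to look for files whose contents do not match their extension on SIS engineering workstations and jump hosts. The script below is an added example, not code or a detection rule from the FireEye report: it walks a directory, flags any file that carries a Windows PE header (an `MZ` DOS stub whose `e_lfanew` field points at a `PE\0\0` signature) but does not have an executable extension, and records a SHA-256 for triage. The sample directory tree it scans is constructed inline with a fake PE header, so it runs offline and touches no real malware.

```python
"""Hunt for executables renamed to non-executable extensions (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions under which a PE file is expected; anything else with a PE header is suspicious.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl", ".pyd", ".drv"}


def make_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: 'MZ' DOS header, e_lfanew=0x40, 'PE\\0\\0' signature.

    This is not a runnable binary, only enough header to exercise the detector.
    """
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40-byte IMAGE_DOS_HEADER
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset of PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


def looks_like_pe(data: bytes) -> bool:
    """True if the leading bytes form a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    # If e_lfanew points past what we read, the slice is empty and the check fails safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_renamed_executables(root) -> list:
    """Return one record per file that has a PE header but a non-executable extension."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # header plus room for a normal e_lfanew
        if looks_like_pe(head) and path.suffix.lower() not in EXECUTABLE_EXTS:
            hits.append({
                "name": path.name,
                "path": str(path),
                "ext": path.suffix.lower(),
                "sha256": sha256_of(path),
            })
    return hits


def build_sample_tree(root) -> None:
    """Write a constructed sample tree: one renamed PE among benign and legitimately named files."""
    root = Path(root)
    (root / "updates").mkdir(parents=True, exist_ok=True)
    (root / "updates" / "update.txt").write_bytes(make_fake_pe())   # PE hiding as a text file
    (root / "notes.txt").write_bytes(b"shift handover notes\n")      # genuine text
    (root / "tool.exe").write_bytes(make_fake_pe())                  # PE with expected extension
    (root / "manual.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")   # non-PE binary
    (root / "driver.dll").write_bytes(make_fake_pe())                # PE with expected extension


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_renamed_executables(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['sha256'][:16]}  {hit['ext'] or '(none)':8} {hit['path']}")
```

On a real host, point `find_renamed_executables` at user profile, temp, and vendor software directories and compare the resulting hashes against your own allow-list; a PE header under a `.txt`, `.log` or extensionless name is rarely legitimate on an engineering workstation.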
Looking back at the TRITON malware
TRITON was engineered to target one type of industrial control system (ICS): Schneider Electric's Triconex SIS controllers. In the 2017 incident, the attackers deployed TRITON on a Windows-based engineering workstation in an attempt to reprogram the SIS controllers; the attempt caused the controllers to enter a failed-safe state, which halted the plant's process. Had the reprogramming succeeded, the attackers could have manipulated the safe states of all the equipment and processes the SIS protects, an extremely dangerous scenario.
The discovery was also significant because safety systems of this kind are used in many critical infrastructure sites across different industries. They prevent unsafe conditions from developing; for example, if the pressure in a vessel exceeds a safe threshold, the SIS automatically closes the relevant valves or shuts the process down to prevent damage and injury. They are an important line of defense in transportation systems, chemical plants, manufacturing facilities, and many other sites.
Securing ICS systems
Industrial control systems like SIS are now commonplace, found everywhere from the cooling systems of office buildings to sprawling manufacturing plants. Organizations also depend on them more and more to increase productivity and manage important operational processes efficiently. That makes them significant targets: a successful attack on these systems could seriously disrupt a facility's operations or damage it outright. An actor could force shutdowns, destroy equipment, steal intellectual property, or create substantial health and safety risks.
Attacks against ICS usually start with reconnaissance, followed by tactics to gain a foothold in the target network. The attacker then exploits whatever vulnerabilities and ICS-specific configurations are available to deploy malware, after which they can stop operations, change functions, or manipulate existing controls. Many types of ICS vulnerabilities can be exploited; a detailed list can be found here.
Preventing ICS attacks requires layered security tailored to the environment. An organization should cover the basics for its own OT environment, conducting proper asset surveys, updates, and maintenance, and should put established best practices in place. Security measures also have to be built into daily operations rather than treated as a one-time project.
Other best practices for organizations:
Apply network segmentation using the Purdue Model for Control Hierarchy.
Assess ICS systems to thoroughly identify the different kinds and levels of risk, and then install the corresponding safeguards.
Evaluate external partnerships and shared resources, making sure to involve the IT team in the initial planning and development stages of designing collaborative network environments.
Implement safeguards against insider threats with both technical and non-technical steps.
Get network and device security solutions specifically for ICS and SCADA.
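The first item, segmentation along the Purdue model, is easiest to keep honest if the firewall rule set is checked against the model mechanically. The script below is an added example (not code from the page or from any vendor): zones are assigned Purdue levels (the IT/OT DMZ sits at 3.5), and each allow rule is audited for the three mistakes that undo segmentation, namely enterprise traffic that bypasses the DMZ, flows that skip a level (for example from site operations straight to controllers), and unrestricted ports across a boundary. It also treats the SIS network as a safety zone that may only be reached from the engineering workstation zone. The zone names, rule set and port numbers are constructed for illustration and are assumptions, not a reference architecture.

```python
"""Audit firewall allow rules against a Purdue-model segmentation policy (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: float          # Purdue level; 3.5 is the IT/OT DMZ
    safety: bool = False  # SIS network: only designated zones may reach it


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: str            # destination port, or "any"


# Constructed zone model (assumed names, not from the page).
ZONES = {z.name: z for z in [
    Zone("enterprise", 4),
    Zone("dmz", 3.5),
    Zone("site_ops", 3),
    Zone("supervisory", 2),
    Zone("eng_workstations", 2),
    Zone("control", 1),
    Zone("sis", 1, safety=True),
]}

# Only the engineering workstation zone may initiate connections into the SIS network.
SAFETY_INGRESS_ALLOWED = {"eng_workstations"}

# Constructed rule set with deliberate violations; ports are illustrative.
SAMPLE_RULES = [
    Rule("enterprise", "dmz", "443"),          # 0: clean, terminates in the DMZ
    Rule("dmz", "site_ops", "1433"),           # 1: clean, DMZ to site operations
    Rule("enterprise", "site_ops", "445"),     # 2: bypasses the DMZ
    Rule("site_ops", "control", "502"),        # 3: skips level 2
    Rule("supervisory", "control", "any"),     # 4: adjacent levels but unrestricted ports
    Rule("eng_workstations", "sis", "1502"),   # 5: clean, designated safety ingress
    Rule("site_ops", "sis", "1502"),           # 6: skips a level and enters the safety zone
]


def audit(rules, zones=ZONES, safety_ingress=SAFETY_INGRESS_ALLOWED) -> list:
    """Return (rule_index, finding) pairs for every rule that violates the policy."""
    findings = []
    for i, r in enumerate(rules):
        s, d = zones[r.src], zones[r.dst]
        if s.name == d.name:
            continue  # intra-zone traffic is out of scope here
        hi, lo = max(s.level, d.level), min(s.level, d.level)
        if hi >= 4 and lo <= 3:
            findings.append((i, "bypasses IT/OT DMZ: enterprise traffic must terminate in the DMZ"))
        elif hi - lo > 1:
            findings.append((i, f"skips a Purdue level (L{hi:g} -> L{lo:g})"))
        if r.dport == "any":
            findings.append((i, "unrestricted ports across a zone boundary"))
        if d.safety and s.name not in safety_ingress:
            findings.append((i, f"ingress to safety zone from {s.name}"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        r = SAMPLE_RULES[idx]
        print(f"rule {idx} {r.src} -> {r.dst}:{r.dport}: {msg}")
```

In practice the rule list would be exported from the firewall and the zone map maintained alongside the asset inventory; the useful property is that any new rule that crosses from level 4 to level 3 or below without landing in the DMZ, or that reaches the SIS network from anywhere but the engineering zone, is flagged before it is deployed rather than discovered during an incident.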