Triton/Trisis Attacks Another Victim

Published: 23/11/2024   Category: security




FireEye Mandiant incident responders reveal a new attack by the hacking group that previously targeted a petrochemical plant in Saudi Arabia in 2017.



KASPERSKY SECURITY ANALYST SUMMIT - Singapore - Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware tools used in a 2017 attack that shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia. 
FireEye Mandiant, here this week, revealed that it recently discovered the Triton/Trisis attack code installed at the second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye's cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.
FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and the attackers inside the victim's corporate IT network, Brubaker said. "Based on the tool overlap [with Triton/Trisis], we have very high confidence it's the same actor," he said.
Brubaker said that, unlike the attack attempts that FireEye and other ICS security firms have spotted, this was a full-blown attack. He declined to discuss any details about the victim organization's identity or location, nor whether this new victim also had suffered an infection of its safety instrumentation system like the first victim did.
Triton/Trisis specifically targets Schneider Electric's SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.
In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.
Brubaker said the group appears to have been operational since 2014 based on intel gathered from an analysis of the custom attack tools used on the victim and there may well be more as-yet unidentified victims and attacks.
"For quite a while we've been looking at this possibility of more victims," FireEye's Brubaker said.
Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in a Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn't the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.
Meanwhile, the Triton/Trisis attackers were able to remain in the plant's network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.
Rob Lee, founder and CEO of ICS security firm Dragos - who earlier this year confirmed the attacker had been inside the first victim's network since 2014 - said FireEye's new report echoes his firm's tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit by the attack group, which it calls XENOTIME, in early stages of the attack.
Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment, which jibes with FireEye's findings, said Dragos adversary hunter Joe Slowik.
Meanwhile, Schneider Electric said in a statement that it was encouraged that FireEye had not reported finding Triton/Trisis malware in the victim's industrial network.
"First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the Triton actor and some use of the Triton framework," the company said in a statement. "Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor's tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier."
Tools
The Triton/Trisis attackers employed both their custom attack tools as well as open source and other attack tools, including Mimikatz and SecHack to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.
"They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important - like trying to get to an engineering workstation - they would switch to custom tools," Brubaker said. FireEye published a detailed technical report on Triton's attack tools and tactics.
While a complete picture of the Triton attackers' endgame remains unknown, their manipulation of safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim got lucky that no catastrophic physical damage occurred.
"While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system," said Eddie Habibi, CEO of PAS Global. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment."
Related Content:
Industrial Safety Systems in the Bullseye
TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage
First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage
Lessons From The Ukraine Electric Grid Hack