As Christmas approaches, you are likely to receive gifts from Santa, but in the cybersecurity realm, expect to get malware instead. On Thursday 14, FireEye’s Mandiant threat research team revealed that malware called Triton had been planted on the Industrial Control Systems (ICS) of a company situated in the Middle East.
Triton, also known as Trisis, was built to carry out a high-impact attack aimed at causing physical damage. The researchers later revealed that Triton targets Triconex Safety Instrumented System controllers sold by Schneider Electric.
This discovery led Schneider Electric to promptly caution its customers about the malware. “Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the company said in a statement.
What makes Triton worse is that it works like the malware used in Stuxnet and Industroyer. According to researchers at Dragos, Triton works by replacing the logic in the final elements. “It is not currently known what exactly the safety implications of Trisis would be. Logic changes on the final control element imply that there could be a risk to safety, as set points could be changed for when the safety system would or would not take control of the process in an unsafe condition,” Dragos stated in a report detailing the malware.
“It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016,” FireEye researchers said in their blog post outlining their research. “Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.” FireEye further added that Triton disguises itself as a legitimate Triconex application used to review system logs. The researchers also describe how the attackers delivered Triton, packaged alongside a zip file: “The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers.”
How Triton works
Triton’s attack strategies include shutting down Safety Instrumented System (SIS) controllers that are in a safe state. This disrupts the plant’s operations and causes downtime for its services. Another strategy involves the attackers reprogramming the SIS controller so that it does not shut down the process when the environment is unsafe. This, in turn, exposes people to human-safety risks and can damage equipment. The attackers could also carry out both strategies at the same time: manipulate the distributed control system to create unsafe conditions and then reprogram the SIS to allow the unsafe state, resulting in possible human harm or equipment failure.
“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that a nation-state sponsors the actor,” researchers said. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations; this is an attack objective not typically seen from cyber-crime groups,” they further added.
Dragos also described Triton as having a “game-changing” impact on industrial control systems, especially safety systems. “Targeting SIS equipment represents a dangerous evolution among ICS network attacks. Potential impacts include system downtime, potential loss of life and equipment damage. With these implications, it’s necessary to ensure refinement in how the industry responds and communicates concerning this attack,” Dragos researchers said.
What should be done
Schneider offers a variety of detection and mitigation measures in its advisory, ranging from ensuring that Triconex systems are deployed on isolated networks to scanning any CDs, USB drives or laptops for malware before they are connected to the network.
Summary of Malware Capabilities
The TRITON attack tool was engineered with a variety of options and features that enable it to read and write programs and individual functions and to query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g., the attackers did not use all of TRITON’s in-depth reconnaissance capabilities).
The malware also contained capabilities that enabled it to communicate with Triconex SIS controllers (e.g., send specific commands such as halt, or read their memory contents) and to remotely reprogram them with an attacker-defined payload. The TRITON sample analyzed by Mandiant added an attacker-provided program to the execution table of the Triconex controller. This sample left the legitimate programs in place, so the controller continued to operate without faulting. If the controller entered a failed state, TRITON would attempt to restore it to a running state. If the controller did not recover within a given period, the sample would cover its tracks by overwriting the malware with invalid data.
The research team gave the following recommendations for asset owners who wish to defend against Triton’s capabilities:
- Leverage hardware options that offer physical control over the ability to program safety controllers. These typically take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in PROGRAM mode except during scheduled programming events.
- Where technically possible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
- Use a unidirectional (simplex) gateway rather than bidirectional (duplex) network connections for any applications that rely on information provided by the SIS.
- Implement change management procedures for changes to the key switch position. Audit the current key state.
- Monitor ICS network traffic for abnormal activity and unexpected communication flows.
- Implement strict access management and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
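The last three recommendations (key-state change management, monitoring for unexpected flows to the SIS, and restricting which endpoints may reach it) can be turned into simple audit logic. The following is an added example, not code from the page or from FireEye, Dragos or Schneider; the addresses, the approved programming window and the log record formats are all constructed for illustration.

```python
from datetime import datetime

ALLOWED_EWS = {"10.10.1.5"}                      # constructed: workstations allowed to reach SIS
SIS_CONTROLLERS = {"10.10.2.20", "10.10.2.21"}   # constructed: safety controller addresses
# constructed: approved programming windows; a key may be in PROGRAM only inside one
PROGRAM_WINDOWS = [(datetime(2017, 12, 1, 8, 0), datetime(2017, 12, 1, 12, 0))]

def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")

def flow_alerts(flow_lines):
    """Flag any host other than an allowed engineering workstation talking to a SIS controller."""
    alerts = []
    for line in flow_lines:
        date, time, src, dst, proto = line.split()
        if dst in SIS_CONTROLLERS and src not in ALLOWED_EWS:
            alerts.append(f"{date} {time} unexpected {src} -> {dst} ({proto})")
    return alerts

def in_window(ts):
    return any(start <= ts <= end for start, end in PROGRAM_WINDOWS)

def key_alerts(key_lines):
    """Flag PROGRAM-mode key events outside approved windows and report the current key
    state of each controller, so keys left in PROGRAM are visible to the auditor."""
    alerts, current = [], {}
    for line in key_lines:
        date, time, controller, state = line.split()
        current[controller] = state
        if state == "PROGRAM" and not in_window(parse_ts(date, time)):
            alerts.append(f"{date} {time} {controller} in PROGRAM outside change window")
    left_in_program = sorted(c for c, s in current.items() if s == "PROGRAM")
    return alerts, left_in_program

# constructed sample records: "date time src dst proto" and "date time controller key_state"
FLOWS = [
    "2017-12-01 09:10 10.10.1.5 10.10.2.20 tcp",   # approved workstation: expected
    "2017-12-01 13:05 10.10.3.9 10.10.2.20 tcp",   # DCS host reaching the SIS: unexpected
    "2017-12-01 13:06 10.10.3.9 10.10.3.1 tcp",    # DCS-to-DCS traffic, not SIS
]
KEYS = [
    "2017-12-01 09:00 10.10.2.20 PROGRAM",   # inside the approved window
    "2017-12-01 11:30 10.10.2.20 RUN",
    "2017-12-01 14:30 10.10.2.21 PROGRAM",   # outside the window, never returned to RUN
]

if __name__ == "__main__":
    print(flow_alerts(FLOWS))
    print(key_alerts(KEYS))
```

In a real deployment the flow records would come from a network monitor on the safety network and the key events from controller diagnostics or a physical sign-out log, which is why both are kept as plain text lines here.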