Triton industrial malware group still active, researchers warn

The cyber attack group behind the Triton malware family that targets industrial control systems (ICS) has been detected in another critical infrastructure facility, and may be present in others, researchers warn.

The Triton malware was linked to an attack on a petrochemical plant in Saudi Arabia in August 2017 by The New York Times, leading to initial speculation that Iran might be behind the attack.

But researchers at security firm FireEye subsequently linked Triton to Russia, and now report that they have discovered, and are responding to, an intrusion by the Triton group at a different, but unnamed critical infrastructure facility.

In addition to “intrusion activity” by the Triton group, the researchers said they have uncovered evidence of “new custom tool sets” at the compromised facility.

The researchers have published indicators of compromise, TTPs [tools, techniques and procedure] and detections in a blog post, urging industrial control system (ICS) asset owners to use these to improve their defences and hunt for related activity in their networks.

The Triton group uses dozens of custom and commodity intrusion tools to gain and maintain access to the target’s IT (information technology) and OT (operational technology) networks, the researchers said, including tools for credential harvesting, remote command execution, creating backdoors, and generating command and control domains.

Triton’s custom tools frequently mirrored the functionality of commodity tools, they said, and appear to be developed with a focus on antivirus evasion. In some cases Triton used custom and commodity tools for the same function, such as credential harvesting.

ICS attacks are typically measured in years, the researchers said, because attackers need time to learn about the target’s industrial processes and build custom tools.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the safety instrumented system (SIS) engineering workstation. Throughout that period, they appeared to prioritise operational security,” the researchers said.

In this latest intrusion, they said that after establishing an initial foothold on the corporate network, Triton focused most of their effort on gaining access to the OT network for reconnaissance purposes and used multiple techniques to hide their activities, cover their tracks, and deter forensic examination of their tools and activities.

Although Triton gained a foothold on the distributed control system (DCS), they did not use that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process.

“They then gained access to an SIS engineering workstation. From this point forward, they focused most of their effort on delivering and refining a backdoor payload using the Triton attack framework,” the researchers said.

Based on analysis of the actor’s custom intrusion tools, the researchers believe the Triton group has been operating since as early as 2014.

The fact that some of these tools have not been encountered before, despite being several years old, and the fact the group has demonstrated a strong interest in operational security, has led the researchers to conclude that there may be other, still undiscovered compromised industrial environments where Triton was active or is still present.

“There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild. While this attention is useful for a variety of reasons, we argue that defenders and incident responders should focus more attention on so-called ‘conduit’ systems when trying to identify or stop ICS-focused intrusions, the researchers said.