
Triton industrial malware group still active, researchers warn

Security researchers have found traces of a Russian-linked cyber attack group in another critical infrastructure facility, prompting calls for increased diligence around industrial cyber security

The cyber attack group behind the Triton malware family that targets industrial control systems (ICS) has been detected in another critical infrastructure facility, and may be present in others, researchers warn.

The New York Times linked the Triton malware to an August 2017 attack on a petrochemical plant in Saudi Arabia, which led to initial speculation that Iran was behind the attack.

But researchers at security firm FireEye subsequently linked Triton to Russia, and now report that they have discovered, and are responding to, an intrusion by the Triton group at a different, but unnamed critical infrastructure facility.

In addition to “intrusion activity” by the Triton group, the researchers said they have uncovered evidence of “new custom tool sets” at the compromised facility.

The researchers have published indicators of compromise, TTPs (tactics, techniques and procedures) and detections in a blog post, urging ICS asset owners to use these to improve their defences and hunt for related activity in their networks.

The Triton group uses dozens of custom and commodity intrusion tools to gain and maintain access to the target’s IT (information technology) and OT (operational technology) networks, the researchers said, including tools for credential harvesting, remote command execution, creating backdoors, and generating command and control domains.

Triton’s custom tools frequently mirrored the functionality of commodity tools, they said, and appear to be developed with a focus on antivirus evasion. In some cases Triton used custom and commodity tools for the same function, such as credential harvesting.

The timeline of an ICS attack is typically measured in years, the researchers said, because attackers need time to learn about the target’s industrial processes and to build custom tools.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the safety instrumented system (SIS) engineering workstation. Throughout that period, they appeared to prioritise operational security,” the researchers said.

In this latest intrusion, they said that after establishing an initial foothold on the corporate network, Triton focused most of their effort on gaining access to the OT network for reconnaissance purposes and used multiple techniques to hide their activities, cover their tracks, and deter forensic examination of their tools and activities.

Although Triton gained a foothold on the distributed control system (DCS), they did not use that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process.

“They then gained access to an SIS engineering workstation. From this point forward, they focused most of their effort on delivering and refining a backdoor payload using the Triton attack framework,” the researchers said.

Based on analysis of the actor’s custom intrusion tools, the researchers believe the Triton group has been operating since as early as 2014.

The fact that some of these tools have not been encountered before, despite being several years old, together with the group’s demonstrated interest in operational security, has led the researchers to conclude that there may be other, still undiscovered compromised industrial environments where Triton was active or is still present.

“There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild. While this attention is useful for a variety of reasons, we argue that defenders and incident responders should focus more attention on so-called ‘conduit’ systems when trying to identify or stop ICS-focused intrusions,” the researchers said.
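The researchers’ advice above is to watch the “conduit” systems, the jump hosts and DMZ relays that bridge the corporate network and the OT network, rather than only looking for ICS malware itself, because that is where the year-long approach to the DCS and the SIS engineering workstation described earlier has to pass. The script below is an added illustration of that hunting approach, written for this article; it is not code from FireEye, Computer Weekly or any published Triton detection. The network zones, the approved conduit host, the maintenance window and the flow records are all constructed for the example, and would be replaced with a site’s own segmentation and its firewall or NetFlow export.

```python
"""Hunt for IT-to-OT traffic that bypasses, or abuses, the conduit systems.

Added example for this article; not FireEye's or Computer Weekly's code.
Zones, hosts, the maintenance window and the log records are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed Purdue-style zones (assumption: this is how the site is segmented).
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),        # IT network
    "dmz_conduit": ipaddress.ip_network("10.10.0.0/24"),     # jump hosts / relays
    "ot_dcs": ipaddress.ip_network("192.168.10.0/24"),       # DCS network
    "ot_sis_eng": ipaddress.ip_network("192.168.20.0/28"),   # SIS engineering workstations
}

# Hypothetical: the only hosts that may legitimately bridge IT and OT.
APPROVED_CONDUITS = {"10.10.0.5"}

# Hypothetical maintenance window during which conduit use is expected (UTC hours).
MAINTENANCE_HOURS = range(8, 18)

# Constructed flow log: "<timestamp> <src> <dst> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2019-04-10T09:15:01Z 10.0.4.22 10.10.0.5 3389 tcp
2019-04-10T09:16:40Z 10.10.0.5 192.168.10.15 3389 tcp
2019-04-10T02:03:11Z 10.0.7.9 192.168.20.3 445 tcp
2019-04-10T02:04:30Z 10.10.0.9 192.168.20.3 3389 tcp
2019-04-10T10:00:00Z 192.168.10.15 192.168.10.40 502 tcp
2019-04-10T23:30:00Z 10.10.0.5 192.168.10.15 22 tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "proto": proto,
        })
    return flows


def hunt(flows: list[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, flow) findings for traffic entering an OT zone.

    Rules:
      direct_it_to_ot        corporate host reaches OT without a conduit
      unapproved_conduit     OT reached from a host that is not an approved conduit
      off_hours_conduit      approved conduit used outside the maintenance window
      sis_engineering_access anything at all reaching the SIS engineering zone
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        # Only traffic crossing from outside OT into an OT zone is in scope.
        if not dst_zone.startswith("ot_") or src_zone.startswith("ot_"):
            continue
        if src_zone == "corporate":
            findings.append(("direct_it_to_ot", f))
        elif f["src"] in APPROVED_CONDUITS:
            if f["ts"].hour not in MAINTENANCE_HOURS:
                findings.append(("off_hours_conduit", f))
        else:
            findings.append(("unapproved_conduit", f))
        # Access to the SIS engineering zone is always worth a look.
        if dst_zone == "ot_sis_eng":
            findings.append(("sis_engineering_access", f))
    return findings


def run_hunt(text: str = SAMPLE_FLOWS) -> list[tuple[str, dict]]:
    """Parse a flow log and run every rule over it."""
    return hunt(parse_flows(text))


def summarise(findings: list[tuple[str, dict]]) -> dict[str, int]:
    """Count findings per rule, for a quick triage view."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, f in run_hunt():
        print(f"{rule:24} {f['ts'].isoformat()} {f['src']} -> {f['dst']}:{f['port']}")
    print(summarise(run_hunt()))
```

The rules are deliberately simple: a corporate host talking straight into an OT zone, a DMZ host that is not on the approved list doing the same, an approved conduit used at 23:30, and any connection at all into the SIS engineering segment. None of them needs a malware signature, which is the point of the researchers’ remark; they fire on the path the intrusion has to take rather than on a particular tool.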

Cyber attack evolution

In an advisory updated in November 2018, the UK’s National Cyber Security Centre (NCSC) said Triton represents a further evolution in ICS attack methodology.

“As ICS becomes increasingly connected, threat actors will continue to develop their capabilities to exploit them. Such incidents underline the importance of organisations implementing effective mitigation approaches,” the advisory said.

Although cyber threats against industrial control systems are unlikely to be eliminated, Israel Barak, CISO at security firm Cybereason, said the risks to critical infrastructure using such systems can be minimised and managed.

“Cybereason’s 2018 ICS honeypot enabled us to observe threat actors attacking networks in this industry, and what we learned is invaluable. Overall, threats to critical infrastructure are something that security products and practitioners are very good at combating. By paying attention to hygiene and best practices, companies running ICS can greatly reduce their risk despite the threats they face,” he said.

However, Barak said most countries are still vulnerable to cyber attacks on critical infrastructure because the systems are generally old and poorly patched.

“Power grids are interconnected and thus vulnerable to cascading failures. If an attacker knows which substation to take offline or cause a surge in, they can take down significant portions of the grid without conducting a large number of intrusions.

“Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. Again, diligence, persistence and improved security hygiene can greatly reduce risks,” said Barak.
