By Gregory Hale
The attack that led to the deployment of Triton malware was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution located in Moscow, new research from FireEye Intelligence found.
In the Triton event, a Saudi Arabian refinery suffered a shutdown of its facility in August 2017 and the controllers of a targeted Schneider Electric Triconex safety system failed safe.
During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found the Triton malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. The attacker had the ability to manipulate the DCS while reprogramming the SIS controllers.
FireEye experts substantiate the claims through the following research:
1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the Triton intrusion.
2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of Triton, network reconnaissance, and malicious activity in support of the Triton intrusion.
4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of Triton and TEMP.Veles operations.
While FireEye researchers said in a post they cannot rule out the possibility one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer’s approval, further details show this explanation is less plausible than TEMP.Veles operating with the support of the institute.
Whether Russia was behind the attack or not, the question is now raised regarding when a solution ends up installed, do integrators/suppliers have to understand the geopolitical climate surrounding the client to understand what kind of security is in play, or do they just have to ensure the solution is secure and the end user has a solid holistic security plan behind it?
“In the era of the IIoT (Industrial Internet of Things), all geopolitics is local. That means all stakeholders must uphold the highest levels of security practices all the time, regardless of whether they’re installing new or maintaining existing systems and no matter where they are in the world,” said Andy Kling, director of cyber security and architecture at Schneider Electric. “First, responsible OEMs and responsible plant and asset owners will take into account weaknesses within their ICS technology, while also understanding the techniques being used to exploit those weaknesses. This will help them effectively direct limited resources to improve their cyber-posture. It further implies that threat intelligence that covers regional and geo-political aspects of cybersecurity become part of their risk management plan. Second, everyone across the industry needs to collaborate on the development of new approaches that ensure both legacy and new technologies are able to withstand increasingly sophisticated cyberattacks.”
During the FireEye investigation of TEMP.Veles activity, they found multiple unique tools the group deployed in the target environment. Some of these same tools, identified by hash, were evaluated in a malware testing environment by a single user.
This testing environment was used to refine some TEMP.Veles tools, FireEye researchers said.
In addition, FireEye researchers said adversary behavioral artifacts suggest the TEMP.Veles operators are based in Moscow, lending some further support to the scenario CNIIHM, a Russian research organization in Moscow, has been involved in TEMP.Veles activity.
“We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target’s network,” the researchers said. “These file creation times conform to a work schedule typical of an actor operating within a UTC+3 time zone supporting a proximity to Moscow. Additional language artifacts recovered from TEMP.Veles toolsets are also consistent with such a regional nexus.”
FireEye researchers went on to say, “While we know that TEMP.Veles deployed the Triton attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype Triton based on the institute’s self-described mission and other public information. CNIIHM has at least two research divisions that are experienced in critical infrastructure, enterprise safety, and the development of weapons/military equipment.
Step Up Their Game
Knowing the levels of sophistication for attacks keep increasing, manufacturing automation industry end users – whether they are just starting or have an established program – need to ratchet up their sensitivity to the potential for an attack.
“At the end of the day, those responsible for industrial operations, regardless of the region or segment, must adhere to the most current industry cybersecurity standards; regularly review and strengthen their cybersecurity posture, policies, procedures and practices; and work with suppliers to ensure new and evolving threats are addressed holistically, not just by the entities that suffer an attack,” Kling said. “That is why Schneider Electric continues to call for industry-wide collaboration in response to cyberattacks. No single entity can address this global threat alone; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyberattacks and protect the world’s most critical operations and the people and communities we all serve.”