By Alessandro Di Pinto and Younes Dragoni
Triton, also known as Trisis and HatMan, is one of only a few known malware frameworks that resulted in a direct physical impact on critical infrastructure.
In 2017, Triton was used to attack a Saudi Arabian gas facility, directly interacting with, and remotely controlling, its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research on the malware to better understand how its multistage injection techniques work.
We obtained a Triconex SIS controller and successfully communicated with it, including injecting the Triton malware. Using the network traffic generated, we analyzed the proprietary TriStation protocol used to communicate with Triconex Safety Systems.
Along those lines, we released a Wireshark dissector for the TriStation protocol — called the TriStation Protocol Plug-in for Wireshark. The dissector is available on request from Nozomi Networks. These tools are intended to give researchers and ICS organizations access to a clear visual dissection of SIS controller communications, helping them identify compromises and cyber security risks.
Our complete analysis of Triton, along with a live demo of an attack and a second Triton tool will be shown at the upcoming Black Hat USA presentation we are giving jointly with FireEye on August 8 at 11:15 a.m. in Las Vegas, NV.
Triton Reprograms SIS Controller
In December 2017, FireEye reported it had worked with an industrial operator whose facility was attacked by a new type of ICS malware they named Triton. The attack reprogrammed the facility’s SIS, causing it to enter a failed state and resulting in an automatic shutdown of the industrial process.
The shutdown led to the discovery of the malware and is thought to have been the result of a programming problem with the malware’s code. Likely Triton was intended to prevent the SIS from safely shutting down the plant when used with a simultaneous attack on the process itself.
SIS systems are designed to prevent critical process systems from causing safety, health or environmental incidents. They are the last line of automated defense for a plant (mechanical defenses also exist) and are a special kind of PLC with multiple redundant systems.
While no harm occurred in this case, the attack represents a step-up in sophisticated ICS cyberattacks, being the first known one to successfully interact with a SIS.
During research on Triton, we expanded our knowledge about the proprietary TriStation protocol used by the Triconex Safety Systems components. Some insight was extracted from the malware itself. Other knowledge came from the live traffic generated in our lab using a Triconex controller model MP 3008 with an NCM 4329/N/G communications module.
A PCAP of this traffic was shared with FireEye, who worked with BSI (the German Federal Office for Information Security), to develop packet rules for detecting Triton.
We conducted our own analysis of the PCAP and realized a tool capable of explaining the communications would be extremely helpful. Usually engineers analyze network traffic by intercepting it with a program called Wireshark. Wireshark is a very flexible tool that visually explains the meaning of each byte contained in captured traffic. It works well for known, well documented protocols but is ineffective when dealing with a proprietary protocol. To overcome this issue, Wireshark allows users to create their own dissector (protocol parser) to describe how to interpret unknown protocols. Some of the languages use to create dissectors are C++ and Lua.
Because TriStation is a proprietary protocol not understood by Wireshark, initially the contents of the packets looked like raw data.
We developed a Lua dissector that instructs Wireshark on how to parse the data contained inside each packet. With the dissector as a guide, Wireshark describes the meaning of each byte inside TriStation packets, making it easier for analysts to understand TriStation data traveling over a control network.
We would like to emphasize the functionality of the dissector is the result of our malware analysis and reflects the attackers’ reverse engineering of the TriStation protocol.
Dissector Includes Triton Detection
Additionally, based on new findings gained during our Triton research, our TriStation Protocol Plug-in for Wireshark detects the uploading of a malicious program related to Triton. While we are aware that Wireshark is not the most convenient tool for performing intrusion detection, our dissector demonstrates it’s possible to identify ICS malware on the network using passive techniques.
Alessandro Di Pinto and Younes Dragoni are members of Nozomi Networks’ research team.