By Gregory Hale
An additional intrusion by the attacker behind Triton has been discovered at a second critical infrastructure facility, said researchers at FireEye.
Researchers are describing an intrusion at a critical infrastructure facility by the Triton attackers, but the report does not say it was a specific “Triton” attack. No one knows yet whether this was an attack solely against a safety system, a distributed control system, or some other system.
“The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security,” said FireEye Researchers Steve Miller, Nathan Brubaker, Daniel Kapellmann Zafra, and Dan Caban in a report. “After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”
News of the initial Triton/Trisis malware first became public in December 2017, when FireEye and Dragos separately released analyses of the Triton/Trisis malware, in which malicious actors used a custom attack framework to manipulate a Triconex safety system at a critical infrastructure facility and inadvertently caused a process shutdown.
Safety System Catches Malware
At the time, the malware had the capability of taking over the safety system and the distributed control system at a refinery in Saudi Arabia. Because of mistakes made by the attacker, the safety system detected the problem and shut down the facility in August 2017.
FireEye then examined how the attackers gained access to critical components needed to build the Triton attack framework. The research firm later attributed the Triton attack to a Russian government-owned technical research institute in Moscow.
In the latest incident, FireEye has come out and said there was a second attack, but revealed few other details: What was the second facility? What did they find? Was it a similar scenario? What kind of attack took place?
FireEye Mandiant incident responders reported they have uncovered additional intrusion activity from this threat actor – including new custom tool sets – at a second critical infrastructure facility.
Threat is Real
“This news about the second intrusion by the actor behind TRISIS provides more evidence that the threat to human lives via cyber means is very real,” said Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “While traditional defensive measures such as leveraging indicators, network monitoring and threat hunting are necessary to discover the threat, we should also be thinking about cybersecurity much more holistically. Asset owners need to think not only about the operational networks used to reach the devices the threat actors want to impact, but also consider the security of those devices themselves. Let’s get to the root cause of the impact here: We need to harden and embed security into these ICS devices from the beginning.”
“The real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system,” said Eddie Habibi, chief executive at PAS Global. “If the attacker intends to cause physical damage, they are likely to access other control systems in parallel, and once the safety system is defeated, use the other control system to push the process beyond its safe operating limits. This can lead to physical damage, environmental incidents and loss of life. Facilities that could be affected by Triton/Trisis are encouraged to look beyond the safety systems to other ICS assets for signs of infiltration or unauthorized changes.”
John Sheehy, vice president of sales, strategy and strategic services at IOActive, said safety and security go hand-in-hand.
“With the current generation of operational technology (OT) systems, an unmitigated cybersecurity issue is an unmitigated safety issue,” Sheehy said. “Where possible, designers should use orthogonal safety controls, such as mechanical pressure relief valves or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them. Today’s OT implementations should focus on managing the consequences of a cybersecurity attack through layered protections and mitigations using non-cybersecurity engineering controls. This should be done with a focus on providing operational resiliency to the process and overall operations. As a cybersecurity strategy, defenders should be focusing on two primary strategic objectives: First, raising the cost to the threat actors through a layered, defensive model and non-cybersecurity consequences. Second, lowering the payoff to the threat actor by reducing the consequences and impact to the defenders of any successful attack. The recent attacks on safety instrumented system (SIS) environments demonstrate there’s an unmet need to focus on the second.”