
The infamous Triton operators used customized SecHack attack tool to target Russian research institute

  • After establishing an initial foothold on the network, the Triton actors focused on gaining access to the OT network.
  • Based on the analysis of the custom tool, researchers believed that the group has been operating since as early as 2014.

The powerful Triton malware, used in a failed plot to impact a Saudi petrochemical plant, has now been linked with an attack against a Russia-based institute. The malware has been found targeting an unnamed technical research institute in Moscow, Russia.

How was it performed - Researchers from FireEye revealed that the operators used a custom attack tool alongside a publicly available exploit kit to launch the attack. The tools identified in the attack are SecHack and Mimikatz.

“The actor's custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation),” said the researchers.

What’s next after gaining a foothold - After establishing an initial foothold on the network, the Triton actors focused on gaining access to the Operational Technology (OT) network. For this, they used sophisticated attack tools for network reconnaissance, lateral movement, and maintaining a presence on the network.

Apart from that, the actors used several obfuscation methods to evade detection. These include:

  • Renaming their files to make them look like legitimate files;
  • Planting webshells on the Outlook Exchange servers;
  • Relying on encrypted SSH-based tunnels to transfer tools and for remote command execution;
  • Routinely deleting dropped attack files, execution logs and other files;
  • Using multiple staging folders and directories that are rarely used by legitimate users or processes.
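The evasion behaviours listed above each leave a host-level trace a defender can look for. The following is an added example (not code from FireEye or from this article) that runs three simple detection rules over constructed Sysmon-style events: a renamed binary whose on-disk name differs from its compiled-in OriginalFileName, an ASP.NET file created under an Exchange web-facing directory, and a deletion inside a staging folder. The Sysmon field names and the Exchange OWA path are assumptions; the events themselves are made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style events (not real telemetry from this intrusion).
# EventID 1 = process create, 11 = file create, 23 = file delete.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "mimikatz.exe"},                 # renamed tool
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},                  # benign
    {"EventID": "11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server"
                       r"\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx"},
    {"EventID": "23", "Image": r"C:\Windows\Temp\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\run.log"},       # cleanup
]

# Web-facing Exchange directories where a new ASP.NET file is suspicious.
EXCHANGE_WEB_DIRS = re.compile(r"\\(owa|ecp)\\auth\\", re.IGNORECASE)
WEB_SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
# Writable locations rarely touched by real users; common staging dirs.
STAGING_DIRS = re.compile(r"^C:\\(Windows\\Temp|PerfLogs|ProgramData)\\", re.IGNORECASE)


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a verdict label for one event, or None when nothing matched."""
    eid, image = ev.get("EventID"), ev.get("Image", "")
    target = ev.get("TargetFilename", "")
    if eid == "1":
        # On-disk name differing from the compiled-in OriginalFileName is a
        # strong masquerading signal (allowlist legitimate renamers/updaters).
        orig = ev.get("OriginalFileName", "").lower()
        if orig and orig != image.rsplit("\\", 1)[-1].lower():
            return "masquerading"
    elif eid == "11" and EXCHANGE_WEB_DIRS.search(target) \
            and target.lower().endswith(WEB_SCRIPT_EXT):
        return "webshell_drop"
    elif eid == "23" and STAGING_DIRS.match(target):
        return "staging_cleanup"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through classify() and keep only the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.get("TargetFilename") or ev["Image"]))
    return hits
```

On the constructed events, scan() returns one hit for each of the three behaviours and nothing for the legitimate svchost.exe launch.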

Based on the analysis of the custom tool, researchers believed that the group has been operating since as early as 2014.
