TRITON - The first SIS malware which shook the global security community

On December 14, 2017, Schneider Electric published a security notification that initiated the public scrutiny of a security incident and ringed alarm bells for many security analysts.

This particular incident could have gone largely unnoticed if the targeted systems had not been significant enough. But in this case, everyone was at the edge of their seats. Schneider had discovered a new malware affecting the Triconex Safety Controllers - Triton.

Though the description of the incident may sound rather dull, its impact could have been quite the opposite. The Triconex systems belong to the class of Safety Instrument System (SIS) controllers which allow critical industrial systems to safely shut down in case of emergencies, to prevent a chain reaction of hazardous events.

These type of systems are used in numerous places across the world in various kinds of manufacturing plants, petroleum refineries, and even nuclear power plants. The SIS controller systems had never been targeted before in any cyberattack.

This attack stands right at the top with the likes of Stuxnet in 2010, in terms of potential global impact. TRITON was analysed by researchers at FireEye, who provided the technical details of the attack, the malware’s capabilities and recommendations to mitigate its impact.

Attack Timeline

Triton’s attack timeline can be seen below, as reported by Accenture Security.

• August 4, 2017: Malware development date, based on last time stamp of
  embedded sub-modules.
• August 4 to 29, 2017: Targeted entities in KSA infected by TRITON malware.
• August 29, 2017: A user from KSA uploaded the first instance of trilog.exe to
  public malware repositories.
• September 12, 2017: A second user from Dhahran, KSA uploaded an instance
  of trilog.exe to public malware repositories.
• October 19, 2017: The third instance of an infection came from Dhahran, KSA.
• October 20, 2017: The fourth instance of an infection came from Dhahran, KSA.
• October 22, 2017: The fifth instance of an infection came from Riyadh, KSA.
• December 14, 2017: Third-party reports made, based on incident response
  efforts.

Modus operandi of the TRITON malware

The Triconex SIS controllers were targeted using a zero-day vulnerability in the engineering workstation, running the Windows operating system. The TRITON malware was designed to appear as the legitimate Triconex Tirlog application, which is a log review tool for the Triconex application suite by Schneider.

The TRITON architecture consisted of a malicious trilog.exe application binary, along with a zip file containing custom communication libraries required to interact with the Triconex controllers.

According to FireEye researchers, the attackers had several options once they were successful in compromising the SIS controllers.

• The attackers could use the compromised SIS to shut down an industrial process by triggering a false positive.
• The SIS logic could also be modified by allowing unsafe conditions for an industrial process, thus, completely breaking down the role of the SIS controllers.
• The attackers could create an even more hazardous situation by reprogramming the Distributed Control System, which allows human operators to remotely monitor and control an industrial process, to artificially create an unsafe situation.

On observing the threat model of this malware, researchers concluded that the attackers intended to cause significant physical harm to industrial systems in the long term. This kind of an objective differentiates from most other cybercrimes which do not aim to cause physical repercussions from an attack.

Who was behind this attack?

According to FireEye, a state-sponsored hacker group may have been responsible for developing and deploying TRITON, given the nature of the threat model and the potential attack impact.

The industrial security firm Dragos, which also analyzed the initial TRITON/TRISIS attacks, dubbed the threat actors as Xenotime and said the group was responsible for other global attacks beyond the Middle East as well.

In October 2018, FireEye published another blog post regarding TRITON attribution. This time, FireEye reported that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution in Moscow, was involved in TRITON’s deployment.

There was some possibility of the attack having been conducted by a few CNIIHM employees without the approval of government authorities. However, the researchers believe that this alternative scenario has very low probability due to the complexity in executing such an attack. This indicates that TRITON was the work of a resourceful organization instead of just a few individuals.

Mitigations

Researchers provided several recommendations for industrial asset owners to defend against such attacks.

• Segregate safety system networks from process control and information system networks wherever possible.
• Use physical control keys in most scenarios, instead of using the PROGRAM mode on Triconex controllers all the time.
• Perform regular key state audits.
• Use unidirectional gateways instead of bidirectional networks for any applications depending on SIS data.
• Implement strict access control and application whitelisting on any endpoints that touch the SIS system.
• Monitor Industrial Control System (ICS) network traffic for any anomalous activity.

A free malware detection tool for TRITON was released during the 2018 Black Hat USA conference in Las Vegas. Schneider Electric also built its own tool during its forensic investigation to help their customers identify any future attacks.

Aftermath

Many security researchers have warned against more ICS attacks in the future. Dragos tracked several groups which targeted ICS networks in different regions, including groups like Iran-linked Chrysene and Russia-linked Allanite. The attackers behind the initial TRITON attacks are also believed to have launched more attacks.