A second attack against a critical infrastructure target has been launched using the Triton/Trisis custom attack framework.

FireEye researchers were able to attribute a second attack to the Russian group it fingered as being behind the initial 2017 attack that hit a petrochemical plant in Saudi Arabia through its industrial control system. Although details such as location and type of facility were not released, FireEye said the attacker’s intention was to cause severe damage; however, the malware’s own activity shut down the plant before this could occur.

“FireEye Mandiant incident responders have uncovered additional intrusion activity from this threat actor – including new custom toolsets – at a second critical infrastructure facility,” the company’s report stated.

In 2017 FireEye argued a nation-state was behind Triton. “We now track this activity set as TEMP.Veles,” wrote FireEye in an Oct. 2018 blog post linking TEMP.Veles “and their activity surrounding the TRITON intrusion to a Russian government-owned research institute.”

FireEye believes those behind this latest attack were inside the facility for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once inside, the attackers spent their time trying to gain access to the operational technology network, as well as doing network recon, moving laterally and maintaining their presence.

“They did not exhibit activities commonly associated with espionage, such as using keyloggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information,” the report said.

The danger here, said Eddie Habibi, CEO of PAS Global, is once the SIS is compromised attackers can leverage it to alter the plant’s operations, pushing it past safe levels to cause harm.

“The real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system. If the attacker intends to cause physical damage, they are likely to access other control systems in parallel and, once the safety system is defeated, use the other control system to push the process beyond its safe operating limits. This can lead to physical damage, environmental incidents and loss of life,” he said.

Once access was gained to the SIS controllers, the intruders sought to maintain that access by limiting their activities, and thus their potential exposure, while deploying Triton. The malicious actors ignored information such as plant operations, and avoided exfiltrating sensitive information or tampering with the DCS controllers.

The cybergang behind the attack also took many extraordinary steps to hide their presence while all of this took place, including:

  • Renaming their files to make them look like legitimate files. For example: KB77846376.exe, which is named after Microsoft update files.
  • Using standard tools that would mimic legitimate administrator activities. This included heavy use of RDP and PsExec/WinRM.
  • Relying on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
  • Using multiple staging folders and opting to use directories that were used infrequently by legitimate users or processes.
  • Renaming their tools’ filenames in the staging folder so that, even after a tool was deleted from disk, residual artifacts (e.g., ShimCache entries or WMI Recently Used Apps) would not reveal the malware’s purpose.
  • Using timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.
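A defender-side triage check for two of the artifact-level tricks listed above (update-style filenames and timestomped $STANDARD_INFORMATION attributes), written as an added example that is not from the FireEye report or this article; the sample records, the servicing directories treated as legitimate, and the sub-second heuristic are assumptions made for the example.

```python
"""Triage MFT-style records for update-style names and timestomping.

Sample data below is constructed, not taken from the FireEye report.
Timestomping rewrites the $STANDARD_INFORMATION ($SI) timestamps but
usually leaves $FILE_NAME ($FN) untouched, so $SI earlier than $FN is a
classic indicator; a file named like a Microsoft update (KB<digits>.exe)
outside the normal servicing directories is another.
"""
from datetime import datetime
import re

KB_NAME = re.compile(r"^kb\d{6,}\.exe$", re.IGNORECASE)
# Directories where KB-named executables legitimately appear (assumption).
EXPECTED_KB_DIRS = ("c:\\windows\\softwaredistribution\\", "c:\\windows\\servicing\\")


def timestomp_indicators(rec):
    """Return findings for one record carrying $SI and $FN creation times."""
    findings = []
    si, fn = rec["si_created"], rec["fn_created"]
    if si < fn:
        findings.append("SI created before FN created (timestomp)")
    # Many timestomping tools write whole-second values; NTFS keeps 100 ns precision.
    if si.microsecond == 0 and fn.microsecond != 0:
        findings.append("SI timestamp has zeroed sub-second field")
    return findings


def name_indicators(rec):
    """Flag update-style names living outside the servicing directories."""
    path = rec["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    if KB_NAME.match(name) and not path.startswith(EXPECTED_KB_DIRS):
        return ["update-style name outside servicing directories"]
    return []


def triage(records):
    """Map path -> findings for every record that trips at least one indicator."""
    out = {}
    for rec in records:
        findings = timestomp_indicators(rec) + name_indicators(rec)
        if findings:
            out[rec["path"]] = findings
    return out


SAMPLE = [  # constructed records: one benign system binary, one suspicious staged tool
    {"path": "C:\\Windows\\System32\\notepad.exe",
     "si_created": datetime(2018, 4, 11, 12, 0, 0, 123456),
     "fn_created": datetime(2018, 4, 11, 12, 0, 0, 123456)},
    {"path": "C:\\ProgramData\\Fonts\\KB77846376.exe",
     "si_created": datetime(2016, 7, 16, 1, 0, 0, 0),
     "fn_created": datetime(2018, 9, 3, 14, 22, 7, 551200)},
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

Real $SI/$FN values come from an MFT parser; the same checks apply to ShimCache or WMI Recently Used Apps entries once their paths are joined to the MFT record.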

Cybersecurity execs did offer up some potential defensive measures for critical infrastructure facilities to follow.

“Where possible, designers should use orthogonal safety controls, such as mechanical pressure relief valves or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them,” said John Sheehy, VP of strategic services at IOActive.

Emily Miller, director of national security and critical infrastructure programs at Mocana, believes operational technology and ICS need to have security baked in from inception in order to be properly secured, much like what is being demanded of IoT manufacturers.

“Let’s get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning. Until we do that, we’ll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one,” she said.

FireEye recommended that those protecting industrial control systems familiarize themselves with the tactics, techniques and procedures (TTP) profile the research firm has published, so analysts can check their systems for signs of Triton.