Hackers target critical infrastructure facility using Triton framework
11 April 2019
A little over a year after hackers used the Triton malware framework to target Schneider Electric SE’s Triconex industrial safety technology, they have used the malware framework to target yet another unnamed critical infrastructure facility, FireEye has revealed.
In December 2017, security researchers at FireEye uncovered how cyber criminals used a specialised malware family named Triton to target a critical infrastructure technology that provided emergency shutdown capability for industrial processes.
First, by attacking a safety instrumented system (SIS) engineering workstation and causing a diagnostic failure, the hackers aimed to cause serious physical damage. Second, the attackers deployed Triton only after gaining access to the SIS, indicating that they had built and tested the tool in advance.
Since an SIS monitors the status of industrial processes and returns a process to a safe state once it reaches a hazardous condition, compromising an organisation’s SIS undermines the safety of its operations as a whole and can create a crisis situation.
“Triton is a serious threat to critical infrastructure systems on par with the likes of Stuxnet and Industroyer because it specifically targets industrial control systems with the capability to cause physical damage or shutdown operations,” said Edgard Capdevielle, CEO of Nozomi Networks and a FireEye partner.
“The safety systems targeted are key components for critical infrastructures as they are used to monitor industrial environments to ensure the safety of workers, environmental factors and other aspects of operations,” he added.
Triton framework leveraged to target critical infrastructure
On Wednesday, FireEye announced that cyber criminals had used the Triton malware framework yet again to target an unnamed critical infrastructure facility. The attackers, who are known to belong to the Russian-owned Central Scientific Research Institute of Chemistry and Mechanics, leveraged dozens of custom and commodity intrusion tools to gain and maintain access to the facility’s IT and OT networks.
Before carrying out the attack, the attackers first gained a foothold on the facility’s corporate network and then used several attack tools focussed on network reconnaissance, lateral movement, and maintaining presence in the target environment. These custom tools mirrored the functionality of commodity tools and evaded detection by antivirus solutions.
After gaining a foothold into the corporate environment, the attackers renamed their files to make them look like legitimate files, used standard tools that would mimic legitimate administrator activities, relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution, and used multiple staging folders and directories that were used infrequently by legitimate users or processes.
The attackers also routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files once they were finished with them, renamed their tools in the staging folder so that the malware’s purpose could not be inferred from the filename, and used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.
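Timestomping of the kind described above rewrites only the $STANDARD_INFORMATION attribute, so a common triage step is to compare it with the $FILE_NAME attribute of the same MFT record. The following is an added example of that comparison, not code from the article or from FireEye; the records are constructed dicts standing in for parsed MFT entries, and the field names are assumptions.

```python
"""Heuristic NTFS timestomping triage: compare each MFT record's
$STANDARD_INFORMATION ($SI) creation time, which user-mode tools can rewrite,
with its $FILE_NAME ($FN) creation time, which only the NTFS driver updates.
Added example, not code from the article or FireEye; records are constructed
dicts standing in for parsed MFT entries (e.g. an MFT parser's CSV output).
"""
from datetime import datetime

# Constructed sample records. NTFS stores 100 ns ticks; microsecond precision
# is enough for the sub-second check below.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",      # untouched system file
     "si_created": datetime(2018, 4, 11, 23, 46, 1, 654321),
     "fn_created": datetime(2018, 4, 11, 23, 46, 1, 654321)},
    {"path": r"C:\Windows\Temp\cache\svchost.exe",    # staged tool, $SI back-dated
     "si_created": datetime(2015, 7, 10, 11, 0, 0, 0),
     "fn_created": datetime(2019, 2, 3, 2, 17, 44, 812345)},
    {"path": r"C:\Users\eng\Documents\report.docx",   # ordinary user file
     "si_created": datetime(2019, 1, 8, 9, 5, 12, 230000),
     "fn_created": datetime(2019, 1, 8, 9, 5, 12, 230000)},
]


def timestomp_indicators(record):
    """Return the reasons a record looks timestomped (empty list if none).

    Triage heuristics, not proof: installers and copy utilities that preserve
    source timestamps can legitimately produce the same patterns.
    """
    si, fn = record["si_created"], record["fn_created"]
    reasons = []
    # $FN is written when the name is created; a $SI creation time earlier
    # than that normally means $SI was rewritten after the file appeared.
    if si < fn:
        reasons.append("$SI created predates $FN created")
    # SetFileTime-based tools often write whole-second values, so a $SI time
    # with no sub-second part next to a $FN time that has one stands out.
    if si.microsecond == 0 and fn.microsecond != 0:
        reasons.append("$SI created has zero sub-second precision")
    return reasons


def find_timestomped(records):
    """Map path -> indicator list for every record with at least one indicator."""
    return {r["path"]: timestomp_indicators(r)
            for r in records if timestomp_indicators(r)}
```

A rename or move after stomping copies the $SI values into $FN, so a clean comparison does not clear a file; correlate with $UsnJrnl or $LogFile entries where they are available.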
Once the attackers gained access to an SIS engineering workstation, they focussed on delivering a backdoor payload using the Triton framework and tried to reduce the chance of being observed by interacting with the target controllers during off-hours.
Critical infrastructure firms must improve their security hygiene
“Threat actors moving deliberately and stealthily for months if not years have one goal in mind and that’s not getting caught. This latest attack isn’t likely being carried out by amateurs. In general, risks to critical infrastructure such as industrial control systems can actually be minimized and managed. However, threats against this industry, in particular, will never be completely eradicated,” says Israel Barak, CISO at Cybereason.
“Most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures. If an attacker knows which substation to take offline or cause a surge in, they can take down significant portions of the grid without conducting a large number of intrusions.
“Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. Again, diligence, persistence and improved security hygiene can greatly reduce risks,” he adds.
“As a cybersecurity strategy, defenders should be focusing on two primary strategic objectives. First, raising the cost to the threat actors through a layered defensive model and non-cybersecurity consequences. Second, lowering the payoff to the threat actor by reducing the consequences and impact to the defenders of any successful attack. The recent attacks on SIS environments demonstrate there’s an unmet need to focus on the second,” says John Sheehy, VP of Strategy at IOActive.