Security Experts:

Industry Reactions to New Triton Attacks on Critical Infrastructure

News broke this week that the threat group behind the notorious malware known as Triton, Trisis and HatMan has targeted another critical infrastructure facility.

The existence of Triton came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye, which previously linked Triton to a research institute owned by the Russian government, recently analyzed the threat actor’s tools and techniques after identifying another target.

The hackers appear to specialize in disruptive attacks aimed at industrial environments. Unlike in espionage operations, these campaigns focus on maintaining access, moving laterally, conducting reconnaissance, and avoiding being detected, rather than stealing information from compromised devices.

Industry reactions to Triton attack

Several industry professionals have commented on the Triton attacks and shared thoughts on how organizations can protect their systems against such threats.

FireEye will present its research into Triton, including the Russian government link and ways for organizations to hunt for evidence of this attacker in their systems, at SecurityWeek’s 2019 ICS Cyber Security Conference next week in Singapore.

And the feedback begins…

Joe Slowik, Adversary Hunter, Dragos (Dragos tracks the group as XENOTIME):

“FireEye's reporting echoes Dragos' findings on XENOTIME behavior that the group relies upon a collection of publicly-available tools and utilities, some with varying degrees of modification or customization, in order to breach and move laterally through victim networks. Aside from TRITON/TRISIS itself, the group does not appear to possess or use any other complex, custom malware frameworks for intrusion scenarios.

 

Dragos responded to and analyzed data from multiple sites and several industries spanning North America and Europe featuring XENOTIME activity since mid 2018, and continues to aggressively track this adversary in current operations. Dragos' work and identification of continuing XENOTIME activity is supported by FireEye's claim that they are responding to events at another location at this time. XENOTIME remains active in the oil and gas and other ICS sectors, in addition to having a persistent interest in ICS OEMs and manufacturers.

 

FireEye's reporting captured XENOTIME tactics, techniques, and procedures (TTPs) as used to enable the 2017 TRISIS/TRITON event. Since that time, XENOTIME continues to develop and modify its behaviors and TTPs. While some of the capabilities outlined are still used by the adversary, the group continues to evolve while following the same pattern of using customized versions of publicly-available tools for operations.

 

All available evidence at this time indicates that XENOTIME has not deployed either TRITON/TRISIS or any new ICS-disruptive malware in any environment, a statement that is also implicitly made in FireEye's reporting.”

Andrea Carcano, Co-Founder and Chief Product Officer, Nozomi Networks:

“First and foremost, it's important to keep in mind that based on the information that is currently available, it does not appear that TRITON malware was deployed at this new facility. However, it's not surprising to learn that FireEye has seen evidence of the Triton threat group at a new location.

 

Based on our extensive analysis of the original TRITION attack, we believed then and continue to believe that it was just the first of more TRITON and/or TRITON-like attacks. Our analysis of the malware found that the effort, skills and financial resources needed to create it might not have been as high as originally thought. We also believe the attacker could have just as easily succeeded in injecting the final payload.

  

This realization, and the knowledge that a growing number of hackers have critical infrastructure in their sights reinforces the fact that we as a community must continue to move quickly on all fronts to strengthen the cyber security culture for the entire industry.”

David Atch, VP of Research, CyberX:

“The latest information about TRITON highlights two important insights. First, the attackers were present in the victim's networks for almost a year before gaining access to the SIS engineering workstation, which shows why it's critical to continuously monitor OT networks for suspicious or unauthorized behavior -- so you can spot adversaries before they shut down or blow up your plant.

 

Second, signature-based mechanisms are no longer sufficient to protect OT networks from targeted attacks, because -- similar to what we suspect happened in the LockerGoga attack -- the attackers used admin-like tools similar to PsExec to move laterally through the network, remotely execute tasks, and deploy purpose-built zero-day malware.”

Learn More About Triton Attacks at SecurityWeek’s 2019 Cyber Security Conference in Singapore

Eddie Habibi, CEO, PAS Global:

“While threat Intel and incident response teams from Fireye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS (industrial control system) to achieve their goals: the Safety Instrumented System (SIS). The safety system contains the safe operating limits that are carefully engineered to shut down a plant gracefully upon a loss of control or other emergency situations.

 

A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes. While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment.

 

However, the real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system. If the attacker intends to cause physical damage, they are likely to access other control systems in parallel, and once the safety system is defeated, use the other control system to push the process beyond its safe operating limits. This can lead to physical damage, environmental incidents and loss of life. Facilities that could be affected by Triton/Trisis are encouraged to look beyond the safety systems to other ICS assets for signs of infiltration or unauthorized changes.”

Emily S. Miller, Director of National Security and Critical Infrastructure Programs, Mocana:

“This news about the second intrusion by the actor behind TRISIS provides more evidence that the threat to human lives via cyber means is very real. Let’s be clear: This threat actor has shown at best a reckless disregard towards human life, and at worst a malicious intent to do evil things. The TRISIS malware wasn’t developed to steal data – it was specifically designed to impact the safety systems of critical infrastructure and cause bad things to happen.

 

For asset owners, the absolute number one priority should be to stop these bad things from happening. While traditional defensive measures such as leveraging indicators, network monitoring and threat hunting are necessary to discover the threat, we should also be thinking about cybersecurity much more holistically. Asset owners need to think not only about the operational networks used to reach the devices the threat actors want to impact, but also consider the security of those devices themselves. Let’s get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning. Until we do that, we’ll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one.”

Chris Morales, head of security analytics, Vectra:

“This research from FireEye aligns with what we found in the 2019 spotlight report on energy and utilities. In that report, we found that most cyberattacks in this industry occur inside enterprise IT networks – not in the critical infrastructure. These and other key findings underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal.

 

The research from FireEye maps out the sequence of behaviors that occurs in the attack, which is consistent with attacks in the energy and utility industries. When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration. It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.

 

Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.

 

The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data. This is one of the most crucial risk areas in the cyberattack lifecycle.”

John Sheehy, Vice President Sales, Strategy and Strategic Services, IOActive

“Unfortunately in today's cypher-physical systems, a cybersecurity risk is a safety risk. With the current generation of operational technology (OT) systems, an unmitigated cybersecurity issue is an unmitigated safety issue.

 

Where possible, designers should use orthogonal safety controls, such as mechanical pressure relief values or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them. Today's OT implementations should focus on managing the consequences of a cybersecurity attack through layered protections and mitigations using non-cybersecurity engineering controls. This should be done with a focus on providing operational resiliency to the process and overall operations.

 

As a cybersecurity strategy, defenders should be focusing on two primary strategic objectives: First, raising the cost to the threat actors through a layered, defensive model and non-cybersecurity consequences. Second, lowering the payoff to the threat actor by reducing the consequences and impact to the defenders of any successful attack. The recent attacks on safety instrumented system (SIS) environments demonstrates there's an unmet need to focus on the second.”

Saurabh Sharma, VP of Business Development, Virsec:

“It’s disturbing, but shouldn’t be surprising that the Triton malware is back in the news, and more widespread than originally assumed. These types of attacks are particularly dangerous because they are very targeted at specific types of safety equipment used in industrial controls.

 

These attackers are advanced, methodical and patient, carefully tip-toeing around sensitive networks, looking for vulnerable systems and being careful to avoid conventional detection. In this case, the attacker’s dwell time within these industrial networks was 5 years. It’s more critical

 

than ever that we have security controls that monitor critical systems in real-time, and not depend on porous, easily bypassed perimeter security.”

Timur Kovalev, chief technology officer, Untangle:

“Covert, slow-moving nation state attacks against industrial control systems like Stuxnet and Triton/Trisis will continue to be a problem for critical infrastructure. With a focus on lateral movement and longevity to gain network reconnaissance, these persistent attacks are conducted by patient actors with a keen interest in specific targets, bent on disabling safety systems to halt operation or cause harm. Increased vigilance against multi-vector threats, enhanced detection and analysis, and improved quarantine and response protocols are necessary for identifying and reacting to attacks, but systems must be hardened and made redundant with segmented failover to prevent catastrophic failure.”

Bob Noel, VP of Strategic Partnerships, Plixer:

“It's no surprise that bad actors will take steps to maintain access to compromised systems, and place effort into covering their tracks. Their degree of success depends upon their skill set, and often the cybercriminals focused on critical infrastructure are more sophisticated. In the case of Triton being used against critical infrastructure, the attackers focused on after-hours activity for reconnaissance and lateral movement.

 

Critical infrastructure organizations, which are high-value targets, must be implementing network traffic analysis technologies to provide 7 x 24 proactive monitoring. Applying security analytics to every network conversation allows organizations to use technology to uncover low and slow data theft, credential misuse, and behavioral anomalies. Monitoring network traffic is an important complement to antivirus and other end-user device security technologies. Hackers are getting better at hiding their tracks as it pertains to antivirus, however their activities will always generate network traffic that can be used to identify their presence.”

David Ginsburg, Vice President of Marketing, Cavirin:

“This latest attack speaks to the increasing vulnerability of what most call OT – Operations Technology – be it manufacturing, critical infrastructure, or even avionics. There must be closer integration between IT and OT, with security teams straddling both domains given that many OT attacks will originate within IT. People, processes and technical controls apply to both, as all the air-gapping in the world may be defeated by a single USB drive.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.