The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.
Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.
FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.
The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.
It’s unclear how the attackers obtained the hardware and software they used to test the malware. They may have purchased it or borrowed it from a government-owned utility. The software could have also been stolen from ICS companies or other organizations that use Triconex controllers.
FireEye believes, however, that the malware developers did not build the TriStation communications component from the ground up. The company’s analysis suggests that the hackers copied code from legitimate libraries.
Specifically, researchers discovered significant similarities between the code found in the malware and code in a legitimate TriStation software file named “tr1com40.dll.”
While reverse engineering the legitimate DLL file may have helped them understand how TriStation works, the code in the malware suggests it did not answer all their questions. This may have led to the problems experienced by the threat group during its attack on the critical infrastructure organization.
Triton was discovered after it accidentally caused SIS controllers to initiate a safe shutdown. Experts believe the attackers had been conducting tests, trying to determine how they could cause physical damage.
“Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies,” FireEye said in its report. “If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.”
Industrial cybersecurity firm Dragos reported recently that the threat group behind the Triton attack, which it tracks as Xenotime, is still active, targeting organizations worldwide and safety systems other than Schneider’s Triconex.