Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Triton ICS Malware Developed Using Legitimate Code

The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.

The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.Triconex controller targeted by Triton ICS malware

FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.

The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.

It’s unclear how the attackers obtained the hardware and software they used to test the malware. They may have purchased it or borrowed it from a government-owned utility. The software could have also been stolen from ICS companies or other organizations that use Triconex controllers.

FireEye believes, however, that the malware developers did not build the TriStation communications component from the ground up. The company’s analysis suggests that the hackers copied code from legitimate libraries.

Specifically, researchers discovered significant similarities between the code found in the malware and code in a legitimate TriStation software file named “tr1com40.dll.”

While reverse engineering the legitimate DLL file may have helped them understand how TriStation works, the code in the malware suggests it did not answer all their questions. This may have led to the problems experienced by the threat group during its attack on the critical infrastructure organization.

Triton was discovered after it accidentally caused SIS controllers to initiate a safe shutdown. Experts believe the attackers had been conducting tests, trying to determine how they could cause physical damage.

Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

“Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies,” FireEye said in its report. “If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.”

Industrial cybersecurity firm Dragos reported recently that the threat group behind the Triton attack, which it tracks as Xenotime, is still active, targeting organizations worldwide and safety systems other than Schneider’s Triconex.

Related: Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks

Related: Test, Test & Test Again – Are Your Safety Instrumented Systems Cybersecure?

Related: DHS Warns of Malware Targeting Industrial Safety Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...