Traces of the group were found by researchers in a new critical infrastructure facility. Traces of a hacking group behind destructive Triton malware were found in new facilities after an infamous Middle East attack.
Triton, also known as Trisis, has been specifically designed to target a specific type of ICP system, namely the SIS controller Triconex that is developed by Schneider Electric. Triton is also known as Trisis. The malware is unusual because the code on these systems causes process shutdowns and disturbs urgent systems. There are only a handful of examples of malware specific to industrial systems, such as Stuxnet and Industroyer, which in the past have been targeted by nuclear and energy systems.
Triton was first discovered in 2017, but system operators are believed to have been active since 2014. The malware was used against a Tasnee-owned petrochemical plant in Saudi Arabia. Symantec researchers believe that the attack was designed to damage the industrial site physically.
This attack nearly caused serious damage to the plant, but the activities of Triton inadvertently shut down the plant because of its manipulation of SIS systems which resulted in a failed safe situation. FireEye researchers said this failed attempt on Wednesday did not deter the group uncovered at a new location. The company’s name was not revealed.
FireEye, however, said the victim is a’ critical infrastructure facility’ and that Triton operators have been present for almost a year on the victim’s systems. FireEye’s cyberforensics Mandiant arm was involved in the study of intrusion, but it remained closely aware of what damage-if any-was caused.
The cybersecurity company however published some new details on the infiltration tactics of the Triton Group. After gaining a foothold in the network’s corporate side, Triton focused on accessing the industrial system’s operating side. The actors involved in the threat did not steal data, take screenshots or use any kind of keylogger; instead, they concentrated on moving the system side by side, maintaining persistence and network recognition.
The toolkit for the threat group includes both generic and customized tools which have been switched around to prevent antivirus software and facilitate several phases of the attack–for example, hackers have switched to individual backdoors in the victim’s IT and OT networks before accessing a SIS engineering workstation. The hackers use Mimikatz, a public tool and SecHack, a custom tool for credential collection.
Triton operators have also renamed their files as legitimate files, such as Microsoft Update, and used webshells and SSH tunnels for covert activity and to drop additional tools. “The actor, when accessing the targeted SIS controllers, seemed to be focused exclusively on maintaining access when attempting to deploy Triton successfully,” says FireEye. Triton operators kept their activities off-duty to reduce the risk of discovery.
The hackers also had access to the distributed control system (DCS) of the victim that would have supplied information about plant processes and operations. The group ignored this, however, and focused on the SIS controller alone. Although Triton’s malware itself is supposed to be not deployed in the victim’s system, it would surely have been a serious matter of concern to find traces of the hacking group behind this harmful malware, especially given its past history.
FireEye has previously linking Triton with “high confidence” the Russian Central Scientific Research Institute for Chemistry and Mechanical Research, based in Moscow. “Often, the security community focuses on ICS malware with a singular focus, in large part because of its novel nature and because there are very few examples of it in the wild,” says FireEye.
“We encourage owners of ICS assets to take advantage of the detection regulations and other information contained in this report for the purpose of hunting for related activities, since we think there is a good chance that the Threat Actor has been or is present in other target networks.”