Triton malware group found in second compromised facility

Russia-linked hacking group rumbled when malware caused controllers to initiate an automatic safety shutdown, claimed FireEye

Security researchers claim to have found traces of a highly capable hacker group that reportedly tried to blow up a Saudi petrochemical plant using highly sophisticated malware.

Security firm FireEye claimed to have discovered evidence that the Triton Group, believed to be linked to a Russian government-led technical research organisation, has infected a second, unnamed "critical infrastructure facility".

The group has created malware that compromises a victim's network with the aim of disrupting industrial control systems, which are widely used in power plants and oil refineries.

In a blog post, the company claimed: "The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation."

FireEye added that its incident responders have "uncovered additional intrusion activity from this threat actor", including a new set of custom toolsets.

These custom and commodity intrusion tools are used to "gain and maintain access to the target's IT and OT [operational technology] networks".

FireEye continued: "The actor's custom tools frequently mirrored the functionality of commodity tools, and appear to be developed with a focus on anti-virus evasion.

"The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion."

While FireEye has not detailed much about the second facility, it has produced extensive research about the Triton group and its hacking techniques.

Research from the firm shows that it can take up to a year after gaining control of a network for the group to launch an attack.

During this time, they will have analysed the network and how it works. Their primary objective is to compromise the target's safety instrumented system (SIS), after which they can carry out an attack without being noticed.

"The targeted attack lifecycle of a sophisticated ICS [industrial control system] attack is often measured in years. Attackers require a long time to prepare for such an attack in order to learn about the target's industrial processes and build custom tools," explained the researchers.

"These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack."

Although the Triton Group has developed a range of sophisticated hacking techniques, the August 2017 attack failed because of a bug in the code.

At the time, FireEye wrote: "The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

"The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in a manufacturing process diagnostic failure message."
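The validation check FireEye describes is worth seeing as a concrete mechanism, because it is the reason the tampering was noticed at all. The following is an added, simplified model written for this article, not FireEye's code and not the logic of any real SIS product: it assumes redundant processing units each hold a copy of the application code, cross-checks their digests (and, optionally, a separately approved baseline digest), and moves the controller to a fail-safe state with a diagnostic message when they disagree. The unit names and code images are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ProcessingUnit:
    """One redundant processing unit and the application code it currently holds."""
    name: str
    app_code: bytes


@dataclass
class ValidationResult:
    state: str                                   # "RUNNING" or "FAILED_SAFE"
    diagnostics: list = field(default_factory=list)


def code_digest(code: bytes) -> str:
    """Digest of an application code image (SHA-256 is an assumption of this model)."""
    return hashlib.sha256(code).hexdigest()


def validate_redundant_units(units, approved_digest=None):
    """Cross-check application code across redundant processing units.

    Hypothetical model of the check described in the article: if the code images
    held by redundant units disagree with one another, or with an approved baseline
    when one is supplied, the controller enters a fail-safe state and raises a
    diagnostic message rather than continuing to run the process.
    """
    diagnostics = []
    digests = {u.name: code_digest(u.app_code) for u in units}

    # Check 1: all redundant units must agree with each other.
    if len(set(digests.values())) > 1:
        summary = ", ".join(f"{n}={d[:12]}" for n, d in digests.items())
        diagnostics.append("redundant units hold different application code: " + summary)

    # Check 2 (optional): every unit must match the approved, engineered baseline.
    if approved_digest is not None:
        for name, digest in digests.items():
            if digest != approved_digest:
                diagnostics.append(f"{name}: application code does not match approved baseline")

    state = "FAILED_SAFE" if diagnostics else "RUNNING"
    return ValidationResult(state, diagnostics)


if __name__ == "__main__":
    # Constructed sample: the engineered safety logic, and a second unit whose
    # code image has been altered (standing in for an unauthorised reprogram).
    baseline = b"SAFETY-LOGIC-v1: trip on high pressure"
    altered = b"SAFETY-LOGIC-v1: trip on high pressure" + b"\x90\x90"
    units = [ProcessingUnit("unit-A", baseline), ProcessingUnit("unit-B", altered)]

    result = validate_redundant_units(units, approved_digest=code_digest(baseline))
    print(result.state)
    for line in result.diagnostics:
        print("diagnostic:", line)
```

Two points follow from the model. The cross-unit comparison alone is enough to stop a process when only one unit is changed, which matches the article's account; the baseline comparison is the stronger check, because it also catches the case where every redundant unit has been reprogrammed consistently. Either way, the diagnostic message is the signal an asset owner should treat as an investigation trigger rather than a nuisance fault.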

Israel Barak, CISO at security firm Cybereason, added: "Threat actors moving deliberately and stealthily for months, if not years, have one goal in mind - and that's not getting caught.

"This latest attack isn't likely being carried out by amateurs. In general, risks to critical infrastructure such as industrial control systems can actually be minimised and managed. However, threats against this industry, in particular, will never be completely eradicated."

Cybereason's 2018 ICS honeypot enabled the threat actors to be observed as they plotted their attacks within their target's networks, continued Barak.

"Overall, threats to critical infrastructure are something that security products and practitioners are very good at combating. By paying attention to hygiene and best practices, companies running ICS can greatly reduce their risks, despite the threats they face."
