Trisis Malware Discovered at Additional Industrial Facility
When cybersecurity researchers at Dragos and FireEye disclosed the so-called Triton malware targeting industrial safety systems, it was something of a revelation. Triton was the first publicly known malware built to attack an industrial safety instrumented system (SIS), the layer whose job is to bring a process to a safe state in an emergency, and by tampering with that last line of defense it was capable of causing physical destruction. Thankfully, the attack was not effective in causing disaster.
The attack, also known as “Trisis,” was shrouded in mystery until recently. Early reports of the attack were vague. A nation-state actor was likely behind the attack, which struck somewhere in the Middle East. But Triton also served as something of a wake-up call because of its potential to cause massive destruction in the form of an emergency at an oil and gas plant.
“I was in the Middle East about a week or so before Triton hit,” recalled Jason Haward-Grau, CISO for PAS Global. In a conversation, Haward-Grau asked a security director at the oil company there how he felt about the level of cybersecurity at the company. “Well, he told me he didn’t need to worry about anything. I thought: ‘Wow, you’re the only person I’ve met in cybersecurity who doesn’t worry. I don’t stop worrying. I can’t sleep,’” Haward-Grau continued. The Middle East–based cybersecurity professional went on to rattle off the reasons why he could sleep well at night: “We’re air-gapped. We’ve got data diodes. And if all goes wrong, we’ve got an SIS system,” said the security director, referring to the safety instrumented system, which is designed to enable a critical industrial operation to fail safely and gracefully in the event of an emergency.
One week later, Trisis hit, which prompted the cybersecurity professional to call Haward-Grau. “He rang me and said: ‘Listen, you know, how I said we had three central approaches in place for cybersecurity. I’m a little bit nervous now that we may not have all three.’”
While Trisis sent shock waves through the field of industrial cybersecurity in the months after it was uncovered, details surrounding the malware were sparse. Now, a clearer picture is emerging of the attack. The cybersecurity firm FireEye confirmed on April 10 that it had discovered an additional attack at a separate critical infrastructure facility. Last year, the same company also announced it believed the attack had Russian roots.
“For most owners and operators, it doesn’t matter if Russia was behind it, or a hacktivist group,” said Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “What matters is can they cause bad things to happen. And when it comes to critical infrastructure, that means loss of life.”
FireEye has developed a clearer picture of the mechanics of Triton, which leveraged dozens of commodity and custom intrusion tools. For instance, SecHack was used for credential harvesting while Cryptcat, Bitvise, OpenSSH and PLINK created backdoors. Custom tools likely helped attackers skirt cybersecurity protections.
The impact of a successful attack on a SIS target could be significant. “A bad actor can shut down a process [intended to safeguard an industrial facility in an emergency] by manipulating the configuration of a safety system,” said Eddie Habibi, chief executive officer of PAS Global in an email statement. “However, the real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system,” he continued. If that happens, an adversary can lay the groundwork for a disaster by modifying industrial processes to exceed safe operating limits, potentially causing physical destruction, injuries and death, and pollution. In the facility where the malware was first identified, Triton could have interfered with the functioning of a burner management system, potentially triggering the release of hydrogen sulfide gas.
Triton, which targeted equipment from Schneider Electric, could also inspire copycat attacks that aim not just to steal sensitive data, but also to cause physical destruction and possible loss of life. “I think we have seen the catalyzation of similar attacks,” Miller said. And the attack provides a blueprint not just for attacks on the oil-and-gas sector, which was purportedly targeted in the first announced Trisis attack, but for any type of critical infrastructure, including building automation systems. “Look at BlackEnergy,” Miller said, referring to the malware that played a role in shutting down part of the power grid in Ukraine. “When it hit, it was totally new and novel. Now, it is something you can purchase on the dark web.” The adversaries who develop such dangerous attacks could share their tactics with like-minded hackers online, similar to cooks swapping recipes online, Miller said.
The potential for further nation-state backing of such attacks is also troubling. “With the current generation of operational technology (OT) systems, an unmitigated cybersecurity issue is an unmitigated safety issue,” said John Sheehy, vice president of strategic services at IOActive in an email statement. Schneider has since launched an educational campaign to transform Triton into a “call to action” for the industry, Andrew Kling, director of cybersecurity and system architecture at Schneider Electric, said in an interview last year.
FireEye researchers believe that nation-states could be building up such malware to support contingency operations rather than to launch immediately destructive attacks. Setting up and potentially orchestrating an attack like Trisis likely requires years of planning and time investment from threat actors, who work to ensure they have continued access to their target’s environment. The FireEye research team believes it took nearly a year for the adversary to expand access from the target’s corporate network to a SIS engineering workstation. In the meantime, the attacker carefully worked to hide their tracks, for instance by renaming executable malware files to look like Microsoft update files. FireEye believes the attackers behind Trisis have been active since at least 2014.
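Two of the details above give a defender something concrete to hunt for: the commodity remote-access and tunnelling tools (PLINK, Cryptcat, OpenSSH, Bitvise) and executables renamed to pass as Microsoft update files. A renamed binary still carries its original name in its PE version resource, which Sysmon exposes as the OriginalFileName field of each process-creation event, so the on-disk name and the PE name can be compared. The script below is an added example, not code from the article, FireEye or any of the companies quoted; the events it scans are constructed, Sysmon-style records, and the tool filenames, lure-name tokens and trusted-directory list are assumptions that would need tuning for a real engineering-workstation fleet.

```python
"""Hunt for renamed or known remote-access tools in process-creation telemetry.

Added example, not code from the article, FireEye or any quoted company. The
events below are constructed, Sysmon-style (Event ID 1) records reduced to the
fields the checks need; the tool names, lure tokens and trusted directories are
assumptions to tune for a real engineering-workstation fleet.
"""
import json
import ntpath

# Tools the article names as the intrusion's backdoor/tunnelling set. The
# on-disk filenames are assumed; Bitvise ships several binaries, so extend this.
KNOWN_TOOLS = {"plink.exe", "cryptcat.exe", "ssh.exe", "sshd.exe", "bvssh.exe"}

# Hypothetical substrings an "update"-themed lure filename might carry.
UPDATE_LURE_TOKENS = ("update", "wuauclt", "kb")

# Where genuine Windows/Microsoft update binaries are expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def analyze_event(event):
    """Return reason strings for one process-creation event (empty list = clean).

    Expected keys: Image (full path) and OriginalFileName (PE version-resource
    name, reported as '-' by Sysmon when the binary carries none).
    """
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "-").lower()
    reasons = []

    # A binary whose PE name differs from its on-disk name has been renamed;
    # skip the test when no version resource exists rather than raise a false hit.
    if original not in ("", "-") and original != name:
        reasons.append(f"renamed: on disk as {name}, PE says {original}")

    # Known remote-access/tunnelling tools are noteworthy even when not renamed,
    # e.g. a PuTTY plink sitting on a SIS engineering workstation.
    tool = next((t for t in (original, name) if t in KNOWN_TOOLS), None)
    if tool:
        reasons.append(f"known remote-access tool: {tool}")

    # Update-themed names are only plausible under the OS/vendor directories.
    if any(t in name for t in UPDATE_LURE_TOKENS) and not image.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"update-like name outside trusted directories: {image}")
    return reasons


def load_events(jsonl):
    """Parse newline-delimited JSON events, ignoring blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events):
    """Return [(image, reasons)] for every event that triggers at least one check."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append((event.get("Image", ""), reasons))
    return findings


# Constructed sample telemetry (not real data): a benign update client, a PLINK
# disguised as an update, a "KB"-named file with no version resource, a renamed
# Cryptcat and a legitimately installed PuTTY plink.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\wuauclt.exe", "OriginalFileName": "wuauclt.exe"}
{"Image": "C:\\ProgramData\\WindowsUpdate\\wuupdate.exe", "OriginalFileName": "plink.exe"}
{"Image": "C:\\Users\\eng\\AppData\\Local\\Temp\\kb123456.exe", "OriginalFileName": "-"}
{"Image": "C:\\Users\\eng\\Downloads\\nc.exe", "OriginalFileName": "cryptcat.exe"}
{"Image": "C:\\Program Files\\PuTTY\\plink.exe", "OriginalFileName": "plink.exe"}
"""

if __name__ == "__main__":
    for image, reasons in hunt(load_events(SAMPLE_EVENTS)):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed events, the genuine wuauclt.exe under System32 produces no finding, while the disguised PLINK trips all three checks, the "KB" file trips only the lure check (its missing version resource is deliberately not treated as a rename), and the PuTTY install is surfaced only as a known tool. The rename check is the one that survives an attacker's choice of filename; the lure tokens and directory list are the parts that need local tuning.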
Sheehy and Miller both said the Triton malware should also serve as an impetus to bake holistic cybersecurity protections into industrial environments, rather than relying predominantly on after-the-fact measures such as network monitoring and threat hunting. Sheehy also stressed the importance of building physical safety protections into industrial environments that could help mitigate a successful safety-oriented cyberattack. “Where possible, designers should use orthogonal safety controls, such as mechanical pressure relief valves or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them,” Sheehy said. “Today’s OT implementations should focus on managing the consequences of a cybersecurity attack through layered protections and mitigations using non-cybersecurity engineering controls. This should be done with a focus on providing operational resiliency to the process and overall operations.”
“Let’s get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning,” Miller said in an email statement. “Until we do that, we’ll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one.”