Triton hackers return with new, covert industrial attack

Traces of the group have been found at a fresh critical infrastructure facility by researchers.

New form of malware carrying out internet reconnaissance, larger cyberattack to come Newly identified Xwo malware could be laying the groundwork for far more damaging cyberattacks around the globe, warn researchers.

Traces of a hacking group behind the destructive Triton malware have been found at a new infrastructure facility following an infamous attack in the Middle East.

Triton, also known as Trisis, has been specifically engineered to target a specific type of industrial control system (ICS), namely Triconex safety instrumented systems (SIS) controllers developed by Schneider Electric.

The malware is unusual in the fact that the code hones in on these systems to cause process shutdowns and to tamper with emergency systems.

There are only a handful of examples of other industrial system-specific malware, such as Stuxnet and Industroyer, malware variants which have targeted nuclear and power systems in the past.

Triton was first spotted in 2017 but it is believed that the operators of the system may have been active since 2014. The malware was used against a petrochemical plant owned by Tasnee in Saudi Arabia.

Symantec researchers believe the attack was meant to cause physical damage at the industrial site. The attack was close to causing severe damage at the facility, but Triton's activities inadvertently closed down the plant due to its manipulation of SIS systems which caused them to enter a failed safe state.

Researchers from FireEye said on Wednesday that this failed attempt hasn't deterred the group, which has been uncovered at a new location.

The name of the company has not been revealed. However, FireEye did say the victim was a "critical infrastructure facility" and that the Triton operators were present on the victim's systems for close to a year. FireEye's Mandiant cyberforensics arm was involved in investigating the intrusion, but the company has remained tight-lipped about what damage -- if any -- was achieved.

See also: Industroyer: An in-depth look at the culprit behind Ukraine's power grid blackout

However, the cybersecurity firm has published some new details concerning the Triton group's infiltration tactics.

After gaining a foothold into the corporate side of the network, the Triton group focused on gaining access to the operational side of the industrial system. The threat actors did not steal any data, take any screenshots, or use any form of keylogger; instead, they focused on moving laterally through the system, maintaining persistence and performing network reconnaissance.

The threat group's toolkit includes both generic and custom tools, which were switched around in order to avoid antivirus software and to facilitate different stages of the attack -- for example, the hackers switched to custom backdoors in the IT and OT networks of the victim just before gaining access to an SIS engineering workstation.

Mimikatz, a public tool, and SecHack, a custom tool, are both used by the hackers for credential harvesting. Triton's operators also renamed their files to appear legitimate, such as after Microsoft Update files, and made use of both webshells and SSH tunnels to perform their covert activities and to drop additional tools.

CNET: Your hotel check-in confirmation could be putting you at risk

"Once the actor gained access to the targeted SIS controllers, they appeared to focus solely on maintaining access while attempting to successfully deploy Triton," FireEye says.

Triton's operators kept their activities to off-work times to limit the risk of being discovered.

The hackers also gained access to the victim's distributed control system (DCS) which would have provided information on plant operations and processes. However, the group ignored this and focused solely on the SIS controller.

While the Triton malware itself is not believed to have been deployed on the victim's system, finding traces of the hacking group behind the dangerous malware would have certainly been a serious cause for concern -- especially given the group's past history.

FireEye has previously linked Triton to Russia's Central Scientific Research Institute of Chemistry and Mechanics research lab, based in Moscow, with "high confidence."

TechRepublic: Vulnerability in Verizon Fios Quantum Gateway allows attackers to gain root privileges

"There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild," FireEye says. "We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks."

FireEye has shared a list of potential indicators that the threat group is connected to in industrial settings and encourages IT admins to keep an eye out for any suspicious files or activity relating to them. 

Previous and related coverage