Triton malware (aka TRISIS) has joined the limited list of publicly identified malware targeted at operational technology (OT) networks. Other occupants of this small-but-mighty category include Stuxnet (2010), Shamoon (2012), Shamoon 2 (2016) and Industroyer (2016).
In August of 2017, the Triton malware was observed to be targeting Schneider Electric’s Triconex safety instrumented system (SIS) controllers in an oil and gas plant located in Saudi Arabia. The OT malware caused industrial equipment to shut down at random, thus forcing the company to temporarily halt operations.
Triton used a zero-day vulnerability in Triconex Safety Controllers v2.0 in the attack. The vulnerability allows remote security bypass when the physical key switch is in the “program” mode, which is intended only to allow remote reprogramming of the underlying controller, and should be switched off immediately thereafter.
Full details of the attack became public in December 2017 as did a fix published by Schneider Electric.
Who’s Behind Triton?
The Triton malware communicates using the proprietary TriStation protocol, which has no public documentation, and targets hardware and software that are not widely available. Given such hallmarks and the sophistication of the malware, it is likely the work of a nation-state threat actor. As the sole victim (at this point) is in Saudi Arabia, many fingers are pointing at the kingdom’s biggest enemy: Iran. The history of the Shamoon cyberattacks against Saudi critical infrastructure only bolsters these suspicions.
But considering the threat Triton poses, it should be noted that attribution and publicly identifying the specific victim pale in comparison to the lessons to be learned from a remote attack on OT targets that forced operations to cease. (Little Bobby backs me up on this one.)
Did Triton Malware Cause Actual Damage?
In the attack, some SIS controllers entered a failed safe state, which automatically triggered related industrial processes to shut down. According to Mandiant, which investigated the incident, the shutdown was inadvertent, as it tipped off employees that something was awry. Although the victim lost revenue while operations were halted, the potential damage was much greater.
Worst Case Scenarios
The attack, as it happened, tricked the SIS logic into shutting down processes that were actually in a safe state. While this resulted in costly downtime and the headache of a plant restart, no physical damage or harm was caused.
However, if the attackers had gained access to modify the application memory on the SIS controllers, they could have prevented them from functioning correctly, allowing unsafe processes to continue unimpeded. Attackers could also have created a genuinely unsafe state via the distributed control system that communicates with the SIS. Failures such as these could have physical consequences — damage or destruction of equipment or products, and endangerment of environmental or human safety.
The capacity of the Triton malware and the behavior of the attackers show the Saudi incident was likely the first step in a much larger, more serious planned attack. Thankfully, it was spotted in its early stages.
Protecting Against the Triton Malware
If you have products affected by the Triton malware, you should deploy the patch for the Schneider Electric vulnerability. (As of this post, no CVE has been assigned. See Skybox Vulnerability Center for more information.)
You should also ensure safety system networks are properly segregated from IT and process control networks, and monitor industrial control system (ICS) network traffic for unexpected communication flows and other anomalous activity.
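As an added illustration of the segregation and monitoring advice above (example code written for this page, not from the original post or from Skybox), the checker below encodes a simple zone policy and flags flow records that cross into the safety network or carry TriStation programming traffic from anything other than the dedicated engineering workstation. Zone addresses and the workstation address are constructed, and the TriStation port (UDP/1502) is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone addressing for the example; real plants differ.
SAFETY_NET = ipaddress.ip_network("10.10.30.0/24")   # SIS controllers and their engineering station
CONTROL_NET = ipaddress.ip_network("10.10.20.0/24")  # DCS / process control
IT_NET = ipaddress.ip_network("10.0.0.0/16")         # corporate IT
# TriStation programming traffic is assumed to use UDP port 1502 (assumption, see lead-in).
TRISTATION_PORT = 1502
# Only the dedicated engineering workstation may reprogram SIS controllers (constructed address).
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.30.10")}


@dataclass(frozen=True)
class Flow:
    """One flow record as exported by a firewall or ICS network monitor."""
    src: str
    dst: str
    proto: str
    dport: int


def check_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty list means expected traffic)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    findings = []
    if dst in SAFETY_NET and src not in SAFETY_NET:
        findings.append("cross-zone traffic into safety network")
    if (dst in SAFETY_NET and flow.proto == "udp" and flow.dport == TRISTATION_PORT
            and src not in ENGINEERING_WORKSTATIONS):
        findings.append("TriStation programming traffic from unauthorised host")
    if src in IT_NET and (dst in CONTROL_NET or dst in SAFETY_NET):
        findings.append("corporate IT host talking to control/safety equipment")
    return findings


def analyse(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Keep only the flows that violate the policy, mapped to their findings."""
    return {f: check_flow(f) for f in flows if check_flow(f)}


# Constructed sample flows: one expected, two that should be investigated.
SAMPLE_FLOWS = [
    Flow("10.10.30.10", "10.10.30.50", "udp", 1502),  # engineering station programming an SIS
    Flow("10.10.20.5", "10.10.30.50", "udp", 1502),   # DCS host reprogramming an SIS
    Flow("10.0.4.20", "10.10.20.5", "tcp", 502),      # corporate IT host reaching the DCS
]

if __name__ == "__main__":
    for flow, findings in analyse(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {'; '.join(findings)}")
```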