TRITON Malware: Industrial Controllers are No Longer Safe from Attacks

Recently, a new malware variant called TRITON, designed specifically to attack industrial safety systems, was identified as responsible for an operational outage at a critical infrastructure facility in the Middle East. The researchers have not yet disclosed the identity of the compromised organization.

TRITON (also known as TRISIS) is an attack framework that targets Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric. By replacing the logic running on an SIS controller, an adversary can prevent it from functioning correctly, which can have physical consequences. This incident illustrates the continuing escalation in the sophistication and capabilities of cyber threats developed to target industrial control systems.

Because ICS environments typically lack security controls, it is very difficult for organizations to identify malicious activity once an adversary has gained access to the operational network. In practice this makes it nearly impossible to restrict access to critical devices and prevent unauthorized changes before it is too late.


Fortunately, Indegy's Cyber Industrial Security Platform enables organizations to detect and respond to threats like the TRITON malware in real time. Indegy detects all remote access and reconnaissance activity in industrial networks, and alerts on potential threats in the very early phases of an attack.

Even more importantly, Indegy uniquely detects and alerts on any access to, and any change made to, critical industrial controllers. For example, it would alert on any attempt to read the memory of a controller, which is one of the actions TRITON performs before it uploads new ladder logic. Indegy would also detect and alert when new ladder logic is uploaded to the controller, identifying the source of the upload, the command used, the target system and more.

In addition, Indegy would pinpoint the exact changes made to the ladder logic - what was added, changed or removed. This information is critical for detecting threats and reducing mitigation time.

The following walks through each step of a TRITON attack and explains how Indegy would have detected and responded to it:

1. Network and System Infiltration:

Adversary gains a foothold in the network and starts reconnaissance activity


It is important to note that at this time it is unknown how the adversary infiltrated the network or how reconnaissance took place:

  • If a remote connection was used to infiltrate the industrial network, Indegy would have detected it and alerted on it in real time.
  • If, once inside the network, the adversary scanned it to identify ICS devices, Indegy would have detected and alerted on this activity in real time.
  • If the adversary accessed any system during reconnaissance, including operator or engineering workstations, HMIs, any Windows server, or any controller (PLC, RTU or DCS controller), Indegy would have identified it and alerted in real time.
  • If the adversary read information from controllers, such as the model, firmware version, configuration settings or even the ladder logic, Indegy would have detected it and alerted on it in real time.

2. Data Exfiltration:

The information gathered via reconnaissance is extracted off-site


Again, it is unknown at this time how the reconnaissance information was extracted from the industrial environment. If the adversary passed the information internally between systems to a single location from which it was then extracted, Indegy would have identified it and alerted on it in real time.

If the adversary opened a connection to an external system, Indegy would have detected it and alerted on it in real time.

3. Off-site Malware Development and Testing:

The adversary uses the information to develop and test a targeted attack


Since this is executed off-site, Indegy would not have detected or alerted on this.

4. Malware Installation:

The malware is installed on a workstation with access to the targeted system


It is unknown how the code was installed on the Windows workstation; it could have been installed over the network or by using an infected USB drive.

If the installation was done over the network, Indegy would have detected the access to the workstation and alerted on it in real time.

5. Controller Compromised:

The malware replaces existing logic and uploads the new ladder logic to the controller


The final stage of the attack involved several distinct steps:

First, the malicious code identified the location of the logic in the controller's memory and uploaded 'initializing code'. Both of these activities would have been detected and alerted on in real time by Indegy.

After validating that this was successful, TRITON uploaded the new ladder logic. Indegy would have detected and alerted on this in real time, showing the source of the command, the command itself, and the impacted system. Indegy would also show the difference between the old and new ladder logic, i.e. what was deleted, added or changed.

Finally, Indegy's patent-pending Agentless Controller Validation (ACV) would have confirmed that the controller's integrity had been compromised and that the ladder logic had been replaced.


How Indegy's Industrial Cyber Security Technology Helps with Post-Incident Mitigation

By providing real-time alerts with detailed information and a comprehensive audit trail, Indegy enables security professionals to accurately identify the source of an attack, the commands used, and devices impacted.

This intelligence is critical for determining how to respond to and remediate a threat. Indegy also helps organizations shorten incident recovery time by providing historical information for restoring controller configurations and code to their pre-attack state.

This data is typically not documented, which forces operations staff to make assumptions and use trial and error to restore controllers. Indegy eliminates this guesswork and ensures that proper recovery takes place.
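The recovery described here, and the old-versus-new logic comparison mentioned for step 5, both rest on the same record: a snapshot of the controller's logic at every upload, with who wrote it and whether the change was approved. The following Python is an added illustration of that audit trail and is not Indegy's product code. The controller program is modelled as text lines (an assumption; real programs are vendor-specific and would be captured from the engineering protocol), the `Snapshot` and `LogicHistory` names are the example's own, and both logic versions below are constructed for the example.

```python
"""Tracking controller logic versions: snapshot, diff, validate and pick a restore target.

Added illustration, not Indegy's product code. Logic is modelled as text lines and
the two sample programs are constructed (assumptions made for this example).
"""
import difflib
import hashlib
from dataclasses import dataclass


def logic_digest(logic: str) -> str:
    """Content hash used to check a controller's current logic against a baseline."""
    return hashlib.sha256(logic.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    ts: int            # constructed timestamp
    source: str        # host that performed the upload
    approved: bool     # change went through the authorised change process
    logic: str
    digest: str


class LogicHistory:
    """Audit trail of every logic upload seen for one controller."""

    def __init__(self):
        self.snapshots = []

    def record(self, ts, source, logic, approved=False):
        snap = Snapshot(ts, source, approved, logic, logic_digest(logic))
        self.snapshots.append(snap)
        return snap

    def last_known_good(self):
        """Newest approved snapshot; the target for a restore after an incident."""
        good = [s for s in self.snapshots if s.approved]
        return good[-1] if good else None

    def validate(self, observed_logic: str) -> bool:
        """True when logic read back from the controller matches the approved baseline."""
        baseline = self.last_known_good()
        return baseline is not None and logic_digest(observed_logic) == baseline.digest

    @staticmethod
    def diff(old: Snapshot, new: Snapshot):
        """What was added, removed or changed between two versions, line by line."""
        old_lines, new_lines = old.logic.splitlines(), new.logic.splitlines()
        added, removed, changed = [], [], []
        matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag == "insert":
                added.extend(new_lines[j1:j2])
            elif tag == "delete":
                removed.extend(old_lines[i1:i2])
            elif tag == "replace":
                changed.append((old_lines[i1:i2], new_lines[j1:j2]))
        return {"added": added, "removed": removed, "changed": changed}


# Constructed sample: an approved baseline and a later unapproved upload.
BASELINE_LOGIC = """\
PROGRAM SafetyShutdown
  IF Pressure > 250 THEN Trip := TRUE; END_IF
  IF Temp > 400 THEN Trip := TRUE; END_IF
  Valve := NOT Trip;
END_PROGRAM
"""

TAMPERED_LOGIC = """\
PROGRAM SafetyShutdown
  IF Pressure > 9999 THEN Trip := TRUE; END_IF
  IF Temp > 400 THEN Trip := TRUE; END_IF
  Trip := FALSE;
  Valve := NOT Trip;
END_PROGRAM
"""


def investigate():
    """Build the history, diff the suspicious upload and pick the restore target."""
    history = LogicHistory()
    good = history.record(100, "10.10.1.20", BASELINE_LOGIC, approved=True)
    bad = history.record(200, "10.10.1.20", TAMPERED_LOGIC)  # unscheduled upload
    return {
        "intact": history.validate(TAMPERED_LOGIC),   # False: controller no longer matches
        "diff": LogicHistory.diff(good, bad),
        "restore_to": history.last_known_good(),
    }


if __name__ == "__main__":
    result = investigate()
    print("controller matches baseline:", result["intact"])
    print("diff:", result["diff"])
    print("restore target recorded at t =", result["restore_to"].ts)
```

The diff is what an analyst reads first: a raised trip threshold and a line that forces `Trip` low are exactly the kind of change that leaves a safety system looking healthy while no longer protecting anything. The restore target is chosen by approval status rather than by recency, so an unapproved upload never becomes the baseline it is compared against.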
