Triton intrusion discovered at second industrial facility

FireEye confirms activity tied to Russian group at additional site, others likely affected

Intrusion activity attributed to the same group which attacked the industrial safety systems of a petrochemical plant in Saudi Arabia in 2017 has been uncovered at a second facility, security researchers have confirmed.

FireEye told Computerworld the company is responding to a Triton-linked attack at a different "critical infrastructure facility".

The company would not reveal the function or location of the second affected facility but said it was "consistent" with the first.

"It's incredibly significant. The fact we've found [the attackers] in two places.  We're pretty confident they are elsewhere," FireEye's cyber-physical intelligence team lead Nathan Brubaker said.

Triton – sometimes referred to as Trisis – targets the Triconex Safety Instrumented System (SIS) controllers made by Schneider. These controllers perform critical safety functions within industrial plants, acting as a defence against potentially fatal incidents.

If they detect conditions have become dangerous, these industrial control systems (ICS) trigger mechanisms to return processes to safe levels or shut them down completely.

The Triton malware allows such systems to be controlled remotely – potentially allowing malicious actors to cause explosions or release toxic gas.

FireEye responded to the first incident in December 2017. The attempt to cease control of the safety systems failed because "the attacker inadvertently shutdown operations while developing the ability to cause physical damage" the security firm said at the time.

In October, FireEye attributed the intrusion attempt to Russian government-owned research institute – the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) – in Moscow.

This week, at the Kaspersky Security Analyst Summit in Singapore, FireEye said it had "uncovered additional intrusion activity" by the same threat actor at a second facility.

"I would say it's likely that they are somewhere else, especially since we've found them in two places," Brubaker said.

Analysis has found the attacker has used new custom tool sets in combination with commodity tools, which has helped in the attribution effort.

Other evidence linking the intrusion to the CNIIHM was a PDB path contained in a tested file which contained a unique username.

The same name was used by a vulnerability researcher in articles written for a Russian hacking magazine, and appeared on social media and photo-sharing sites which showed the individual was a professor at the institute. IP addresses used in malicious activity supporting the Triton intrusion were also linked to the location, and activity on the attack happened during Moscow working hours.

"We will never get a more clean cut case," Brubaker said.

The attackers showed "incredible restraint" throughout the attack, Brubaker said, which commenced in 2014.
After establishing an initial foothold on the corporate network, the malicious actor focused their effort on gaining access to the operational technology network.

"They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment," a FireEye analysis states.

The firm has stopped short of blaming the Russian group for developing and deploying Triton, however.

"The attribution is specific to the intrusion activity, the IT portion, we don't have evidence tying them explicitly to the development of Triton," Brubaker said.

"That being said, they probably have the capability to do it. There's only a couple of organisations in the world that could build a Triton in house, they almost certainly have the capability to do that," he added.

The attack was undoubtedly intended to cause significant physical damage, Brubaker explained.

"I don't think they were going to blow something up right away. What they were very likely doing was – get one of the controllers, sit there with Triton, and if there's a contingency or war between Russia and whoever, activate that, blow that up," he said.

The author travelled to the Security Analyst Summit as a guest of Kaspersky.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackingSCADAFireEyerussiacritical infrastructurecyberschneiderOTsafety system

More about FireEyeIntrusionKaspersky

Show Comments