Early today FireEye released an analysis of new malware, dubbed TRITON, that was conceived to disrupt operations at a Critical Infrastructure facility, allegedly located in the Middle East.
FireEye responded to the incident and performed the initial analysis. The analysis determined that the long-term goal of the attacker was to cause a physical consequence. It also determined that the attacker inadvertently shut down operations, leading to an investigation that uncovered the whole operation.[1]
This is the fifth publicly known malware family tailored to attack operational technology (following Stuxnet, Havex/Dragonfly, BlackEnergy2 and Industroyer).
The malware was designed to target Safety Instrumented Systems (SIS) from Schneider Electric (Triconex 3008 processor modules specifically).[2]
The malicious code is well structured into functional components, making it a proper “attack framework”. The attacker reverse-engineered the proprietary TriStation protocol and implemented several functions that send specific commands, such as halting the device or reading and writing memory. The malware comprises a main executable and a set of compiled Python libraries for communicating with the SIS devices.
The main executable attempts to disguise itself as legitimate Triconex software for analyzing SIS logs and, once running, loads new logic into the targeted device(s). The malware does not leverage any previously unknown vulnerability (0-day), yet the amount of time required to assemble an attack framework for such a specific environment suggests the involvement of a well-funded actor (possibly a nation state).
The attacker first gained access to an SIS workstation and then deployed malicious code to reprogram the SIS controllers. This indicates that the attacker performed an extensive testing phase, first collecting information about the targeted environment and then simulating similar conditions.
FireEye reports that the attacker made several attempts over a period of time to deliver functioning control logic to the SIS controllers. During one of these attempts, the attacker triggered some SIS controllers to enter a “fail safe” state, which automatically shut down the industrial process for no apparent reason. The asset owner promptly initiated an investigation that led to uncovering the whole operation.
This behavior points to a motive beyond causing just a process shutdown, as the attacker could have simply issued a halt command or corrupted the memory of the SIS controllers. Moreover, as the attacker might already have obtained a foothold on the DCS, manipulating or shutting down the process was already possible without having to compromise the safety systems.
Similar to previous incidents, a mix of factors allowed the attacker to achieve some success throughout the operation.
First, the Triconex SIS controllers feature a physical keyswitch that prevents reprogramming of the logic. However, the targeted controllers were left in “program” mode, instead of “run”, even during normal operations, easing the task for the attacker.
Secondly, no specific security measure was apparently in place (application whitelisting, network monitoring, etc.), leaving the asset owner blind to suspicious system activities, dangerous/hazardous commands, or other network events.
Thirdly, albeit not yet confirmed, the SIS network appears not to have been properly isolated, again easing the task for an attacker who could have entered via a remote session (such as those used by engineers for maintenance purposes on the DCS).[3]
Conclusion and Recommendations
While Triconex safety systems are widely deployed in a number of industries, each SIS is uniquely configured, and thus specific knowledge of the process is required. The likelihood of observing this attack at a different asset owner is rather low, unless a significant amount of effort and resources is spent.
Well-funded and motivated attackers (like nation-states) have demonstrated yet again that it is possible to penetrate industrial networks and trigger potentially serious consequences.
Asset owners need to implement solid change management and audit procedures to slow down attackers, and deploy countermeasures such as application whitelisting and ICS network security monitoring to prevent and detect malicious events and gain an adequate level of visibility into their operational technology networks.
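The monitoring gap described in the second and third factors above, and the ICS network security monitoring recommended here, can be illustrated with a small detection check over flow records. This is an added example, not code from the original post or from FireEye; it assumes the SIS controllers sit in a dedicated subnet, that TriStation engineering traffic uses UDP port 1502, that only known engineering workstations may talk to the controllers, and that the keyswitch is only expected in "program" mode during a declared maintenance window. All addresses and flow records are constructed.

```python
"""Added example: flag SIS network activity that the asset owner should
have been able to see. All hosts, ports and records below are constructed
sample data and assumptions, not values from the incident."""
from dataclasses import dataclass
from datetime import datetime, time

TRISTATION_PORT = 1502                          # assumed TriStation UDP port
SIS_CONTROLLERS = {"10.10.5.11", "10.10.5.12"}  # constructed SIS subnet hosts
ENGINEERING_WORKSTATIONS = {"10.10.5.100"}      # constructed allowlist
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))   # only time PROGRAM mode is expected


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'timestamp src dst proto dport' record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport))


def check_flow(flow: Flow) -> list[str]:
    """Return alert strings for one flow; an empty list means benign."""
    alerts = []
    if flow.dst not in SIS_CONTROLLERS:
        return alerts                           # not SIS traffic, ignore
    if flow.src not in ENGINEERING_WORKSTATIONS:
        alerts.append(f"unexpected host {flow.src} talking to SIS {flow.dst}")
    if flow.proto == "udp" and flow.dport == TRISTATION_PORT:
        start, end = MAINTENANCE_WINDOW
        if not (start <= flow.ts.time() <= end):
            alerts.append(f"TriStation traffic to {flow.dst} outside maintenance window")
    return alerts


def scan(log: str) -> list[str]:
    """Run check_flow over every non-empty record in a flow log."""
    return [a for line in log.splitlines() if line.strip()
            for a in check_flow(parse_flow(line))]


# Constructed sample log: in-window engineering traffic, out-of-window
# engineering traffic, an unknown host, and unrelated SNMP traffic.
SAMPLE_FLOWS = """\
2017-01-01T03:10:00 10.10.5.100 10.10.5.11 udp 1502
2017-01-01T14:22:31 10.10.5.100 10.10.5.11 udp 1502
2017-01-01T14:25:07 10.10.7.23 10.10.5.12 udp 1502
2017-01-01T14:26:00 10.10.5.100 10.10.5.11 udp 161
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)                            # prints 3 alerts
```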