Yesterday, FireEye said that they have uncovered the hacking group behind the Triton malware which was recently used to impact an unnamed “critical infrastructure” facility. This malware is designed to penetrate into the target’s networks and sabotage their industrial control systems and has often been used in power plants and oil refineries to control the operations of the facility.
The Triton malware attack first occurred in August 2017, where it was used against a petrochemical plant owned by Tasnee in Suadi Arabia. Researchers believe that the operators of this attack must have been active since 2014. FireEye also believes Triton attack to be linked to a Russian government-owned technical research institute in Moscow.
Triton, also known as Trisis, has been specifically engineered to target a specific type of industrial control system (ICS), namely Triconex safety instrumented systems (SIS) controllers developed by Schneider Electric.
FireEye’s first analysis on Triton after the 2017 attack was, “malicious actors used Triton to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown.”
FireEye has also released a report which explains the custom information technology tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle. “The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant”, the researchers state in their blog.
According to the FireEye report, the threat actor leveraged different custom and commodity intrusion tools including SecHack, NetExec, WebShell, and some more. “The actor’s custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation)”, the researchers mentioned in their report.
The report further mentions, “After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining a presence in the target environment.”
Actors have also used several other obfuscation methods including:
- Renaming their files to make them look like legitimate files;
- Planting webshells on the Outlook Exchange servers;
- Relying on encrypted SSH-based tunnels to transfer tools and for remote command execution;
- Routinely deleting dropped attack files, execution logs, and other files;
- Using multiple staging folders and directories that are very less used by legitimate users or processors.
To know more about this report in detail, read FireEye’s complete report on the Triton attack.