Triton kill chain published to the MITRE ATT&CK framework. Threat actor may be present in other facilities, FireEye warns
FireEye won’t name the critical infrastructure facility in which it has identified a highly sophisticated threat group/attack framework dubbed Triton.
The company today, however, published Triton’s latest tactics, techniques and procedures (TTPs) on its own site and the kill chain to the MITRE ATT&CK Framework [pdf with JSON raw data] a public knowledge base of adversary techniques, in a move that has shed more light on Triton’s custom tools and hashes.
“Nation State Preparing for an Attack”
Triton was first identified in a Saudi Arabian oil plant in 2017.
FireEye described it then as an attack framework built to interact with Triconex Safety Instrumented System controllers, saying its activity was “consistent with a nation state preparing for an attack”.
(It later attributed creation of the tools used “with high confidence” to Russia’s Central Scientific Research Institute of Chemistry and Mechanics.)
In a new blog post today, FireEye reveals that the hackers gained an initial foothold on the corporate network of the mystery CNI, pivoted to the OT network and used multiple techniques over the course of a year to hide their activities and deter forensic examination of their tools, ultimately gaining access to a safety system to refine and deliver a backdoor payload that could have sabotaged the plant.
The California-based company said: “We strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections [published] to improve their defenses and hunt for related activity in their networks.”
Triton In System for a Year: May Lurk in Other Critical Infrastructure
FireEye said: “The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security.”
“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”
“There may be other target environments where the actor is still present”
Based on analysis of the actor’s custom intrusion tools, the group has been operating since as early as 2014. FireEye added that is has “never before encountered any of the actor’s custom tools, despite the fact that many of them date to several years before the initial compromise. This fact and the actor’s demonstrated interest in operational security suggests there may be other target environments – beyond the second intrusion announced in this blog post – where the actor was or still is present.”
The company urged CNI providers to look for warning signs including inbound and outbound connections from and to non-standard IP ranges, “especially from international Virtual Private Server providers like OVH and UK-2 Limited”; unsigned “Microsoft Corporation” binaries in the group’s common staging directories; new and anomalous Scheduled Tasks XML triggers referencing unsigned .exe files; timestomping command strings such as “.CreationTime=” in PowerShell scripts or in PowerShell command-line entries, along with a range of other suggestions.
FireEye’s team added: “Most sophisticated ICS attacks leveraged Windows, Linux, and other traditionally “IT” systems (located in either IT or OT networks) as a conduit to the ultimate target”, urging defenders to focus on these conduits.
“Some examples include leveraging computers to gain access to targeted PLCs (e.g., Stuxnet), interacting directly with internet-connected human machine interfaces (HMIs) (e.g., BlackEnergy), and gaining remote access to an engineering station to manipulate a remote terminal unit (RTU) (e.g., INDUSTROYER) or infect SIS programmable logic controllers (PLC) (e.g., TRITON).
Defenders who focus on stopping an attacker in these “conduit” systems benefit from a number of key advantages that will only grow as IT and OT systems continue to converge, including the broad availability of mature security tools to defend and hunt in Windows, Linux, and other traditionally “IT” systems, FireEye noted.