A new attack framework known as “Triton” is targeting industrial control systems (ICS) in an attempt to cause operational disruption and/or physical consequences.

FireEye recently detected an incident at a critical infrastructure organization in which an attacker gained access to a Distributed Control System (DCS) that allows human operators to remotely manage industrial processes. From there, the bad actor could have caused the plant to shut down. Instead they moved to also compromise the Triconex Safety Instrumented System (SIS) controllers in a move that FireEye believes was designed to cause the maximum amount of damage at the company.

It’s at this stage that the malicious individual revealed Triton. The enterprise digital security company’s Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, and Christopher Glyer elaborate on this critical moment:

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

TRITON Architecture and Attack Scenario. (Source: FireEye)

While attempting to cause additional damage, the wrongdoer inadvertently shut down operations.

At this time, FireEye has not attributed Triton or the attack to a specific threat actor. They have found that the malware is consistent in its aim with other ICS-related threats including Stuxnet and Industroyer. Coupled with (Read more...)