The group behind the Triton malware that triggered an emergency shutdown last year at a critical infrastructure organization in the Middle East is still active and has expanded its operations to industrial controllers in facilities in other regions of the world.
“XENOTIME operates globally, impacting regions far outside of the Middle East, their initial target,” industrial security firm Dragos said in a new report. “Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex.”
XENOTIME, as Dragos calls the group, came into the spotlight in December when researchers from FireEye posted an analysis of its attack framework dubbed Triton or Trisis. The malware stood out because it was able to reprogram Triconex safety instrumented system (SIS) controllers from Schneider Electric by reverse-engineering an undocumented protocol and by exploiting a zero-day vulnerability.
Triton is one of the very few malware programs found in the wild that infect industrial controllers. The other known example is Stuxnet, the U.S.-made cyberweapon used to destroy uranium enrichment centrifuges at Iran’s Natanz nuclear plant in 2010 after infecting programmable logic controllers (PLCs).
Other malware has been found inside industrial facilities since Stuxnet, but it focused on stealing sensitive information from IT environments rather than interacting with industrial equipment.
Safety instrumented systems (SIS) are made up of specialized hardware controllers that monitor industrial processes by receiving information from sensors and actuators. The controllers run code that automatically brings monitored processes back into a safe state or shuts them down when certain parameters are exceeded.
The Triton malware was discovered after an emergency shutdown event occurred at a critical infrastructure organization from the Middle East. Dragos and FireEye, which investigated that incident, believe the emergency shutdown was the result of an error the attackers made when executing their attack, which might have actually had destructive goals.
“Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential, future disruptive—or even destructive—event,” Dragos said in its report. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade (sic) credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly.”
XENOTIME is easily the most dangerous threat activity publicly known and has no known associations to other groups, the company said. It is also the only threat actor known to target safety systems, which can lead to environmental damage and possibly loss of life.
FBI Disrupts VPNFilter Botnet Linked to Russian Cyberespionage Group
The FBI has seized a domain name used by VPNFilter, a sophisticated botnet that has enslaved more than 500,000 SOHO routers and NAS devices from around the world.
The botnet is controlled by the Sofacy Group, a group of actors also known as APT28, Sandworm, X-agent, Pawn Storm, Fancy Bear and Sednit, the U.S. Department of Justice said in an announcement. “The group, which has been operating since at least in or about 2007, targets government, military, security organizations, and other targets of perceived intelligence value.”
Many security researchers and companies believe that APT28 is an arm of the GRU, Russia’s military intelligence agency. Among others, the group is responsible for the theft and subsequent leak of emails from the Democratic National Committee during the 2016 U.S. presidential election.
The existence of the VPNFilter botnet was revealed May 23 by researchers from Cisco Systems’ Talos division. The malware infects devices from multiple manufacturers and has different components that are deployed at different stages of the infection chain.
The first-stage payload, which is persistent across device reboots, uses three methods of locating a server from where it downloads a second-stage component. Two of the methods involve downloading photos from Photobucket.com, an image hosting site, or from an attacker-controlled domain called toknowall.com, and then extracting the download server’s encoded IP address from the EXIF metadata of those photos.
Photobucket removed the attacker-uploaded image from its website, and the FBI has now seized the toknowall.com domain, leaving the first-stage downloader with only a single method of obtaining the IP address of the download server for the second-stage component.
The third method involves attackers connecting to every infected device and sending the IP address inside a specially crafted network packet that the first-stage component will recognize. It is a much more involved technique than having the malware download a photo from the internet.
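As an added illustration, not code from the article, Talos, or the DOJ: a minimal EXIF walker that reports whether an image carries a GPS sub-IFD, the kind of metadata field a downloader could use to stash an encoded address. The sample image is constructed inline, and the choice of GPS fields is my assumption; the article says only "EXIF metadata".

```python
import struct
GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD

def _parse_ifd(tiff, offset, endian):
    """Return {tag: (type, count, value_or_offset)} for one IFD in a TIFF blob."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count, val = struct.unpack_from(endian + "HHII", tiff, pos)
        entries[tag] = (typ, count, val)
        pos += 12
    return entries

def exif_tags(jpeg):
    """Walk the JPEG marker chain to the APP1/Exif segment; return IFD0 and GPS IFD tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack_from(">HH", jpeg, pos)
        if marker in (0xFFD9, 0xFFDA):  # EOI or start of scan: no metadata past here
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]       # segment length counts its own 2 bytes
            endian = "<" if tiff[:2] == b"II" else ">"
            (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd0 = _parse_ifd(tiff, ifd0_off, endian)
            gps = {}
            if GPS_IFD_POINTER in ifd0:
                gps = _parse_ifd(tiff, ifd0[GPS_IFD_POINTER][2], endian)
            return {"ifd0": ifd0, "gps": gps}
        pos += 2 + seglen
    return {"ifd0": {}, "gps": {}}

def has_location_metadata(jpeg):
    return bool(exif_tags(jpeg)["gps"])  # a GPS IFD is a field a router has no reason to need

def build_sample_jpeg():
    """Constructed one-segment JPEG (no image data) with IFD0 -> GPS IFD carrying latitude fields."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                        # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)
    tiff += struct.pack("<I", 0) + struct.pack("<H", 2)             # no next IFD; GPS IFD at 26
    tiff += struct.pack("<HHII", 0x0001, 2, 2, ord("N"))            # GPSLatitudeRef "N"
    tiff += struct.pack("<HHII", 0x0002, 5, 3, 56)                  # GPSLatitude -> rationals at 56
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<IIIIII", 37, 1, 46, 1, 3000, 100)         # 37 deg 46' 30.00"
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + struct.pack(">HH", 0xFFE1, len(app1) + 2) + app1 + b"\xff\xd9"
```

Pointing `exif_tags` at real files fetched by devices that should never need location data gives a cheap, offline triage signal; it does not decode any particular encoding, which the article does not describe.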
“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure,” the DOJ said.
The second-stage component is the one responsible for most of VPNFilter’s malicious capabilities, but unlike the first-stage downloader, it doesn’t survive device reboots. This means affected users can now reboot their devices to remove the most dangerous part of the malware, and since the automatic reinfection chain is now broken, they’ll have time to take additional actions, such as upgrading their device firmware.