Triton Framework Exposes Russia’s Craft in SCADA Attacks

The best way to learn if your software is ready for the big time is to test it in the real world. That is true if you are building a mobile app or … hacking the power grids of Eastern European nations with the intent to cause as much havoc as possible.

For Russian nation-state hackers dedicated to developing SCADA and operational technology attack capabilities, the proving ground appears to be Ukraine.

The way Russian-sponsored nation state attackers have built a modular attack framework to infiltrate energy grids provides a good lesson on the current state of SCADA security across the world.

Research performed by FireEye has linked the infrastructure attack framework Triton (referred to as TEMP.Veles by FireEye) to a Russian laboratory, the Central Scientific Research Institute of Chemistry and Mechanics, located near Moscow. Triton has been observed in development and malware testing environments since at least 2014.

The goal of Triton is to infiltrate SCADA networks for the purpose of causing physical damage to infrastructure equipment. In this way, it is similar to Stuxnet in that Triton was purpose-built to attack infrastructure on a nation-state level, but that is where the comparison ends.

It is likely that Triton has been used by the attacker groups dubbed “BlackEnergy” and “GreyEnergy” over the last couple of years to attack industrial control systems in Ukraine, resulting in loss of electricity for thousands of people in the country.

Stuxnet was designed to do one thing: affect the processes of uranium enrichment at specific locations. Triton, by contrast, has been designed to be modular, allowing the attacker to mold the framework to attack varying targets with differing hardware and software requirements.

FireEye describes three attack options where a framework like Triton could successfully affect industrial control systems:

The SIS threat model below highlights some of the options available to an attacker who has successfully compromised an SIS.

Attack Option 1: Use the SIS to shut down the process.

• The attacker can reprogram the SIS logic to cause it to trip and shut down a process that is, in actuality, in a safe state. In other words, trigger a false positive.
• Implication: Financial losses due to process downtime and a complex plant start-up procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state.

• The attacker can reprogram the SIS logic to allow unsafe conditions to persist.
• Implication: Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard.

• The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.
• Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

“It’s interesting to see this attacker build a modular attack framework designed to infiltrate and attack SCADA and Operational Technology [OT] networks,” said Francisco Donoso, DevOps Security Engineer at Randori. “The Triton malware appears to have been written to enable the attackers to quickly and effectively adjust their attack strategy based on the software and hardware deployed within the environment. This flexibility allows the attack group to effectively cause damage against a wide range of SCADA technologies, instead of targeting a specific manufacturer or configuration, like with Stuxnet.”

Bridging the Operational Gap

One significant hindrance in defending SCADA infrastructure against dedicated nation-state level attacks is the need for defenders to move slowly and minimize downtime. Many SCADA systems have been operational for years and it is a non-starter to just rip them out to replace them with something new. Downtime can cost companies and organizations hundreds of thousands to millions of dollars. Infrastructure is the opposite of the Silicon Valley credo of “move fast and break things.”

“It is sort of a difficult situation,” said Donoso. “Ideally, they would know how an attacker could move laterally in their organization to go from the IT network to the OT network, where the SCADA systems live. Normally companies spend a lot of time making sure that OT environment is fully separated or air-gapped from the IT environment. But there are often connections that were not properly documented or reviewed. This makes it possible to ‘jump’ from the standard IT network to the OT environment.”

The lesson for all companies to learn from a case like this is to understand how an attacker can move through a network once they have gained access. In the case of Triton, the goal is to infiltrate through the infrastructure’s information technology and software and then move into the operational technology, whose system controls operate machinery. In theory, those two realms would not be connected, but in reality, they almost always are.

“Our goal at Randori is to provide organizations with visibility to help them understand how an attacker views their network and to help them identify these IT and OT network links so they can put controls around that kind of gap, as well as to make sure they build visibility within the OT networks,” said Donoso.

One of the biggest problems defenders face is that they do not know what they do not know, whether it is the software link between the IT and OT environments of a power plant or how a company’s servers can be accessed once an attacker gains access through an edge device, like an employee laptop.
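As an added illustration of the undocumented IT-to-OT links Donoso describes (example code written for this page, not from the article, FireEye or Randori): a small Python check that reads flow-log lines and reports every IT-to-OT connection that is not on a documented, reviewed allowlist. The subnets, the allowlist entry, the flow-log format and the flow lines are all constructed sample values.

```python
import ipaddress

# Constructed segment definitions: which ranges are "IT" and which are "OT".
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed allowlist of documented, reviewed IT->OT connections:
# (source network, destination host, destination port).
DOCUMENTED = {
    ("10.10.5.0/24", "10.200.1.10", 443),  # e.g. historian web UI from engineering VLAN
}

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def is_documented(src, dst, dport):
    """True if this IT->OT connection is on the reviewed allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) and dst == host and dport == port
               for net, host, port in DOCUMENTED)

def parse_flow(line):
    # Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
    ts, src, _, dst, proto, nbytes = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "dst": dip, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def find_undocumented_crossings(lines):
    """Return flows that cross from an IT range into an OT range without an allowlist entry."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if (in_nets(f["src"], IT_NETS) and in_nets(f["dst"], OT_NETS)
                and not is_documented(f["src"], f["dst"], f["dport"])):
            hits.append(f)
    return hits

# Constructed sample flows: one documented IT->OT flow, two undocumented IT->OT flows
# from the same IT host, one OT-internal flow and one IT-internal flow.
SAMPLE_FLOWS = """\
2018-10-23T09:00:01Z 10.10.5.22:51000 -> 10.200.1.10:443 tcp 18400
2018-10-23T09:00:07Z 10.10.7.14:51233 -> 10.200.3.5:3389 tcp 220400
2018-10-23T09:01:12Z 10.10.7.14:51240 -> 10.200.3.5:445 tcp 90120
2018-10-23T09:02:40Z 10.200.3.5:40000 -> 10.200.3.20:502 tcp 1800
2018-10-23T09:03:02Z 10.10.9.8:44400 -> 10.10.2.2:443 tcp 5000
"""

if __name__ == "__main__":
    for f in find_undocumented_crossings(SAMPLE_FLOWS.splitlines()):
        print(f"undocumented IT->OT flow: {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['proto']}, {f['bytes']} bytes)")
```

Run against real flow or firewall logs, every reported source host is a candidate "jump" path to review and either document or block.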

It does not take a nation-state level attacker to compromise a company network, just a patient hacker who is persistent in finding vulnerabilities and then moving through the network to see how far they can go.

*** This is a Security Bloggers Network syndicated blog from Code Red authored by Dan Rowinski. Read the original post at: