Cybersecurity firm FireEye has uncovered and is responding to a new intrusion at an unnamed critical infrastructure facility that it suggests in an April 10 blog post was perpetrated by the group behind the TRITON attack, which prompted a process shutdown at a Middle Eastern facility in 2017.
But while details of the new attack are sparse, according to Joe Slowik, an adversary hunter at industrial control systems (ICS) security firm Dragos, the attack by the cyberthreat activity group it calls "XENOTIME" does not involve TRITON, which is also known as TRISIS.
"All available evidence at this time indicates that XENOTIME has not deployed either TRITON/TRISIS or any new ICS-disruptive malware in any environment, a statement that is also implicitly made in FireEye's reporting," he told POWER on April 10.
Slowik's analysis addresses speculation that a second TRITON attack had occurred, as had been widely suggested by experts and reported by POWER in a previous version of this story. Slowik, however, confirmed FireEye's claim. "Dragos' work and identification of continuing XENOTIME activity is supported by FireEye's claim that they are responding to events at another location at this time," he said.
According to Slowik, XENOTIME continues to be active. "Dragos responded to and analyzed data from multiple sites and several industries spanning North America and Europe featuring XENOTIME activity since mid 2018, and continues to aggressively track this adversary in current operations," he said on Wednesday. The group "remains active in the oil and gas and other ICS sectors, in addition to having a persistent interest in ICS OEMs and manufacturers," he warned.
But aside from TRITON/TRISIS itself, the group does not appear to possess or use any other complex, custom malware frameworks for intrusion scenarios, Slowik said. Since the 2017 attacks, XENOTIME continues to develop and modify its behaviors and TTPs. "While some of the capabilities outlined are still used by the adversary, the group continues to evolve while following the same pattern of using customized versions of publicly-available tools for operations," he said.
TRITON/TRISIS Worries Persist
FireEye and Dragos first publicly exposed the destructive TRITON/TRISIS malware attack that reportedly occurred in October 2017 at a Petro Rabigh facility, on the west coast of Saudi Arabia. Their reports in December 2017 prompted wide alarm among ICS security professionals because the attack targeted Schneider Electric's Triconex Safety Instrumented System (SIS) and "inadvertently caused a process shutdown," as FireEye said.
Dragos in May 2018 pinned that attack on XENOTIME, a group it said is intent on compromising and disrupting industry SISs globally. On Wednesday, FireEye attributed the intrusion activity that led to the deployment of TRITON in the 2017 attack to a Russian government-owned technical research institute in Moscow.
FireEye and other experts have consistently warned that TRITON is an especially insidious attack framework because it is designed and deployed to modify application memory on safety instrumented system (SIS) controllers to prevent them from functioning correctly, increasing the likelihood of a failure and other physical consequences.
"The TRITON intrusion is shrouded in mystery," FireEye noted, however. "There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes," it said.
A Safety System Threat
As Eddie Habibi, CEO of PAS Global told POWER on April 10, details about the new attack, while sparse, are concerning. "While threat intel and incident response teams from FireEye are investigating the second TRITON/TRISIS incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the Safety Instrumented System (SIS)," he said.
"The safety system contains the safe operating limits that are carefully engineered to shut down a plant gracefully upon a loss of control or other emergency situations," said Habibi. "A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes."
Habibi noted that while the shutdown and loss of production is painful, if the safety system is designed properly, there should be no safety impact or damage to equipment. "However, the real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system," he explained. "If the attacker intends to cause physical damage, they are likely to access other control systems in parallel, and once the safety system is defeated, use the other control system to push the process beyond its safe operating limits. This can lead to physical damage, environmental incidents and loss of life."
Habibi urged facilities that could be affected by TRITON/TRISIS to "look beyond the safety systems to other ICS assets for signs of infiltration or unauthorized changes."
According to Emily Miller, director of National Security and Critical Infrastructure Programs at Mocana, an "industrial internet of things" (IIoT) cybersecurity firm, news about the intrusion by the actor behind TRISIS is more evidence that cyberthreats to human lives are very real. "Let's be clear: This threat actor has shown at best a reckless disregard towards human life, and at worst a malicious intent to do evil things. The TRISIS malware wasn't developed to steal data–it was specifically designed to impact the safety systems of critical infrastructure and cause bad things to happen," she said.
While traditional defensive measures such as leveraging indicators, network monitoring, and threat hunting are necessary to discover the threat, ICS and IIoT firms should also be thinking about cybersecurity much more holistically. "Asset owners need to think not only about the operational networks used to reach the devices the threat actors want to impact, but also consider the security of those devices themselves. Let's get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning," Miller said.
"Until we do that, we'll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one," she added.
–Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)
Update (April 10): Adds details from Dragos that suggest the new attack is not a TRISIS/TRITON attack.