New TRITON/TRISIS Cyberattack Reported at Critical Infrastructure Facility

Credit to Author: Sonal Patel | Date: Wed, 10 Apr 2019 16:04:17 +0000

A new critical infrastructure facility has suffered a TRITON intrusion, says cybersecurity firm FireEye. 

The company confirmed in an April 10 blog post that it has uncovered and is responding to “an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility.”

Details about the attack are sparse, but FireEye and other experts warned that TRITON—also known as TRISIS—is an especially insidious attack framework because it is designed and deployed to modify application memory on safety instrumented system (SIS) controllers to prevent them from functioning correctly, increasing the likelihood of a failure and other physical consequences.

FireEye and Dragos first publicly exposed a TRITON attack at a Middle Eastern industrial facility in December 2017, prompting wide alarm among industrial control system (ICS) security professionals. The destructive malware attack occurred in October 2017 at a Petro Rabigh facility, on the west coast of Saudi Arabia.

The attack targeted Schneider Electric’s Triconex safety instrumented system (SIS) and “inadvertently caused a process shutdown,” FireEye said. Dragos in May 2018 pinned that attack on a cyberthreat activity group it calls “XENOTIME,” saying the group is intent on compromising and disrupting industry safety instrumented systems globally. On Wednesday, FireEye attributed the intrusion activity that led to the deployment of TRITON in that attack to a Russian government-owned technical research institute in Moscow.

“The TRITON intrusion is shrouded in mystery,” FireEye noted, however. “There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes,” it said.  

As Eddie Habibi, CEO of PAS Global, told POWER on April 10, details about the second TRITON attack, while sparse, are concerning. “While threat intel and incident response teams from FireEye are investigating the second TRITON/TRISIS incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the Safety Instrumented System (SIS),” he said.

“The safety system contains the safe operating limits that are carefully engineered to shut down a plant gracefully upon a loss of control or other emergency situations,” said Habibi. “A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes.” 

Habibi noted that while the shutdown and loss of production is painful, if the safety system is designed properly, there should be no safety impact or damage to equipment. “However, the real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system,” he explained. “If the attacker intends to cause physical damage, they are likely to access other control systems in parallel, and once the safety system is defeated, use the other control system to push the process beyond its safe operating limits. This can lead to physical damage, environmental incidents and loss of life.”

Habibi urged facilities that could be affected by TRITON/TRISIS to “look beyond the safety systems to other ICS assets for signs of infiltration or unauthorized changes.” 

According to Emily Miller, director of National Security and Critical Infrastructure Programs at Mocana, an IIoT cybersecurity firm, news of the second TRITON/TRISIS attack is more evidence that cyberthreats to human lives are very real. “Let’s be clear: This threat actor has shown at best a reckless disregard towards human life, and at worst a malicious intent to do evil things. The TRISIS malware wasn’t developed to steal data—it was specifically designed to impact the safety systems of critical infrastructure and cause bad things to happen,” she said.

While traditional defensive measures such as leveraging indicators, network monitoring and threat hunting are necessary to discover the threat, ICS and IIoT firms should also be thinking about cybersecurity much more holistically. “Asset owners need to think not only about the operational networks used to reach the devices the threat actors want to impact, but also consider the security of those devices themselves. Let’s get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning,” she said.

“Until we do that, we’ll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one.”

Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)

The post New TRITON/TRISIS Cyberattack Reported at Critical Infrastructure Facility appeared first on POWER Magazine.