The TRITON/TRISIS/HatMan malware is not to be trifled with. FireEye and Ann R. Thryft explain why
BOULDER CREEK, Calif. — Less than two months after the October 2017 U.S. Department of Homeland Security/FBI joint technical alert confirmed cyberattacks against industrial control systems, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility. The TRITON/TRISIS/HatMan malware is the first known to be designed to attack an industrial plant's safety systems. Since the attack, security firms and the safety system supplier have published detailed analyses of the attack and the malware.
A team from FireEye's Mandiant incident response service wrote in a December blog post that it responded to an incident in which an attacker gained remote access to an engineering workstation for a Schneider Electric Triconex Safety Instrumented System (SIS) and deployed the new malware there. A SIS, used in oil and gas plants and nuclear facilities, monitors critical industrial processes and automatically brings them to a safe state if they exceed safety limits. The malware, which FireEye dubbed TRITON, then tried to reprogram the SIS controllers. Some controllers entered a failed-safe state, shutting down the industrial process and prompting the facility's owner to investigate and identify the attack.
The FireEye blog said TRITON's ability to prevent safety systems from operating as intended, which could then result in physical consequences, is consistent with attacks made by two previous types of malware — Stuxnet and Industroyer/Crash Override — that can disrupt the ICS of manufacturers and infrastructure systems like energy and water utilities. Although FireEye did not identify the attacker, the victim, or their locations, it did say the attack was characteristic of a nation state, not of cyber-criminal hackers, in its "targeting of critical infrastructure to disrupt, degrade, or destroy systems" without a clear monetary goal.
In this case, the attackers needed enough specialized engineering expertise to understand the particular process controlled by the SIS at the victim's site and how to manipulate it, as well as the specific SIS controllers in use there. FireEye's assessment was that TRITON's modification of application memory on the SIS controllers may have caused a validation check of application code between redundant processing units to fail, which triggered the controllers to begin a safe shutdown. The malware used Schneider Electric's proprietary TriStation protocol to interact with the SIS controllers. Because that protocol is not publicly documented, the FireEye blog said, its use suggests the attackers had reverse-engineered it.
According to cybersecurity firm Dragos, the attack was made on a company in the Middle East. The new malware, which Dragos calls TRISIS, is "the fifth ever ICS-tailored malware and the first to directly target SIS," making it a highly significant event, wrote CEO Robert M. Lee in a blog post. "It is a very bold attack while not technically complicated." Against best security practice, the Triconex controllers' physical keyswitch had been left in PROGRAM mode. In RUN mode the controller does not accept program changes over TriStation, which would have blocked the reprogramming attempt.
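The practical detection that follows from the two paragraphs above is that only the engineering workstation should ever speak TriStation to the safety controllers, so any other host doing so is an alert. The Python below is an added example, not code from the article or from FireEye, Dragos or Schneider Electric. It parses constructed flow records and flags TriStation traffic to the SIS subnet from any host that is not on the engineering-workstation allow list. It assumes that TriStation runs over UDP port 1502 (not stated in the article), and the subnet, workstation address and flow lines are placeholders made up for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for this example: TriStation traffic to the controllers uses UDP
# port 1502. The article does not state the port.
TRISTATION_UDP_PORT = 1502


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow records for this example, not captured from any real site.
# Fields: timestamp, source IP, destination IP, protocol, destination port.
SAMPLE_FLOWS = """\
2017-12-01T02:10:11Z 10.10.20.5  10.10.30.11 udp 1502
2017-12-01T02:10:12Z 10.10.20.5  10.10.30.12 udp 1502
2017-12-01T02:11:40Z 10.10.20.77 10.10.30.11 udp 1502
2017-12-01T02:12:03Z 10.10.20.77 10.10.30.11 tcp 445
2017-12-01T02:12:05Z 10.10.40.9  10.10.30.12 udp 1502
2017-12-01T02:13:19Z 10.10.20.5  10.10.30.11 udp 1502
"""

# Assumed site inventory: the SIS controller subnet and the single engineering
# workstation that is permitted to program the controllers.
SIS_NETWORKS = ["10.10.30.0/24"]
ENGINEERING_WORKSTATIONS = ["10.10.20.5"]


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def tristation_alerts(flows: list[Flow],
                      sis_networks: list[str] = SIS_NETWORKS,
                      workstations: list[str] = ENGINEERING_WORKSTATIONS) -> list[Flow]:
    """Return every TriStation flow to a SIS controller whose source is not an
    approved engineering workstation, in the order the flows were seen."""
    nets = [ip_network(n) for n in sis_networks]
    allowed = {ip_address(h) for h in workstations}
    alerts = []
    for f in flows:
        if f.proto != "udp" or f.dport != TRISTATION_UDP_PORT:
            continue  # not TriStation
        if not any(ip_address(f.dst) in n for n in nets):
            continue  # destination is not a SIS controller
        if ip_address(f.src) not in allowed:
            alerts.append(f)
    return alerts


def controllers_touched(alerts: list[Flow]) -> dict[str, set[str]]:
    """Group alerts by offending source so an analyst can see which controllers
    each unexpected host tried to talk to."""
    touched: dict[str, set[str]] = {}
    for f in alerts:
        touched.setdefault(f.src, set()).add(f.dst)
    return touched


if __name__ == "__main__":
    hits = tristation_alerts(parse_flows(SAMPLE_FLOWS))
    for src, dsts in controllers_touched(hits).items():
        print(f"ALERT unexpected TriStation source {src} -> {sorted(dsts)}")
```

On the constructed data this flags 10.10.20.77 and 10.10.40.9; the SMB flow from 10.10.20.77 is ignored because the rule is scoped to the TriStation port, and a real deployment would pair this with host monitoring of the engineering workstation itself, since in the incident described the malware ran from the legitimate workstation.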
A more detailed Dragos report on TRISIS and how it works states that Triconex SIS controllers are not inherently vulnerable and were targeted simply because that is what the victim was using. Although the security of the SIS was compromised, the safety of the ICS was not, because the SIS controllers performed a safe shutdown. But the report said TRISIS is game-changing because "targeting SIS equipment represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life."
A few days after FireEye's public disclosure, DHS's ICS-CERT issued a malware analysis report (MAR-17-352-01), calling the malware HatMan.
At the January S4x18 security conference, Schneider Electric presented details of its own investigation into the attack and its analysis of TRITON. These included the discovery of a remote access Trojan (RAT) in the malware, the first known to infect SIS equipment, as well as a zero-day vulnerability in the SIS firmware that the malware exploited to inject the RAT into the controller's memory. The intent of the malware was to install this RAT, which gave the attackers read, write and execute access to the SIS, said Andrew Kling, director of cybersecurity and architecture for Schneider Electric, in the presentation.
The threat intelligence team of cybersecurity firm CyberX performed its own independent reverse-engineering of the TRITON malware, wrote Phil Neray, vice president of industrial cybersecurity, in an email. "We believe the goal of the back door was to enable persistent access to the controller, even when the controller's memory-protection key switch is in RUN mode," he wrote. "We believe the purpose of the attack was to disable the safety system in order to lay the groundwork for a second cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life."
— Ann R. Thryft is the industrial control & automation designline editor at EETimes.