(Eduard Kovacs – SecurityWeek) – The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.
Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.
FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.
The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.
It’s unclear how the attackers obtained the hardware and software they used to test the malware. They may have purchased it or borrowed it from a government-owned utility. The software could have also been stolen from ICS companies or other organizations that use Triconex controllers.
FireEye believes, however, that the malware developers did not build the TriStation communications component from the ground up. The company’s analysis suggests that the hackers copied code from legitimate libraries.
Specifically, researchers discovered significant similarities between the code found in the malware and code in a legitimate TriStation software file named “tr1com40.dll.”
While reverse engineering the legitimate DLL file may have helped them understand how TriStation works, the code in the malware suggests it did not answer all their questions. This may have led to the problems experienced by the threat group during its attack on the critical infrastructure organization.
Triton was discovered after it accidentally caused SIS controllers to initiate a safe shutdown. Experts believe the attackers had been conducting tests, trying to determine how they could cause physical damage.
“Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies,” FireEye said in its report. “If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.”
Industrial cybersecurity firm Dragos reported recently that the threat group behind the Triton attack, which it tracks as Xenotime, is still active, targeting organizations worldwide and safety systems other than Schneider’s Triconex.
Triton ICS Malware Developers Likely Copied Code From Legitimate Libraries