Triton Malware is designed with “a blatant, flat-out intent to hurt people.”
91% of cyber attacks start with an email. And while that, in itself, is a worrisome statistic, the stakes aren’t always clear to people. For many people, getting phished amounts to some personal embarrassment, possibly a financial loss – nothing life-threatening though. Right?
Maybe not. Over the past year and a half, researchers have been following a new strain of malware called “Triton” (or sometimes “Trisis”) that can shut down industrial safety instrumented systems. These systems are comprised of physical controllers and associated software that are designed to prevent life-threatening disasters in various industrial contexts.
In the original incident, in the Summer of 2017, a petrochemical plant in Saudi Arabia came perilously close to one such disaster when components like pressure-release mechanisms and shutoff valves became disabled. Were it not for a small error in the code there’s a very good chance that people working at the plant, as well as those unfortunate enough to live in the surrounding area, could have been injured or possibly even killed.
And it’s likely that, at one point, the attackers used spearphishing to compromise key credentials. Credentials that gave them direct access to the safety instrumented systems
So, today we’re going to discuss Triton, killer phish and how to secure you organization’s email.
Let’s hash it out.
What is Triton Malware?
Triton Malware is a specific strain of malware that targets industrial safety systems in an effort to cause a catastrophe. As we just touched on, its debut – for lack of a better term – came in 2017 against an unnamed Saudi chemical company. To this day the name of the company has never been disclosed. This has been done to avoid discouraging other companies from reporting these kinds of attacks.
Triton was hamstrung by a small flaw in its code, which shut down the plant and alerted the company to the attack before it could result in any physical harm. This happened in June 2017. At the time it was thought to be a simple mechanical glitch. But in August the plant shut down again and this time the company opted to bring in investigators.
[Julian] Gutmanis recalls that dealing with the malware at the petrochemical plant, which had been restarted after the second incident, was a nerve-racking experience. “We knew that we couldn’t rely on the integrity of the safety systems,” he says. “It was about as bad as it could get.”
While the attack wasn’t disclosed publicly until December of that year, security firms and researchers have been scrambling to unpack the malware and learn how it works since its discovery.
What makes this malware scary is that it’s intended to cause real harm. This isn’t holding someone’s files ransom or stealing their personal data – this could get somebody killed.
And it’s exceptionally sophisticated.
What makes Triton Malware so sophisticated?
For starters, the people behind Triton have a ton of resources at their disposal and given some of the high-level techniques that have been strung together, researchers believe that a nation-state is behind them. Exactly which nation is still a point of debate. While it was initially attributed to Iran, FireEye – who was brought in when the malware was first discovered – has now pointed the blame at Russia.
Regardless of who is behind it, it’s part of a trend where state-sponsored cyber attackers have targeted private sector businesses. The Marriott breach last year being another example.
The attack actually began in 2014, when the attackers gained access to the plant operator’s corporate network. At some point they gained access to the targeted plant’s network, then – using credentials potentially acquired in a spearphishing operation – the attackers gained access to an engineering workstation.
That engineering workstation interfaced directly with the plant’s safety instrumented systems, which informed the attackers of the makes and models being used, as well as their firmware versions. Their persistence in the network allowed the attackers to maintain visibility over any updates being made, too.
The attackers ultimately chose to focus on a Schneider Electric safety instrumented machine called the Triconex safety controller. Hence the malware’s name. It’s likely, per the MIT Technology Review, that the attackers acquired one of the Schneider Triconex machines to test its malware before deploying it. This helped them to create code that could elude malware scanners and other security safeguards.
And truly rounding out the attack, a new Zero-day was found in the Triconex safety controller, furthering Triton’s chances of success.
The result was the intruders maintained a persistent presence in the network and injected code that could order the safety instruments to shut themselves down as other malware wreaked havoc on the plant, creating what could have been a very deadly situation.
The results could have been horrific. The world’s worst industrial disaster to date also involved a leak of poisonous gases. In December 1984 a Union Carbide pesticide plant in Bhopal, India, released a vast cloud of toxic fumes, killing thousands and causing severe injuries to many more. The cause that time was poor maintenance and human error. But malfunctioning and inoperable safety systems at the plant meant that its last line of defense failed.
First Takeaway – Email Security has never been more critical
Let’s start with email security. While it’s yet to be confirmed that the compromised engineering credentials were obtained via spearphishing, there has been some reporting that this was the case. While there are other methods that could have been used to access the terminal, spearphishing would appear to be the likeliest culprit.
Spearphishing is basically phishing + social engineering. The attacker does some research on the target, oftentimes using sites like LinkedIn, in order to craft a convincing situation in order to obtain the targeted information. This type of phishing typically includes a convincing fake website, often with HTTPS security indicators, that is meant to harvest the information.
This just underscores the importance of proper internet security. There’s a very good chance, given their presence in the network itself, that the attackers could have sent a convincing email from a trusted email server, which could have fooled SPF or DKIM. S/MIME and email signing could have helped prevent this though.
Teaching employees to sign emails and look for signatures on emails, as well as educating them about email security best practices in general is critical to maintaining a good organizational security posture. Your employees, regardless of their intent, are your biggest threat.
Second Takeaway – IoT Security cannot be overlooked
While it’s been said and written so many times that it’s become trite at this point, it still bears repeating: securing the Internet of Things needs to be a priority for everyone from manufacturers to vendors to end users. Eventually, one of these attacks is going to get someone killed and it’s likely going to be an IoT device or component that gets compromised and causes it.
This potentially could have been the cyber attack that achieved that unfortunate milestone, were it not for a small glitch, or perhaps more appropriately an oversight, that shut the entire plant down in the face of the pending emergency. Next time we might not be so lucky, which has security researchers losing sleep at night.
Even the most disruptive malware has historically not attempted to cause harm to humans.
“Targeting safety systems just seemed to be off limits morally and really hard to do technically,” explains Joe Slowik, a former information warfare officer in the US Navy that now works for cybersecurity firm, Dragos.
Stuxnet is the most famous example, it compromised key systems in the Iranian nuclear program to overheat centrifuges in 2010. The Russian government has also used sophisticated malware to compromise power grids in various countries. That’s actually been named Crash Override, I assume after the character from the cheesy 90s movie, Hackers, which makes it way more awesome than the usual fare in this industry (looking at you, POODLE).
Regardless, this just underscores how critical IoT security is. As great as our newfound connectivity is, there are risks inherent that must be addressed. For the most part the industrial sector does a fairly good job of securing itself.
To keep attackers out, industrial companies typically rely on a strategy known as “defense in depth.” This means creating multiple layers of security, starting with firewalls to separate corporate networks from the internet. Other layers are intended to prevent hackers who do get in from accessing plant networks and then industrial control systems.
These defenses also include things like antivirus tools to spot malware and, increasingly, artificial-intelligence software that tries to spot anomalous behavior inside IT systems. Then, as the ultimate backstop, there are the safety instrumented systems and physical fail-safes. The most critical systems typically have multiple physical backups to guard against the failure of any one element.
But even the best security posture can be undone by irresponsible or negligent partners. In this case, the sophistication of the attackers gave them an advantage that many non-state backed hackers wouldn’t have, but the compromise still came from a third-party IoT device that the organization was leveraging.
This is why we refer to security as an ecosystem, because it might not be your mistake that causes your compromise – or it could your mistake that causes someone else’s.
As always, leave any comments or questions below…