FireEye can now confirm that we have uncovered and are responding
to an additional intrusion by the attacker behind TRITON at a
different critical infrastructure facility.
In December 2017, FireEye publicly released our first analysis on
the TRITON attack
(https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html),
where malicious actors used the TRITON custom attack framework to
manipulate industrial safety systems at a critical infrastructure
facility and inadvertently caused a process shutdown. In subsequent
research
(https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html),
we examined how the attackers may have gained access to critical
components needed to build the TRITON attack framework. In our most
recent analysis
(https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html),
we attributed the intrusion activity that led to the deployment of
TRITON to a Russian government-owned technical research institute in Moscow.
The TRITON intrusion is shrouded in mystery. There has been some
public discussion surrounding the TRITON framework and its impact at
the target site, yet little to no information has been shared on the
tactics, techniques, and procedures (TTPs) related to the intrusion
lifecycle, or how the attack made it deep enough to impact the
industrial processes. The TRITON framework itself and the intrusion
tools the actor used were built and deployed by humans, all of whom
had observable human strategies, preferences, and conventions for the
custom tooling of the intrusion operation. It is our goal to discuss
these adversary methods and highlight exactly how the developer(s),
operator(s) and others involved used custom tools in the intrusion.
In this report we continue our research of the actor’s operations
with a specific focus on a selection of custom information technology
(IT) tools and tactics the threat actor leveraged during the early
stages of the targeted attack lifecycle (Figure 1). The information in
this report is derived from multiple TRITON-related incident responses
carried out by FireEye Mandiant.
Using the methodologies described in this post, FireEye Mandiant
incident responders have uncovered additional intrusion activity from
this threat actor – including new custom tool sets – at a second
critical infrastructure facility. As such, we strongly encourage
industrial control system (ICS) asset owners to leverage the
indicators, TTPs, and detections included in this post to improve
their defenses and hunt for related activity in their networks.
For IT and operational technology (OT) incident response support,
please contact FireEye Mandiant (https://www.fireeye.com/services.html).
For more in-depth analysis of TRITON and other cyber threats, consider
subscribing to FireEye Cyber Threat Intelligence
(https://www.fireeye.com/solutions/cyber-threat-intelligence.html).
FireEye's SmartVision technology
(https://www.fireeye.com/company/press-releases/2018/fireeye-unveils-smartvision-edition-to-detect-stealthy--maliciou.html),
which searches for attackers during lateral movement activities by
monitoring east-west traffic in IT and OT networks, reduces the risk
of an attack reaching sensitive ICS processes. This is particularly
relevant for sophisticated ICS-related intrusions, as attackers
typically move from corporate IT to OT networks through systems that
are accessible to both environments, far beyond perimeter defenses.
Figure 1: The FireEye targeted attack lifecycle
Throughout the targeted attack lifecycle, the actor leveraged dozens
of custom and commodity intrusion tools to gain and maintain access to
the target's IT and OT networks. A selection of the custom tools that
FireEye Mandiant recovered is listed later in this post in Table 1,
and hashes are listed in Table 2 at the end of this post. Discovery
rules for and technical analysis of these tools, as well as MITRE
ATT&CK JSON raw data, are available in Appendix A, Appendix B, and
Appendix C.
Figure 2: Selection of custom tools used by the actor
The actor's custom tools frequently mirrored the functionality of
commodity tools and appear to have been developed with a focus on
anti-virus evasion. The group often leveraged custom tools when they
appeared to be struggling with anti-virus detection or were at a
critical phase in the intrusion (e.g., they switched to custom
backdoors in the IT and OT DMZ right before gaining access to the
engineering workstation). In some instances, the actor leveraged
custom and commodity tools for the same function. For example, they
used Mimikatz (public) and SecHack (custom) for credential harvesting;
both tools provide a very similar output (Figure 3).
Figure 3: Default outputs for Mimikatz (left) and SecHack (right)
The targeted attack lifecycle of a sophisticated ICS attack is often
measured in years. Attackers require a long time to prepare for such
an attack in order to learn about the target’s industrial processes
and build custom tools. These attacks are also often carried out by
nation states that may be interested in preparing for contingency
operations rather than conducting an immediate attack (e.g.,
installing malware like TRITON and waiting for the right time to use
it). During this time, the attacker must ensure continued access to
the target environment or risk losing years of effort and potentially
expensive custom ICS malware. This attack was no exception. The actor
was present in the target networks for almost a year before gaining
access to the Safety Instrumented System (SIS) engineering
workstation. Throughout that period, they appeared to prioritize
operational security.
After establishing an initial foothold on the corporate network, the
TRITON actor focused most of their effort on gaining access to the OT
network. They did not exhibit activities commonly associated with
espionage, such as using key loggers and screenshot grabbers, browsing
files, and/or exfiltrating large amounts of information. Most of the
attack tools they used were focused on network reconnaissance, lateral
movement, and maintaining presence in the target environment.
The actor used multiple techniques to hide their activities, cover
their tracks, and deter forensic examination of their tools and activities.
Once the actor gained access to the targeted SIS controllers, they
appeared to focus solely on maintaining access while attempting to
successfully deploy TRITON. This involved strategically limiting their
activities to mitigate the risk of being discovered.
Based on analysis of the actor’s custom intrusion tools, the group
has been operating since as early as 2014. It is worth noting that
FireEye had never before encountered any of the actor's custom tools,
despite the fact that many of them date to several years before the
initial compromise. This fact and the actor's demonstrated interest in
operational security suggests there may be other target environments –
beyond the second intrusion announced in this blog post – where the
actor was or still is present.
Most sophisticated ICS attacks have leveraged Windows, Linux, and
other traditionally "IT" systems (located in either IT or OT
networks) as a conduit to the ultimate target. Some examples include
leveraging computers to gain access to targeted PLCs (e.g., Stuxnet),
interacting directly with internet-connected human machine interfaces
(HMIs) (e.g., BlackEnergy), and gaining remote access to an
engineering station to manipulate a remote terminal unit (RTU) (e.g.,
INDUSTROYER) or to infect SIS programmable logic controllers (PLCs)
(e.g., TRITON).
Defenders who focus on stopping an attacker in these
"conduit" systems benefit from a number of key advantages.
These advantages will only grow as IT and OT systems continue to converge.
Historic activity associated with this actor demonstrates a strong
development capability for custom tooling. The developer(s) behind
these toolsets leaned heavily on existing software frameworks and
modified them to best serve the intrusion operations. The developer(s)
had preferences regarding the ports, protocols, persistence
mechanisms, and other aspects of how the malware operated.
While the preferences of the development team supporting this
activity will likely shift and change over time, learning about them
is still useful to identify whether their TTPs are applicable to other
malware developers and threat actors. Additionally, the actor possibly
gained a foothold on other target networks – beyond the two intrusions
discussed in this post – using similar strategies. In such cases,
retrospective hunting would help defenders identify and remediate
malicious activity.
Based on the examination of developer(s) preferences and abstracted
adversary methodologies, it is possible to build broader visibility of
the TTPs using detection and hunting rules of various fidelity and
threat density. The compilation of these rules makes it possible to
identify and classify potentially malicious samples while building new
"haystacks" in which to hunt for adversary activity.
The TTPs we extracted from this actor’s activities are not
necessarily exclusive, nor are they necessarily malicious in every
circumstance. However, the TTP profile built by FireEye can be used to
search for patterns of evil in subsets of network and endpoint
activity. Not only can these TTPs be used to find evidence of
intrusions, but identification of activity that has strong overlaps
with the actor's favored techniques can lead to stronger assessments
of actor association, further bolstering incident response efforts.
The following table provides insights into notable methodologies
surrounding the use of custom tools and tips for identifying evidence
of this and related activity. Adversary methodologies are also
expressed in terms of the MITRE ATT&CK framework (see Appendix C
for MITRE ATT&CK JSON raw data).
Table 1: TRITON actor methodology and discovery strategies
There is often a singular focus from the security community on ICS
malware largely due to its novel nature and the fact that there are
very few examples found in the wild. While this attention is useful
for a variety of reasons, we argue that defenders and incident
responders should focus more attention on so-called
"conduit" systems when trying to identify or stop
ICS-focused intrusions.
In an attempt to raise community awareness surrounding this actor’s
capabilities and activities between 2014 and 2017—an effort compounded
in importance by our discovery of the threat actor in a second
critical infrastructure facility—we have shared a sampling of what we
know about the group's TTPs and custom tooling. We encourage ICS asset
owners to leverage the detection rules and other information included
in this report to hunt for related activity as we believe there is a
good chance the threat actor was or is present in other target networks.